spring not enforcing method security annotations

Problem description

I'm somewhat lost as to why Spring isn't enforcing the @Secured("ROLE_USER") on my service interface. My controllers are established using annotations.

An example of my service interface:

public interface MyServiceManager {

    @Secured("ROLE_USER")
    public void delete(int cid);

    @RolesAllowed({"ROLE_USER"})
    public Contact getContact(int contactId);
}

My security context:

<global-method-security   secured-annotations="enabled" jsr250-annotations="enabled">
</global-method-security>

<http auto-config="true" >
    <intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR" />
    <intercept-url pattern="/addcontact**" access="IS_AUTHENTICATED_REMEMBERED" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <concurrent-session-control max-sessions="1"
        exception-if-maximum-exceeded="true"/>
    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1"/>
    <logout logout-success-url="/welcome.do" logout-url="/logout"/>
</http>
<authentication-provider>
    <password-encoder hash="md5"/>
    <user-service>
        <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
    </user-service>
</authentication-provider>

Recommended answer

Do you have the statement

<global-method-security   secured-annotations="enabled" jsr250-annotations="enabled" />

in the same configuration file as the one where you defined the MyServiceManager bean? I had the same problem until I turned on debug for org.springframework, and noticed that Spring Security was only applied to the same file as the one where global-method-security was defined.
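
The layout the answer describes, as an added example that is not part of the original post or the poster's project: the `<global-method-security>` element and the annotated service bean sit in the same configuration file. The bean id, the implementation class `com.example.MyServiceManagerImpl` and the schema locations are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Bean id and class name below are hypothetical. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Method security switch, exactly as quoted in the answer. -->
    <global-method-security secured-annotations="enabled"
        jsr250-annotations="enabled" />

    <!-- The service whose interface carries @Secured and @RolesAllowed is
         declared next to the switch, so it is wrapped by the security
         interceptor when this file is loaded. -->
    <beans:bean id="myServiceManager"
        class="com.example.MyServiceManagerImpl" />

    <!-- Layout that reproduces the symptom from the question: the
         <beans:bean> above is moved to another file (for example the
         servlet's own context file, which is loaded as a separate
         application context) while <global-method-security> stays here.
         The annotations are then silently ignored and delete() and
         getContact() run for any caller. -->

</beans:beans>
```

With DEBUG logging enabled for org.springframework, as the answer did, the startup log shows which beans the method security configuration was applied to.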
