我如何检查方法级别的弹簧安全性 [英] How do I check method level spring security

问题描述

我已经在控制器方法中实现了 spring 安全性.

I have implemented spring security in controller method.

下面是我的spring security.xml

Below is my spring security.xml

-->

<!-- URL pattern based security -->
<security:http auto-config="false" entry-point-ref="authenticationEntryPoint"
    use-expressions="true">
    <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
    <security:intercept-url access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" pattern="/common/admin/**" />
    <security:intercept-url pattern="/common/accounting/**" access="hasRole('ROLE_USER')" />
    <security:logout logout-url="/j_spring_security_logout" invalidate-session="true" logout-success-url="/login"/>

</security:http>

下面是我的控制器

@Secured({"ROLE_ADMIN"})
@RequestMapping(value = "/common/admin/addAdmin", method = RequestMethod.GET)
public String add(ModelMap map) {
    map.addAttribute(new Administrator());
    return "/common/admin/addAdmin";
}

@Secured({"ROLE_ADMIN"})
@RequestMapping(value = "/common/admin/addAdmin", method = RequestMethod.POST)
public String processadd(
        @ModelAttribute("administrator") Administrator administrator) {
    this.administratorManager.addAdmin(administrator);
    return "/common/admin/success";
}

我允许 url/common/admin/** 用于管理员和用户角色.但是我在管理控制器中做了一些限制.当用户以用户角色进入/common/admin/* 时，他可以，但他也可以进入仅适用于管理员角色的方法.

I allow the url /common/admin/** for both admin and user role. But i do some restriction in the admin controller. when user is go in to /common/admin/* as a user role, he can but he can also go in to method that is only for admin role only.

我该如何解决?

谢谢！

推荐答案

您已经添加了 @Secured 注释.

You already have added the @Secured annotation.

但您需要启用它:

<!-- secured-annotations = (@Secured("ROLE_ADMIN")) -->
<!-- jsr250-annotations = (@RunAs @RolesAllowed @PermitAll @DenyAll @DeclareRoles) -->
<!-- pre-post-annotations = @PreAuthorized("hasAuthority('ROLE_ADMIN')") -->
<global-method-security
    secured-annotations="enabled" 
    jsr250-annotations="disabled"
    pre-post-annotations="disabled">        
</global-method-security>

@Secured 可以担任一个或多个角色.

@Secured can take a single or several roles.

• @Secured("ROLE_USER")
• @Secured({"ROLE_USER", "ROLE_ADMIN"})//如果用户具有此角色之一，则授予大权限

• @Secured("ROLE_USER")
• @Secured({"ROLE_USER", "ROLE_ADMIN"}) //grand access if the user has one of this roles

BWT:来自 Spring Security 3 Book (http://www.springsecuritybook.com/):

BWT: From Spring Security 3 Book (http://www.springsecuritybook.com/):

@Secured 注释的功能和语法与 @RollesAllowed 相同......因为 @Secured 功能与 JSR 标准相同@RollesAllowed 在新代码中使用它(@Secured)并没有令人信服的理由......

The @Secured annotation is functionallz and syntactiallz the same as @RollesAllowed ... As @Secured functions the same as the JSR standard @RollesAllowed there's not reallz a compelling reason to use it (@Secured) in in new code...

(不要忘记启用它jsr250-annotations="enabled")

这篇关于我如何检查方法级别的弹簧安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！