@PreAuthorize注释不起作用的弹簧安全性 [英] @PreAuthorize annotation not working spring security

问题描述

我发现了许多类似的问题，但没有一个问题解决了我的问题。
我的问题是 ROLE_USER 可以访问 ROLE_ADMIN的函数

I found many similar questions but none has solved my problem. My problem is ROLE_USER can access functions of ROLE_ADMIN

我的spring-security.xml代码如下。

My spring-security.xml code is following.

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:s="http://www.springframework.org/schema/security"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
                    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                    http://www.springframework.org/schema/security
                    http://www.springframework.org/schema/security/spring-security-3.0.xsd">   

<s:http auto-config="true" use-expressions="true">
    <s:intercept-url pattern="/index.jsp" access="permitAll" />
    <s:intercept-url pattern="/welcome*" access="hasRole('ROLE_USER')" />
    <s:intercept-url pattern="/helloadmin*" access="hasRole('ROLE_ADMIN')" />

    <s:form-login login-page="/login" default-target-url="/welcome"
        authentication-failure-url="/loginfailed" />
    <s:logout logout-success-url="/logout" />
</s:http>

<s:authentication-manager>
  <s:authentication-provider>
    <s:user-service>
        <s:user name="asif" password="123456" authorities="ROLE_USER,ROLE_ADMIN" />
        <s:user name="raheel" password="123456" authorities="ROLE_USER" />          
    </s:user-service>
  </s:authentication-provider>
</s:authentication-manager>

当我添加<$ c时$ c>< s：global-method-security pre-post-annotations =enabled/>
我的代码显示资源未找到错误，当我删除代码时执行成功但 ROLE_USER 可以访问 ROLE_ADMIN 函数

when I add <s:global-method-security pre-post-annotations="enabled"/> my code shows resource not found error and when I remove my code execute successfully but ROLE_USER can access ROLE_ADMIN functions

我的控制器功能是。

@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value="/delete", method = RequestMethod.GET)
public String DeleteAll(ModelMap model, Principal principal ) {

    org.springframework.security.core.userdetails.User activeUser = (org.springframework.security.core.userdetails.User)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    System.out.println("Active user is "+activeUser.getUsername()+"Authorities are "+activeUser.getAuthorities());
    return "deleteUsers";

}

推荐答案

你应该拥有

<s:global-method-security pre-post-annotations="enabled"/>

如果您想要 @PreAuthorize 注释工作。

回答评论：

它看起来就像你错过了 spring-aop 依赖。

It looks like you're missing the spring-aop dependency.

如果你正在使用maven，你需要：

If you're using maven you need:

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-aop</artifactId>
    <version>${org.springframework.version}</version>
</dependency>

如果没有，你可以从这里。

这篇关于@PreAuthorize注释不起作用的弹簧安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！