@PreAuthorize注释不起作用的弹簧安全性 [英] @PreAuthorize annotation not working spring security
问题描述
我发现了许多类似的问题,但没有一个问题解决了我的问题。
我的问题是 ROLE_USER
可以访问 ROLE_ADMIN的函数
I found many similar questions but none has solved my problem.
My problem is ROLE_USER
can access functions of ROLE_ADMIN
我的spring-security.xml代码如下。
My spring-security.xml code is following.
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:s="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<s:http auto-config="true" use-expressions="true">
<s:intercept-url pattern="/index.jsp" access="permitAll" />
<s:intercept-url pattern="/welcome*" access="hasRole('ROLE_USER')" />
<s:intercept-url pattern="/helloadmin*" access="hasRole('ROLE_ADMIN')" />
<s:form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<s:logout logout-success-url="/logout" />
</s:http>
<s:authentication-manager>
<s:authentication-provider>
<s:user-service>
<s:user name="asif" password="123456" authorities="ROLE_USER,ROLE_ADMIN" />
<s:user name="raheel" password="123456" authorities="ROLE_USER" />
</s:user-service>
</s:authentication-provider>
</s:authentication-manager>
当我添加<$ c时$ c>< s:global-method-security pre-post-annotations =enabled/>
我的代码显示资源未找到错误,当我删除代码时执行成功但 ROLE_USER
可以访问 ROLE_ADMIN
函数
when I add <s:global-method-security pre-post-annotations="enabled"/>
my code shows resource not found error and when I remove my code execute successfully but ROLE_USER
can access ROLE_ADMIN
functions
我的控制器功能是。
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value="/delete", method = RequestMethod.GET)
public String DeleteAll(ModelMap model, Principal principal ) {
org.springframework.security.core.userdetails.User activeUser = (org.springframework.security.core.userdetails.User)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
System.out.println("Active user is "+activeUser.getUsername()+"Authorities are "+activeUser.getAuthorities());
return "deleteUsers";
}
推荐答案
你应该拥有
<s:global-method-security pre-post-annotations="enabled"/>
如果您想要 @PreAuthorize
注释工作。
回答评论:
它看起来就像你错过了 spring-aop
依赖。
It looks like you're missing the spring-aop
dependency.
如果你正在使用maven,你需要:
If you're using maven you need:
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
<version>${org.springframework.version}</version>
</dependency>
如果没有,你可以从这里。
这篇关于@PreAuthorize注释不起作用的弹簧安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!