Spring-Security 3 / Spring MVC和可怕的@Secured / RequestMapping [英] Spring-Security 3/Spring MVC and the dreaded @Secured/RequestMapping
问题描述
我在向控制器添加安全注释时遇到了很多问题。
i had lots of problems adding Secured annotations to my Controllers.
事实证明让我的Controller实现InitializingBean是一个坏主意。
it turns out letting my Controller implement an InitializingBean was a bad idea.
public class MyController implements InitializingBean {
@Secured(value="ROLE_ADMIN")
@RequestMapping(method = RequestMethod.GET, value = "/{id}/edit")
public String getView(Model model, @PathVariable("id") long id) {
return "some view";
}
}
这失败了:
WARN PageNotFound:962 - 找不到带有URI [...]的HTTP请求的映射
WARN PageNotFound:962 - No mapping found for HTTP request with URI[...]
删除@Secured Annotation会有效,但显然我不想这样做。在网上浪费了大量时间之后
我注意到工作和非工作控制器之间的最后一个区别是它实现了InitializingBean接口。现在这就像一个魅力:
removing the @Secured Annotation would work, but obviously i didn't want to do that. after lots of wasted time on the net i noticed the last difference beetween a working and a non working controller was that it implemented the InitializingBean Interface. And now this works like a charm:
public class MyController{
@Secured(value="ROLE_ADMIN")
@RequestMapping(method = RequestMethod.GET, value = "/{id}/edit")
public String getView(Model model, @PathVariable("id") long id) {
return "some view";
}
}
任何人都可以帮我理解这种行为吗?
Can anyone help me understand that behaviour?
推荐答案
这是因为当使用JDK动态代理应用安全方面时,对注释的访问会丢失,默认情况下,当建议bean实现任何接口。
This happens because access to the annotations is lost when security aspect is applied using JDK dynamic proxy, which happens by default when advised bean implements any interfaces.
要解决此问题,您应该告诉Spring Security仅使用< global-method-来应用基于目标类的代理。 security proxy-target-class =true...> ...
(< aop:config proxy-target-class =true/>
也有效。)
To solve this problem, you should tell Spring Security to apply target-class-based proxies only, using <global-method-security proxy-target-class = "true" ...> ...
(<aop:config proxy-target-class = "true" />
works too).
有关AOP代理的更多信息这里。
More about AOP proxies here.
这篇关于Spring-Security 3 / Spring MVC和可怕的@Secured / RequestMapping的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!