带有@EnableGlobalMethodSecurity的Spring Security AspectJMode不起作用 [英] Spring Security AspectJMode with @EnableGlobalMethodSecurity not working
问题描述
我正在尝试使用spring-security 4.0.0.M1从XML Config迁移到JavaConfig
I am trying to move from XML Config to JavaConfig with spring-security 4.0.0.M1
这是我的有效配置:
@Configuration
@ImportResource("classpath:applicationContext-security.xml")
public class MethodSecurityXmlConfig
{}
和applicationContext-security.xml
and applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
">
<security:global-method-security mode="aspectj" proxy-target-class="false" pre-post-annotations="enabled">
<security:expression-handler ref="expressionHandler" />
</security:global-method-security>
<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="delegatingPermissionEvaluator" />
</bean>
</beans>
我有这样的服务方法:
@Transactional(readOnly = false)
@PreAuthorize("hasPermission(#form, 'idForm')")
public boolean runAction ( IdForm form, Errors errors ) throws Exception {...}
此外,我还有这样的方面订购建议,因为我的PermissionEvaluator也需要事务.因此,Transactional应该在安全性之前运行.
Additionally I have an Aspect Ordering Advice like this as my PermissionEvaluator needs a Transaction too. So Transactional should run before Security.
public aspect AspectOrdering
{
declare precedence : AnnotationTransactionAspect, *SecurityAspect;
}
我确实在考虑弹簧安全方面编译了与Maven的时间编织.如果我对其进行调试,则可以看到正在此方法上调用AspectJMethodSecurityInterceptor(在Transactional ..之后).
所以,这很好用.
I do compile time weaving with maven with spring-security-aspects. If I debug it I can see AspectJMethodSecurityInterceptor is being invoked on this method (after Transactional..).
So, this just works fine.
现在,我仅从我的MethodSecurityXmlConfig切换到此配置类:
Now I only switch from my MethodSecurityXmlConfig to this configuration class:
@Configuration
@EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ, prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration
{
@Resource
private DelegatingPermissionEvaluator delegatingPermissionEvaluator;
@Override
protected MethodSecurityExpressionHandler createExpressionHandler ( )
{
DefaultMethodSecurityExpressionHandler defaultMethodSecurityExpressionHandler = new DefaultMethodSecurityExpressionHandler();
defaultMethodSecurityExpressionHandler.setPermissionEvaluator(delegatingPermissionEvaluator);
return defaultMethodSecurityExpressionHandler;
}
}
Spring Security仍然拦截了该方法调用,但是在AspectJ模式下却没有,它使用AopProxy!
由于不使用AspectJ,因此我的订购无法正常工作,因此Spring Security在@Transactional之前运行.
And because of not using AspectJ my ordering isn't working, so Spring Security runs before @Transactional.
当我调试它时,我可以看到正在调用MethodSecurityInterceptor,但是没有看到AspectJMethodSecurityInterceptor.仍然建议使用此方法,但是可能未调用AspectJMethodSecurityInterceptor,因为未配置AnnotationSecurityAspect且调用返回的proced(),因为它无权访问AspectJMethodSecurityInterceptor.
When I debug this, I can see MethodSecurityInterceptor being invoked, but not AspectJMethodSecurityInterceptor. The method is still advised but AspectJMethodSecurityInterceptor might never get called because the AnnotationSecurityAspect is not configured and calls return proceed() as it does not have access to an AspectJMethodSecurityInterceptor.
对我来说,这似乎是一个错误.在提出问题之前,我想问一下:
For me it seems to be a bug. Before raising an issue I would like to ask:
我是否错过了一些配置以使AspectJ能够运行方法安全性?
Did I miss some configuration to get Method Security with AspectJ working?
推荐答案
它是Spring Security 4.0.0.M1中的一个错误,请参见
It is a bug in Spring Security 4.0.0.M1, see https://jira.spring.io/browse/SEC-2698
这篇关于带有@EnableGlobalMethodSecurity的Spring Security AspectJMode不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
