Spring Security and AOP issue


Problem description

I am adding an AOP feature to a Spring-Security application deployed on a Tomcat 7 server. The application worked fine since I added the AspectJ dependency.

These are my Maven dependencies in my POM:

<properties>
    <spring.framework.version>4.0.5.RELEASE</spring.framework.version>
    <spring.security.version>3.2.4.RELEASE</spring.security.version>
</properties>
<dependencies>
    <!-- Spring dependencies -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>${spring.framework.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context</artifactId>
        <version>${spring.framework.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-tx</artifactId>
        <version>${spring.framework.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-jdbc</artifactId>
        <version>${spring.framework.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-aop</artifactId>
        <version>${spring.framework.version}</version>
    </dependency>
    <dependency>
        <groupId>org.aspectj</groupId>
        <artifactId>aspectjtools</artifactId>
        <version>1.8.1</version>
    </dependency>
</dependencies>

And here, my Spring configuration (at least, the most relevant):

<security:global-method-security secured-annotations="enabled" />

<bean id="myAuthenticationDetailsSource"
    class="net.classnotfound.MyAuthenticationDetailsSource">
</bean>

<bean id="oracleLoginChecker"
    class="net.classnotfound.OracleLoginChecker">
</bean>

<bean id="ldapLoginChecker"
    class="net.classnotfound.LdapLoginChecker">
</bean>

<bean id="myAuthenticationProvider" class="net.classnotfound.MyAuthenticationProvider">
    <property name="loginCheckerMap">
        <map>
            <entry key="ORACLE" value-ref="oracleLoginChecker"/>
            <entry key="LDAP" value-ref="ldapLoginChecker"/>
        </map>
    </property>
</bean>

<bean id="loggerListener"
    class="org.springframework.security.authentication.event.LoggerListener" />

<security:authentication-manager
    alias="authenticationManager">
    <!-- create a custom AuthenticationProvider class to tune the login 
        process -->
    <security:authentication-provider
        ref="myAuthenticationProvider" />
</security:authentication-manager>

<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/faces/login/**" access="anonymous" />
    <security:intercept-url pattern="/faces/**"
        access="authenticated" />
    <security:form-login login-page="/faces/login/login.xhtml"
        authentication-failure-url="/faces/login/login.xhtml?error=1"
        default-target-url="/faces/index.xhtml"
        authentication-details-source-ref="myAuthenticationDetailsSource"
        username-parameter="username" password-parameter="password" />
</security:http>


<tx:annotation-driven />
<beans>
    <bean id="aroundAspect" class="net.classnotfound.AroundAdvice" />
    <aop:aspectj-autoproxy />
    <aop:config>
        <aop:aspect ref="aroundAspect">
            <aop:pointcut id="aroundPointCut" expression="@target(org.springframework.transaction.annotation.Transactional)" />
            <aop:around pointcut-ref="aroundPointCut" method="doBasicProfiling" />
        </aop:aspect>
    </aop:config>
</beans>

And now, when I start Tomcat, I have this error:

[...]
Caused by: java.lang.NoSuchMethodException: com.sun.proxy.$Proxy34.isEraseCredentialsAfterAuthentication()
at java.lang.Class.getMethod(Class.java:1655)
at org.springframework.util.MethodInvoker.prepare(MethodInvoker.java:174)
at org.springframework.beans.factory.config.MethodInvokingFactoryBean.afterPropertiesSet(MethodInvokingFactoryBean.java:103)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1612)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1549)
... 64 more

I googled a bit and it seems that the JDK proxy mechanism cannot "proxy" methods which are not defined at the interface level. I tried to adapt my configuration to proxy classes with:

<aop:aspectj-autoproxy proxy-target-class="true"/>

But now, I have:

[...]
Caused by: java.lang.IllegalArgumentException: Cannot subclass final class class org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser$AuthenticationManagerDelegator
at org.springframework.cglib.proxy.Enhancer.generateClass(Enhancer.java:446)
at org.springframework.cglib.transform.TransformingClassGenerator.generateClass(TransformingClassGenerator.java:33)
at org.springframework.cglib.core.DefaultGeneratorStrategy.generate(DefaultGeneratorStrategy.java:25)
at org.springframework.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:216)
at org.springframework.cglib.proxy.Enhancer.createHelper(Enhancer.java:377)
at org.springframework.cglib.proxy.Enhancer.createClass(Enhancer.java:317)
at org.springframework.aop.framework.ObjenesisCglibAopProxy.createProxyClassAndInstance(ObjenesisCglibAopProxy.java:57)
at org.springframework.aop.framework.CglibAopProxy.getProxy(CglibAopProxy.java:202)
... 34 more

I guess it's normal because it's a known limitation of AspectJ.

So now, I am stuck. Do I have to give up the idea of using Spring Security and AOP in the same project (weird), or is there some obscure configuration, or some dependencies to use? Thanks for your help.

Recommended answer

Finally, after one day of different attempts, I think that I solved it.

In my test to integrate AOP, I used a tutorial which defines a pointcut that is too generic (a regular expression like .*), meaning that all methods of my managed beans were candidates to be proxied, including those from Spring-Security, and boom :-(

Defining a more specific pointcut (basically based on package name) avoids the error when starting my application.

It's a stupid error but maybe this answer will help someone else.
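
The package-based narrowing described in the answer above, as an added example that is not part of the original post: the pointcut from the question beside a package-scoped version. The `net.classnotfound.service` sub-package is an assumption; the aspect bean, pointcut id and advice method are the ones from the question.

```xml
<!-- Added example. Assumption: the @Transactional application classes live
     under net.classnotfound.service (hypothetical sub-package). -->
<bean id="aroundAspect" class="net.classnotfound.AroundAdvice" />

<aop:config>
    <aop:aspect ref="aroundAspect">
        <!-- Before (from the question), not limited to application packages,
             so framework beans are proxy candidates too:
             expression="@target(org.springframework.transaction.annotation.Transactional)" -->

        <!-- After: within(...) restricts candidates to application classes and
             @within(...) keeps only types annotated with @Transactional. -->
        <aop:pointcut id="aroundPointCut"
            expression="within(net.classnotfound.service..*) and @within(org.springframework.transaction.annotation.Transactional)" />
        <aop:around pointcut-ref="aroundPointCut" method="doBasicProfiling" />
    </aop:aspect>
</aop:config>
```

With this scope, Spring Security beans such as the `AuthenticationManagerDelegator` named in the second stack trace fall outside the pointcut and are left unproxied.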
