Spring @Secured and @PreAuthorize have no effect in plain (non-web) application


Problem description

I created an Application Spring component with two secured methods:

@Component
public class Application {

    public void run() {
        onlyAdminMethod();
        onlyAdminMethod2();
    }

    @Secured( "ROLE_ADMIN" )
    public void onlyAdminMethod() {
        System.out.println( "Admin-only method called" );
    }

    @PreAuthorize( "hasRole('ROLE_ADMIN')" )
    public void onlyAdminMethod2() {
        System.out.println( "Admin-only method 2 called" );
    }
}

I call the run() method on that bean, which I take from the Spring XML context:

ClassPathXmlApplicationContext context = 
     new ClassPathXmlApplicationContext("applicationContext.xml");  
context.getBean( Application.class).run();

Nothing happens - the methods are called normally even if there is no authentication and SecurityContextHolder.getContext().getAuthentication() returns null.

My Spring XML:

<context:annotation-config />
<context:component-scan base-package="practice" />

<security:authentication-manager>
   <security:authentication-provider>
      <security:user-service>
         <security:user name="admin" password="stackoverflow" authorities="ROLE_USER,ROLE_ADMIN" />
      </security:user-service>
   </security:authentication-provider>
</security:authentication-manager>

<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>

I am using Spring 3.2.4.

Recommended answer

2 Things

Spring uses a proxy-based solution for AOP, which means only external method calls are intercepted; you are making internal method calls, and those bypass the proxy.

Second, make sure you are using class-based proxies (you aren't using interfaces, so JDK dynamic proxies won't work). Add proxy-target-class="true" to your <global-method-security .. /> element. Make sure you have cglib on your classpath, as that is required for class-based proxies.
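
The self-invocation bypass described in the answer, modelled with a plain JDK dynamic proxy as an added example (not code from the question or the answer, and not Spring's own implementation). RequiresRole, App, AppImpl, secure and currentRole are hypothetical names; currentRole is a constructed stand-in for the SecurityContextHolder.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;

public class SelfInvocationDemo {

    // Hypothetical stand-in for @Secured; not a Spring annotation.
    @Retention(RetentionPolicy.RUNTIME)
    @interface RequiresRole { String value(); }

    interface App {
        void run();
        @RequiresRole("ROLE_ADMIN") void onlyAdminMethod();
    }

    static class AppImpl implements App {
        // Implicit this.onlyAdminMethod(): the call is made on the target object, not the proxy.
        public void run() { onlyAdminMethod(); }
        public void onlyAdminMethod() { System.out.println("Admin-only method called"); }
    }

    // Constructed stand-in for the security context: null means nobody is authenticated.
    static String currentRole = null;

    // Wraps the target in a proxy that enforces RequiresRole on calls arriving from outside.
    static App secure(App target) {
        return (App) Proxy.newProxyInstance(App.class.getClassLoader(), new Class<?>[] { App.class },
            (proxy, method, args) -> {
                RequiresRole required = method.getAnnotation(RequiresRole.class);
                if (required != null && !required.value().equals(currentRole)) {
                    throw new SecurityException("Access denied to " + method.getName());
                }
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause();   // surface the target's own exception
                }
            });
    }

    public static void main(String[] args) {
        App app = secure(new AppImpl());
        app.run();                  // allowed: run() is unannotated and its nested call skips the proxy
        try {
            app.onlyAdminMethod();  // denied: this call goes through the proxy
        } catch (SecurityException e) {
            System.out.println("Blocked: " + e.getMessage());
        }
    }
}
```

Because the check lives in the proxy, a secured method is only protected when the caller reaches it through the proxied reference.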
