Spring Boot 中的全局方法安全性 [英] Global method security in Spring Boot

问题描述

我在尝试在 Spring Boot 应用程序中启用全局方法安全时遇到了一些问题.我或多或少有这样的配置:

I'm having some issues when trying to enable the global method security in a Spring Boot application. More or less I've this configuration:

@ComponentScan
@Configuration
@EnableAutoConfiguration
@EnableConfigurationProperties
public class Main extends SpringBootServletInitializer {

    public static void main(String[] args) throws Exception {
        SpringApplication app = new SpringApplication(Main.class);
        app.setShowBanner(false);
        ApplicationContext context = app.run(args);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(Main.class);
    }
}

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, proxyTargetClass = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        ...
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ...
    }
}

@Controller
public class SampleController {

    @RequestMapping("/api/hello")
    @ResponseBody
    String hello() {
        return "Hello!";
    }

    @Secured(SecurityGrant.WRITE_PROJECT)
    @RequestMapping("/api/bye")
    @ResponseBody
    String bye() {
        return "Bye!";
    }
}

@Secure 注释在服务上工作正常，但在控制器中工作正常，所以我在这里读到 (http://docs.spring.io/spring-security/site/faq/faq.html#faq-method-security-in-web-context) 我认为是因为方法安全性仅在根应用程序上下文中配置，而不是在 servlet 中配置.但是，我找不到通过 Java 配置而不是使用 web.xml 文件进行设置的方法.有什么想法吗?

The @Secure annotations are working OK at services, but not in controllers, so as I read here (http://docs.spring.io/spring-security/site/faq/faq.html#faq-method-security-in-web-context) I think is because method security is only configured in the root application context and not in the one for the servlet. However, I can't find the way to set this via Java Configuration, instead of using a web.xml file. Any ideas?

更新:

正如评论中所指出的，方法应该是公开的以进行代理.

As pointed in the comments, methods should be public to be proxied.

推荐答案

控制器方法需要是公共的，以便为 @Secured 代理.这样做应该可以解决问题.

The controller methods need to be public in order to be proxied for @Secured. Just doing that should fix it.

这篇关于Spring Boot 中的全局方法安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！