Spring @PreAuthorize not working with @EnableGlobalMethodSecurity(prePostEnabled = true)


Problem description

Here is my code:

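import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@ComponentScan(basePackages = "com.webapp")
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    // URL-level rules: everything under /admin/** requires the ADMIN role
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/resources/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().permitAll();
    }

    @Autowired
    public void configureGlobal(UserDetailsService userDetailsService, AuthenticationManagerBuilder auth)
            throws Exception {
        auth.userDetailsService(userDetailsService);
    }
}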

When a request to /admin/* comes in, it verifies whether the user has the admin role by calling antMatchers("/admin/**").hasRole("ADMIN"), but in my controller it does not check whether the user has other permissions with @PreAuthorize.

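import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.MessageSource;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.servlet.ModelAndView;

// User, UserDAO, RoleDAO and loadRoles(...) belong to the project and are not shown in the post.
@Controller
@SessionAttributes({ "user" })
@RequestMapping(value = "/admin/user")
public class UserController {

    static Logger logger = LoggerFactory.getLogger(UserController.class);

    @Autowired
    private RoleDAO roleDao;

    @Autowired
    private MessageSource messageSource;

    @Autowired
    private UserDAO userDao;

    // Method-level rule that is expected to run in addition to the URL rule
    @RequestMapping(value = { "/", "/list" }, method = RequestMethod.GET)
    @PreAuthorize("hasRole('USER_VIEW')")
    public ModelAndView listUsers() {

        List<User> users = userDao.list();
        ModelAndView model = new ModelAndView("/admin/user/user-list");
        model.addObject("users", users);
        if (model.getModel().get("user") == null) {
            model.getModel().put("user", new User());
        }
        this.loadRoles(model);
        return model;
    }
}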

Recommended answer

Normally, Spring Security becomes available in the root application context and Spring MVC beans are initialized in a child context. Hence org.springframework.security.config.annotation.configuration.AutowireBeanFactoryObjectPostProcessor can't detect your controller beans because they live in a child context that is unknown to the root context.

@EnableGlobalMethodSecurity or <global-method-security> has to be placed inside the same configuration class or xml file where your Spring MVC configuration lives in order to enable @PreAuthorize and @PostAuthorize.
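
The placement described in the answer, as an added example that is not part of the original question or answer. It assumes the application is bootstrapped with Java config; the class names WebMvcConfig and WebAppInitializer are hypothetical, while SecurityConfig and the com.webapp package come from the question.

```java
// WebMvcConfig.java (hypothetical name): loaded by the DispatcherServlet, i.e. the child context
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.webapp")        // package that holds UserController
@EnableGlobalMethodSecurity(prePostEnabled = true) // declared in the same context as the controllers
public class WebMvcConfig {
}

// WebAppInitializer.java (hypothetical name): wires the root and child contexts
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        // Root context: URL rules and the AuthenticationManager bean from the question
        return new Class<?>[] { SecurityConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        // Child context: MVC beans plus the method security that applies to them
        return new Class<?>[] { WebMvcConfig.class };
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }
}
```

With this layout, a request to /admin/user/list from a user who has ADMIN but not USER_VIEW should be denied at the controller method rather than reaching userDao.list().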
