spring @PreAuthorize 不适用于 @EnableGlobalMethodSecurity(prePostEnabled = true) [英] spring @PreAuthorize not working with @EnableGlobalMethodSecurity(prePostEnabled = true)
问题描述
这是我的代码:
@Configuration
@ComponentScan(basePackages = "com.webapp")
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.
authorizeRequests().antMatchers("/resources/**").permitAll().
antMatchers("/admin/**").hasRole("ADMIN").
anyRequest().authenticated().
and().
formLogin().loginPage("/login").permitAll().
and().
logout().permitAll();
}
@Autowired
public void configureGlobal(UserDetailsService userDetailsService, AuthenticationManagerBuilder auth)
throws Exception {
auth.userDetailsService(userDetailsService);
}
}
当请求/admin/* 进来时,它会通过调用antMatchers("/admin/**").hasRole("ADMIN")来验证用户是否具有管理员角色.,但在我的控制器中,它不会检查用户是否具有 @PreAuthorize 的其他权限.
when a request /admin/* comes in, it will verify if the user has admin role by calling "antMatchers("/admin/**").hasRole("ADMIN")." , but in my controller, it does not check if the user has other permissions with @PreAuthorize .
@Controller
@SessionAttributes({ "user" })
@RequestMapping(value = "/admin/user")
public class UserController {
static Logger logger = LoggerFactory.getLogger(UserController.class);
@Autowired
private RoleDAO roleDao;
@Autowired
private MessageSource messageSource;
@Autowired
private UserDAO userDao;
@RequestMapping(value = { "/", "/list" }, method = RequestMethod.GET)
@PreAuthorize("hasRole('USER_VIEW')")
public ModelAndView listUsers() {
List<User> users = userDao.list();
ModelAndView model = new ModelAndView("/admin/user/user-list");
model.addObject("users", users);
if (model.getModel().get("user") == null) {
model.getModel().put("user", new User());
}
this.loadRoles(model);
return model;
}
}
推荐答案
通常,Spring Security 在根应用程序上下文中可用,并且 Spring MVC bean 在子上下文中初始化.因此 org.springframework.security.config.annotation.configuration.AutowireBeanFactoryObjectPostProcessor
无法检测到您的控制器 bean,因为它们位于根上下文未知的子上下文中.
Normally, Spring Security becomes available in the root application context and Spring MVC beans are initialized in a child context.
Hence org.springframework.security.config.annotation.configuration.AutowireBeanFactoryObjectPostProcessor
can't detect your controller beans because they live in a child context that is unknown to the root context.
@EnableGlobalMethodSecurity
或
必须放置在 Spring MVC 配置所在的相同配置类或 xml 文件中才能启用@PreAuthorize
和 @PostAuthorize
.
@EnableGlobalMethodSecurity
or <global-method-security>
has to be placed inside the same configuration class or xml file where your Spring MVC configration lives in order to enable @PreAuthorize
and @PostAuthorize
.
这篇关于spring @PreAuthorize 不适用于 @EnableGlobalMethodSecurity(prePostEnabled = true)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!