春季安全的taglib秒:授权与角色层次不工作 [英] Spring Security taglib sec:authorize with role hierarchy not working
问题描述
我不能得到秒:授权hasRole()与角色层次的工作。如果我有作用ROLE_BOSS这是ROLE_WORKER的父用户,则是出于某种原因假的。在我服务类@ preAuthorize(hasRole('ROLE_WORKER')),但是确实工作。我以为他们都使用相同的评估,那么为什么没有标签库的工作?感谢您的帮助。
JSP:
<秒:授权访问=hasRole('ROLE_BOSS')>
&所述; P>这示出了与所述; / P>
< /秒:授权>
<秒:授权访问=hasRole('ROLE_WORKER')>
< P>这显示不出来,而应该与LT; / P>
< /秒:授权>
-config.xml安全性:
<豆的id =前pressionHandler class=\"org.springframework.security.access.ex$p$pssion.method.DefaultMethodSecurityEx$p$pssionHandler\">
<属性名=permissionEvaluatorREF =permissionEvaluator/>
<属性名=roleHierarchyREF =roleHierarchy/>
< /豆>其中p秒:全球方法的安全性pre-后注释=已启用>
<秒:前pression处理程序REF =前pressionHandler/>
< /秒:全球法安全><豆的id =permissionEvaluator级=com.myapp.security.MyPermissionEvaluator>
<构造带参数的指数=0>
<映射键式=java.lang.String中价值型=com.myapp.security.Permission>
<输入键=contractReadAccess价值参考=contractReadPermission/>
<输入键=contractWriteAccess价值参考=contractWritePermission/>
< /图>
< /构造带参数>
< /豆><豆的id =contractReadPermission级=com.myapp.security.ContractReadPermission/>
<豆的id =contractWritePermission级=com.myapp.security.ContractWritePermission/><秒:使用http-EX pressions =真正的访问决策管理-REF =的AccessDecisionManager>
<秒:拦截-URL模式=/工人/ **访问=isAuthenticated()要求渠道=HTTPS/>
<秒:拦截-URL模式=/老板/ **访问=hasRole('ROLE_BOSS')要求渠道=HTTPS/> <秒:表单登录登录页=/登录认证失败-URL =?/登录login_error = 1认证成功处理程序-REF =successHandler/>
<秒:注销注销-URL =/注销注销-成功-URL =/登录无效会话=真/>
<秒:记得,我/>
< /秒:HTTP><豆ID =的AccessDecisionManager级=org.springframework.security.access.vote.AffirmativeBased>
<构造带参数>
<列表>
<参考豆=的RoleVoter/>
< bean类=org.springframework.security.web.access.ex pression.WebEx pressionVoter>
<属性名=前pressionHandler>
< bean类=org.springframework.security.web.access.ex pression.DefaultWebSecurityEx pressionHandler>
<属性名=roleHierarchyREF =roleHierarchy/>
< /豆>
< /性>
< /豆>
< bean类=org.springframework.security.access.vote.AuthenticatedVoter/>
< /列表>
< /构造带参数>
< /豆><豆ID =的RoleVoter级=org.springframework.security.access.vote.RoleHierarchyVoter>
<构造带参数REF =roleHierarchy/>
< /豆><豆的id =roleHierarchy级=org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl>
<属性名=层次>
< VALUE>
ROLE_BOSS> ROLE_WORKER
< /值>
< /性>
< /豆><秒:认证管理器别名=AuthenticationManager会>
<秒:认证提供商的用户服务-REF =myUserDetailsService/>
< /秒:认证经理>
很奇怪,我不认为这是正确的,但它似乎工作。我开始通过春源$ C $ C挖,我想我得到了它通过利用DefaultWebSecurityEx pressionHandler出的AccessDecisionManager,并把它在我的所有安全配置的最高层工作。因此,在我-config.xml顶部我有这样的:
<豆的id =WebEx的pressionHandler级=org.springframework.security.web.access.ex pression.DefaultWebSecurityEx pressionHandler&GT ;
<属性名=permissionEvaluatorREF =permissionEvaluator/>
<属性名=roleHierarchyREF =roleHierarchy/>
< /豆>
现在我的AccessDecisionManager是:
<豆ID =的AccessDecisionManager级=org.springframework.security.access.vote.AffirmativeBased>
<构造带参数>
<列表>
<参考豆=的RoleVoter/>
< bean类=org.springframework.security.web.access.ex pression.WebEx pressionVoter>
<属性名=前pressionHandlerREF =WebEx的pressionHandler/>
< /豆>
< bean类=org.springframework.security.access.vote.AuthenticatedVoter/>
< /列表>
< /构造带参数>
< /豆>
I can't get sec:authorize hasRole() to work with the role hierarchy. If I have a user with role ROLE_BOSS which is the parent of ROLE_WORKER, then is false for some reason. In my service classes @PreAuthorize("hasRole('ROLE_WORKER')") does work however. I assumed they both used the same evaluator, so why doesn't the taglib work? Thanks for the help.
JSP:
<sec:authorize access="hasRole('ROLE_BOSS')">
<p>This shows up.</p>
</sec:authorize>
<sec:authorize access="hasRole('ROLE_WORKER')">
<p>This does not show up, but should.</p>
</sec:authorize>
-config.xml security:
<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="permissionEvaluator"/>
<property name="roleHierarchy" ref="roleHierarchy"/>
</bean>
<sec:global-method-security pre-post-annotations="enabled">
<sec:expression-handler ref="expressionHandler"/>
</sec:global-method-security>
<bean id="permissionEvaluator" class="com.myapp.security.MyPermissionEvaluator">
<constructor-arg index="0">
<map key-type="java.lang.String" value-type="com.myapp.security.Permission">
<entry key="contractReadAccess" value-ref="contractReadPermission"/>
<entry key="contractWriteAccess" value-ref="contractWritePermission"/>
</map>
</constructor-arg>
</bean>
<bean id="contractReadPermission" class="com.myapp.security.ContractReadPermission"/>
<bean id="contractWritePermission" class="com.myapp.security.ContractWritePermission"/>
<sec:http use-expressions="true" access-decision-manager-ref="accessDecisionManager">
<sec:intercept-url pattern="/worker/**" access="isAuthenticated()" requires-channel="https"/>
<sec:intercept-url pattern="/boss/**" access="hasRole('ROLE_BOSS')" requires-channel="https"/>
<sec:form-login login-page="/login" authentication-failure-url="/login?login_error=1" authentication-success-handler-ref="successHandler"/>
<sec:logout logout-url="/logout" logout-success-url="/login" invalidate-session="true"/>
<sec:remember-me/>
</sec:http>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<constructor-arg>
<list>
<ref bean="roleVoter" />
<bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
<property name="expressionHandler">
<bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
<property name="roleHierarchy" ref="roleHierarchy"/>
</bean>
</property>
</bean>
<bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</list>
</constructor-arg>
</bean>
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
<constructor-arg ref="roleHierarchy" />
</bean>
<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
<value>
ROLE_BOSS > ROLE_WORKER
</value>
</property>
</bean>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider user-service-ref="myUserDetailsService"/>
</sec:authentication-manager>
Very strange and I don't think this is correct, but it seems to work. I started digging through the Spring source code and I think I got it to work by taking the DefaultWebSecurityExpressionHandler out of the accessDecisionManager and placing it at the very top of all my security configurations. So at the top of my -config.xml I have this:
<bean id="webExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
<property name="permissionEvaluator" ref="permissionEvaluator"/>
<property name="roleHierarchy" ref="roleHierarchy"/>
</bean>
And my accessDecisionManager is now:
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<constructor-arg>
<list>
<ref bean="roleVoter" />
<bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
<property name="expressionHandler" ref="webExpressionHandler"/>
</bean>
<bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</list>
</constructor-arg>
</bean>
这篇关于春季安全的taglib秒:授权与角色层次不工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!