春季安全的taglib秒：授权与角色层次不工作 [英] Spring Security taglib sec:authorize with role hierarchy not working

问题描述

我不能得到秒：授权hasRole（）与角色层次的工作。如果我有作用ROLE_BOSS这是ROLE_WORKER的父用户，则是出于某种原因假的。在我服务类@ preAuthorize（hasRole（'ROLE_WORKER'）），但是确实工作。我以为他们都使用相同的评估，那么为什么没有标签库的工作？感谢您的帮助。

JSP：

 ＆LT;秒：授权访问=hasRole（'ROLE_BOSS'）＆GT;
  ＆所述; P＆gt;这示出了与所述; / P＆GT;
＆LT; /秒：授权＆GT;
＆LT;秒：授权访问=hasRole（'ROLE_WORKER'）＆GT;
  ＆LT; P＆gt;这显示不出来，而应该与LT; / P＆GT;
＆LT; /秒：授权＆GT;
 

-config.xml安全性：

 ＆LT;豆的id =前pressionHandler class=\"org.springframework.security.access.ex$p$pssion.method.DefaultMethodSecurityEx$p$pssionHandler\">
  ＆LT;属性名=permissionEvaluatorREF =permissionEvaluator/＆GT;
  ＆LT;属性名=roleHierarchyREF =roleHierarchy/＆GT;
＆LT; /豆＆GT;其中p秒：全球方法的安全性pre-后注释=已启用＆GT;
  ＆LT;秒：前pression处理程序REF =前pressionHandler/＆GT;
＆LT; /秒：全球法安全＆GT;＆LT;豆的id =permissionEvaluator级=com.myapp.security.MyPermissionEvaluator＆GT;
  ＆LT;构造带参数的指数=0＆GT;
    ＆LT;映射键式=java.lang.String中价值型=com.myapp.security.Permission＆GT;
      ＆LT;输入键=contractReadAccess价值参考=contractReadPermission/＆GT;
      ＆LT;输入键=contractWriteAccess价值参考=contractWritePermission/＆GT;
    ＆LT; /图＆GT;
  ＆LT; /构造带参数＆GT;
＆LT; /豆＆GT;＆LT;豆的id =contractReadPermission级=com.myapp.security.ContractReadPermission/＆GT;
＆LT;豆的id =contractWritePermission级=com.myapp.security.ContractWritePermission/＆GT;＆LT;秒：使用http-EX pressions =真正的访问决策管理-REF =的AccessDecisionManager＆GT;
  ＆LT;秒：拦截-URL模式=/工人/ **访问=isAuthenticated（）要求渠道=HTTPS/＆GT;
  ＆LT;秒：拦截-URL模式=/老板/ **访问=hasRole（'ROLE_BOSS'）要求渠道=HTTPS/＆GT;  ＆LT;秒：表单登录登录页=/登录认证失败-URL =？/登录login_error = 1认证成功处理程序-REF =successHandler/＆GT;
  ＆LT;秒：注销注销-URL =/注销注销-成功-URL =/登录无效会话=真/＆GT;
＆LT;秒：记得，我/＆GT;
＆LT; /秒：HTTP＆GT;＆LT;豆ID =的AccessDecisionManager级=org.springframework.security.access.vote.AffirmativeBased＆GT;
  ＆LT;构造带参数＆GT;
    ＆LT;列表＆gt;
      ＆LT;参考豆=的RoleVoter/＆GT;
      ＆LT; bean类=org.springframework.security.web.access.ex pression.WebEx pressionVoter＆GT;
        ＆LT;属性名=前pressionHandler＆GT;
          ＆LT; bean类=org.springframework.security.web.access.ex pression.DefaultWebSecurityEx pressionHandler＆GT;
            ＆LT;属性名=roleHierarchyREF =roleHierarchy/＆GT;
          ＆LT; /豆＆GT;
        ＆LT; /性＆gt;
      ＆LT; /豆＆GT;
      ＆LT; bean类=org.springframework.security.access.vote.AuthenticatedVoter/＆GT;
    ＆LT; /列表＆gt;
  ＆LT; /构造带参数＆GT;
＆LT; /豆＆GT;＆LT;豆ID =的RoleVoter级=org.springframework.security.access.vote.RoleHierarchyVoter＆GT;
  ＆LT;构造带参数REF =roleHierarchy/＆GT;
＆LT; /豆＆GT;＆LT;豆的id =roleHierarchy级=org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl＆GT;
  ＆LT;属性名=层次＆GT;
    ＆LT; VALUE＆GT;
      ROLE_BOSS＆GT; ROLE_WORKER
    ＆LT; /值＆GT;
  ＆LT; /性＆gt;
＆LT; /豆＆GT;＆LT;秒：认证管理器别名=AuthenticationManager会＆GT;
  ＆LT;秒：认证提供商的用户服务-REF =myUserDetailsS​​ervice/＆GT;
＆LT; /秒：认证经理＆gt;
 

解决方案

很奇怪，我不认为这是正确的，但它似乎工作。我开始通过春源$ C ​​$ C挖，我想我得到了它通过利用DefaultWebSecurityEx pressionHandler出的AccessDecisionManager，并把它在我的所有安全配置的最高层工作。因此，在我-config.xml顶部我有这样的：

 ＆LT;豆的id =WebEx的pressionHandler级=org.springframework.security.web.access.ex pression.DefaultWebSecurityEx pressionHandler＆GT ;
  ＆LT;属性名=permissionEvaluatorREF =permissionEvaluator/＆GT;
  ＆LT;属性名=roleHierarchyREF =roleHierarchy/＆GT;
＆LT; /豆＆GT;
 

现在我的AccessDecisionManager是：

 ＆LT;豆ID =的AccessDecisionManager级=org.springframework.security.access.vote.AffirmativeBased＆GT;
  ＆LT;构造带参数＆GT;
    ＆LT;列表＆gt;
      ＆LT;参考豆=的RoleVoter/＆GT;
      ＆LT; bean类=org.springframework.security.web.access.ex pression.WebEx pressionVoter＆GT;
        ＆LT;属性名=前pressionHandlerREF =WebEx的pressionHandler/＆GT;
      ＆LT; /豆＆GT;
      ＆LT; bean类=org.springframework.security.access.vote.AuthenticatedVoter/＆GT;
    ＆LT; /列表＆gt;
  ＆LT; /构造带参数＆GT;
＆LT; /豆＆GT;
 

I can't get sec:authorize hasRole() to work with the role hierarchy. If I have a user with role ROLE_BOSS which is the parent of ROLE_WORKER, then is false for some reason. In my service classes @PreAuthorize("hasRole('ROLE_WORKER')") does work however. I assumed they both used the same evaluator, so why doesn't the taglib work? Thanks for the help.

JSP:

<sec:authorize access="hasRole('ROLE_BOSS')">
  <p>This shows up.</p>
</sec:authorize>
<sec:authorize access="hasRole('ROLE_WORKER')">
  <p>This does not show up, but should.</p>
</sec:authorize>

-config.xml security:

<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
  <property name="permissionEvaluator" ref="permissionEvaluator"/>
  <property name="roleHierarchy" ref="roleHierarchy"/>
</bean>

<sec:global-method-security pre-post-annotations="enabled">
  <sec:expression-handler ref="expressionHandler"/>
</sec:global-method-security>

<bean id="permissionEvaluator" class="com.myapp.security.MyPermissionEvaluator">
  <constructor-arg index="0">
    <map key-type="java.lang.String" value-type="com.myapp.security.Permission">
      <entry key="contractReadAccess" value-ref="contractReadPermission"/>
      <entry key="contractWriteAccess" value-ref="contractWritePermission"/>
    </map>
  </constructor-arg>
</bean>

<bean id="contractReadPermission" class="com.myapp.security.ContractReadPermission"/>
<bean id="contractWritePermission" class="com.myapp.security.ContractWritePermission"/>

<sec:http use-expressions="true" access-decision-manager-ref="accessDecisionManager">
  <sec:intercept-url pattern="/worker/**" access="isAuthenticated()" requires-channel="https"/>
  <sec:intercept-url pattern="/boss/**" access="hasRole('ROLE_BOSS')" requires-channel="https"/>

  <sec:form-login login-page="/login" authentication-failure-url="/login?login_error=1" authentication-success-handler-ref="successHandler"/>
  <sec:logout logout-url="/logout" logout-success-url="/login" invalidate-session="true"/>
<sec:remember-me/>
</sec:http>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
  <constructor-arg>
    <list>
      <ref bean="roleVoter" />
      <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
        <property name="expressionHandler">
          <bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
            <property name="roleHierarchy" ref="roleHierarchy"/>
          </bean>
        </property>
      </bean>
      <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
    </list>
  </constructor-arg>
</bean>

<bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
  <constructor-arg ref="roleHierarchy" />
</bean>

<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
  <property name="hierarchy">
    <value>
      ROLE_BOSS > ROLE_WORKER
    </value>
  </property>
</bean>

<sec:authentication-manager alias="authenticationManager">
  <sec:authentication-provider user-service-ref="myUserDetailsService"/>
</sec:authentication-manager>

解决方案

Very strange and I don't think this is correct, but it seems to work. I started digging through the Spring source code and I think I got it to work by taking the DefaultWebSecurityExpressionHandler out of the accessDecisionManager and placing it at the very top of all my security configurations. So at the top of my -config.xml I have this:

<bean id="webExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
  <property name="permissionEvaluator" ref="permissionEvaluator"/>
  <property name="roleHierarchy" ref="roleHierarchy"/>
</bean>

And my accessDecisionManager is now:

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
  <constructor-arg>
    <list>
      <ref bean="roleVoter" />
      <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
        <property name="expressionHandler" ref="webExpressionHandler"/>
      </bean>
      <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
    </list>
  </constructor-arg>
</bean>

这篇关于春季安全的taglib秒：授权与角色层次不工作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！