Spring security - Method level security doesn't work on calling from another method


Question

Suppose I have two methods

    // Secured handler: only ROLE_ADMIN may reach /methodA through the proxy
    @Secured("ROLE_ADMIN")
    @RequestMapping(value = "/methodA", method = RequestMethod.GET)
    public void MethodA() {
        // code
    }

and another method which calls the first method

    // Unsecured handler that invokes MethodA() directly on the same instance
    @RequestMapping(value = "/MethodB", method = RequestMethod.GET)
    public void MethodB() {
        MethodA();
        // code
    }

If I log in to the application with the authority ROLE_USER and try accessing the URL /methodA I get an access denied exception - perfect! But if I access the URL /methodB I don't get an access denied exception even though I am accessing MethodA there with a ROLE_USER authority. Is it supposed to work like that or am I doing something wrong?

PS: This isn't a real-time application scenario, but I was just playing around with the code.

Recommended answer

This is because Spring Security works by proxying your secured classes. This means that it puts a wrapper around your existing class. This can either be a java.lang.Proxy if using an interface-based proxy, or it can be a cglib-enhanced subclass. I don't want to go too heavily into that here though.

But the bottom line is that when an external caller calls one of your methods, this is what happens:

Caller ---> Proxy ---> Security Interceptor ---> Implementation class

It's the security interceptor that inspects the annotations and determines what security to apply. However, once you're in the actual implementation class, you're just calling methods without the proxy and security interceptor being involved, and thus there are no security checks.

As such, you need to protect each of your entry points with the @Secured annotation that's appropriate for it, and whatever it calls internally.
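To make the proxy mechanism concrete, here is an added, self-contained Java example that is not code from the question, the answer, or Spring itself. It rebuilds the three boxes of the diagram above with java.lang.reflect.Proxy: a local @Secured annotation standing in for Spring's, a ROLES thread-local standing in for the SecurityContextHolder, and an invocation handler playing the security interceptor. The Controller, ControllerImpl, secure and runAs names are all constructed for this demo. It shows the bypass the question reports (an internal this.methodA() call never reaches the interceptor) and then the same call routed through the proxy, where the check is enforced again.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;
import java.util.function.Supplier;

public class SelfInvocationDemo {

    /** Stand-in for Spring's @Secured (constructed for this demo, not Spring's annotation). */
    @Retention(RetentionPolicy.RUNTIME)
    @interface Secured { String value(); }

    /** Stand-in for the SecurityContextHolder: roles of the current "logged-in" user. */
    static final ThreadLocal<Set<String>> ROLES = new ThreadLocal<>();

    interface Controller {
        String methodA();
        String methodB();
    }

    static class ControllerImpl implements Controller {
        /** Target of the internal call; 'this' reproduces the bypass, the proxy fixes it. */
        Controller self = this;

        @Secured("ROLE_ADMIN")
        public String methodA() { return "A executed"; }

        // Not secured itself; what matters is how it reaches methodA.
        public String methodB() { return "B -> " + self.methodA(); }
    }

    /** The "security interceptor": it only runs for calls that arrive through the proxy. */
    static Controller secure(ControllerImpl target) {
        InvocationHandler handler = (proxy, method, args) -> {
            // The annotation lives on the implementation method, not the interface method.
            Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
            Secured secured = impl.getAnnotation(Secured.class);
            Set<String> roles = ROLES.get();
            if (roles == null) roles = Set.of();
            if (secured != null && !roles.contains(secured.value())) {
                throw new SecurityException(method.getName() + " requires " + secured.value());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface a denial raised by a nested proxied call
            }
        };
        return (Controller) Proxy.newProxyInstance(
                Controller.class.getClassLoader(), new Class<?>[] { Controller.class }, handler);
    }

    /** Runs an action as a user holding one role, reporting denials instead of crashing. */
    static String runAs(String role, Supplier<String> action) {
        ROLES.set(Set.of(role));
        try {
            return action.get();
        } catch (SecurityException e) {
            return "DENIED: " + e.getMessage();
        } finally {
            ROLES.remove();
        }
    }

    public static void main(String[] args) {
        ControllerImpl impl = new ControllerImpl();
        Controller proxy = secure(impl);

        // 1. /methodA through the proxy as ROLE_USER: the interceptor denies it.
        System.out.println(runAs("ROLE_USER", proxy::methodA));
        // 2. /methodB as ROLE_USER: methodB is unsecured and its internal this.methodA()
        //    never passes through the proxy, so the secured method runs anyway.
        System.out.println(runAs("ROLE_USER", proxy::methodB));
        // 3. Route the internal call through the proxy and the check is enforced again.
        impl.self = proxy;
        System.out.println(runAs("ROLE_USER", proxy::methodB));
        // 4. ROLE_ADMIN passes in every configuration.
        System.out.println(runAs("ROLE_ADMIN", proxy::methodB));
    }
}
```

Compile and run it with javac and java (Java 9 or later for Set.of). The second call is the situation in the question: the caller enters through the proxy once, for methodB, and everything methodB does on this afterwards is invisible to the interceptor. Setting self to the proxy is the generic fix: a call must enter through the proxy to be checked. In Spring that translates to annotating methodB as well, as the answer says, or moving the secured method into a separate bean that methodB calls through its injected proxy; self-injection of the bean, or AopContext.currentProxy() with @EnableAspectJAutoProxy(exposeProxy = true), are the other common workarounds.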

