Java 尽管授予了权限,Spring Security仍拒绝访问“@Secured”方法
因此,我有一个Vaadin(8)视图,我为Spring Security提供了Java 尽管授予了权限,Spring Security仍拒绝访问“@Secured”方法,java,spring-boot,kotlin,spring-security,vaadin,Java,Spring Boot,Kotlin,Spring Security,Vaadin,因此,我有一个Vaadin(8)视图,我为Spring Security提供了@Secured: @Secured(SUPERADMIN_ROLE) @SpringView(name = AdminHomeView.NAME) class AdminHomeView : DemoViewWithLabel(){ companion object { const val NAME = "admin/home" } override val labelCon
@Secure@Secured(SUPERADMIN_ROLE)
@SpringView(name = AdminHomeView.NAME)
class AdminHomeView : DemoViewWithLabel(){
companion object {
const val NAME = "admin/home"
}
override val labelContent = "This is the protected admin section. You are authenticated and authorized."
}
DemoViewWithLabelVerticalLayout(Label(labelContent))
Superadmin@Secured(SUPERADMIN_ROLE)
@SpringView(name = AdminHomeView.NAME)
class AdminHomeView : DemoViewWithLabel(){
companion object {
const val NAME = "admin/home"
}
override val labelContent = "This is the protected admin section. You are authenticated and authorized."
override fun enter(event: ViewChangeListener.ViewChangeEvent?) {
super.enter(event)
}
}
AccessDeniedExceptionSecure object: ReflectiveMethodInvocation: public void ch.cypherk.myapp.ui.views.admin.AdminHomeView.enter(com.vaadin.navigator.ViewChangeListener$ViewChangeEvent);
target is of class [ch.cypherk.myapp.ui.views.admin.AdminHomeView];
Attributes: [Superadmin]
SuperadminSuperadminVoter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@7ddc2dd1, returned: 0
Voter: org.springframework.security.access.vote.RoleVoter@75d3fbb7, returned: 0
Voter: org.springframework.security.access.vote.AuthenticatedVoter@391740fc, returned: 0
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AbstractAccessDecisionManager.checkAllowIfAllAbstainDecisions(AbstractAccessDecisionManager.java:70)
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:89)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:65)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688)
at ch.cypherk.myapp.ui.views.admin.AdminHomeView$$EnhancerBySpringCGLIB$$ae16a97c_4.enter(<generated>)
at com.vaadin.navigator.Navigator.performNavigateTo(Navigator.java:778)
at com.vaadin.navigator.Navigator.lambda$navigateTo$9a874efd$1(Navigator.java:702)
at com.vaadin.navigator.ViewBeforeLeaveEvent.navigate(ViewBeforeLeaveEvent.java:54)
at com.vaadin.navigator.View.beforeLeave(View.java:79)
at com.vaadin.navigator.Navigator.runAfterLeaveConfirmation(Navigator.java:730)
at com.vaadin.navigator.Navigator.navigateTo(Navigator.java:701)
at ...
org.springframework.security.access.AccessDeniedException:访问被拒绝
在org.springframework.security.access.vote.AbstractAccessDecisionManager.CheckAllowIfallDecisions上(AbstractAccessDecisionManager.java:70)
位于org.springframework.security.access.vote.AffirmativeBased.decise(AffirmativeBased.java:89)
位于org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
位于org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:65)
位于org.springframework.aop.framework.ReflectiveMethodInvocation.procedue(ReflectiveMethodInvocation.java:186)
位于org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688)
在ch.cypherk.myapp.ui.views.admin.AdminHomeView$$EnhancerBySpringCGLIB$$ae16a97c_4.enter()
位于com.vaadin.navigator.navigator.performNavigateTo(navigator.java:778)
在com.vaadin.navigator.navigator.lambda$navigateTo$9a874efd$1(navigator.java:702)
在com.vaadin.navigator.ViewBeforeLeaveEvent.navigate上(ViewBeforeLeaveEvent.java:54)
位于com.vaadin.navigator.View.beforeLeave(View.java:79)
位于com.vaadin.navigator.navigator.runAfterLeaveConfirmation(navigator.java:730)
位于com.vaadin.navigator.navigator.navigateTo(navigator.java:701)
在
希望您能帮我解决这个问题。简而言之 授予的权限不显示
角色角色提醒器RoleVoter#(例如https://://#!foo/bar/baz/…
)
#
之后没有任何内容发送到服务器,这意味着我们无法区分对/
的访问和对/#的访问!foo/bar/baz/…
因此,我们不能使用Spring安全性来保护对视图的访问
我们有一个Vaadin视图,我们需要允许未经验证的访问
因此,我们被迫允许未经验证的访问/
。MainUI
(处理所有传入请求)将检查用户是否经过身份验证,如果没有,则重定向到登录页面
访问视图本身是由Vaadin而不是Spring保护的。SpringViewProvider
将找不到用户无权访问的视图(因此,用户无法在那里导航)
然而,只要我们在该视图上调用一个方法,Spring安全性就会启动并执行访问检查。正是这些检查失败了,因为授予的授权没有Spring预期的“角色”前缀。(我假设这只是一个惯例,但事实并非如此;RoleVoter
实际上忽略了不显示前缀的权限,因此您必须这样做,或者您必须提供自己的RoleVoter
)
解决方案相对简单
@Configuration
@EnableGlobalMethodSecurity(
securedEnabled = true,
prePostEnabled = true,
proxyTargetClass = true
)
class GlobalSecurityConfiguration : GlobalMethodSecurityConfiguration(){
override fun accessDecisionManager(): AccessDecisionManager {
return (super.accessDecisionManager() as AffirmativeBased).apply {
decisionVoters.replaceAll {
when(it){
is RoleVoter -> MyRoleVoter()
else -> it
}
}
}
}
}
在哪里
@Configuration
@EnableGlobalMethodSecurity(
securedEnabled = true,
prePostEnabled = true,
proxyTargetClass = true
)
class GlobalSecurityConfiguration : GlobalMethodSecurityConfiguration(){
override fun accessDecisionManager(): AccessDecisionManager {
return (super.accessDecisionManager() as AffirmativeBased).apply {
decisionVoters.replaceAll {
when(it){
is RoleVoter -> MyRoleVoter()
else -> it
}
}
}
}
}
class MyRoleVoter : RoleVoter(){
init {
rolePrefix = ""
}
}