Java 尽管授予了权限,Spring Security仍拒绝访问“@Secured”方法
因此,我有一个Vaadin(8)视图,我为Spring Security提供了Java 尽管授予了权限,Spring Security仍拒绝访问“@Secured”方法,java,spring-boot,kotlin,spring-security,vaadin,Java,Spring Boot,Kotlin,Spring Security,Vaadin,因此,我有一个Vaadin(8)视图,我为Spring Security提供了@Secured: @Secured(SUPERADMIN_ROLE) @SpringView(name = AdminHomeView.NAME) class AdminHomeView : DemoViewWithLabel(){ companion object { const val NAME = "admin/home" } override val labelCon
@Secure
d:
@Secured(SUPERADMIN_ROLE)
@SpringView(name = AdminHomeView.NAME)
class AdminHomeView : DemoViewWithLabel(){
companion object {
const val NAME = "admin/home"
}
override val labelContent = "This is the protected admin section. You are authenticated and authorized."
}
其中DemoViewWithLabel
只是一个非常简单的抽象类
VerticalLayout(Label(labelContent))
因此,如果我以Superadmin
角色的身份登录,我可以很好地访问此视图
但是,让我们做一个小的更改并重写一个方法
@Secured(SUPERADMIN_ROLE)
@SpringView(name = AdminHomeView.NAME)
class AdminHomeView : DemoViewWithLabel(){
companion object {
const val NAME = "admin/home"
}
override val labelContent = "This is the protected admin section. You are authenticated and authorized."
override fun enter(event: ViewChangeListener.ViewChangeEvent?) {
super.enter(event)
}
}
这会给我一个AccessDeniedException
。。。我不明白为什么
所以我打开了Spring Security的调试loggign,它必须这么说:
Secure object: ReflectiveMethodInvocation: public void ch.cypherk.myapp.ui.views.admin.AdminHomeView.enter(com.vaadin.navigator.ViewChangeListener$ViewChangeEvent);
target is of class [ch.cypherk.myapp.ui.views.admin.AdminHomeView];
Attributes: [Superadmin]
到目前为止,这似乎还可以。它需要一个Superadmin
权限,并且它有一个具有该Superadmin
权限的经过身份验证的用户
然而
Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@7ddc2dd1, returned: 0
Voter: org.springframework.security.access.vote.RoleVoter@75d3fbb7, returned: 0
Voter: org.springframework.security.access.vote.AuthenticatedVoter@391740fc, returned: 0
因此
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AbstractAccessDecisionManager.checkAllowIfAllAbstainDecisions(AbstractAccessDecisionManager.java:70)
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:89)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:65)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688)
at ch.cypherk.myapp.ui.views.admin.AdminHomeView$$EnhancerBySpringCGLIB$$ae16a97c_4.enter(<generated>)
at com.vaadin.navigator.Navigator.performNavigateTo(Navigator.java:778)
at com.vaadin.navigator.Navigator.lambda$navigateTo$9a874efd$1(Navigator.java:702)
at com.vaadin.navigator.ViewBeforeLeaveEvent.navigate(ViewBeforeLeaveEvent.java:54)
at com.vaadin.navigator.View.beforeLeave(View.java:79)
at com.vaadin.navigator.Navigator.runAfterLeaveConfirmation(Navigator.java:730)
at com.vaadin.navigator.Navigator.navigateTo(Navigator.java:701)
at ...
org.springframework.security.access.AccessDeniedException:访问被拒绝
在org.springframework.security.access.vote.AbstractAccessDecisionManager.CheckAllowIfallDecisions上(AbstractAccessDecisionManager.java:70)
位于org.springframework.security.access.vote.AffirmativeBased.decise(AffirmativeBased.java:89)
位于org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
位于org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:65)
位于org.springframework.aop.framework.ReflectiveMethodInvocation.procedue(ReflectiveMethodInvocation.java:186)
位于org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688)
在ch.cypherk.myapp.ui.views.admin.AdminHomeView$$EnhancerBySpringCGLIB$$ae16a97c_4.enter()
位于com.vaadin.navigator.navigator.performNavigateTo(navigator.java:778)
在com.vaadin.navigator.navigator.lambda$navigateTo$9a874efd$1(navigator.java:702)
在com.vaadin.navigator.ViewBeforeLeaveEvent.navigate上(ViewBeforeLeaveEvent.java:54)
位于com.vaadin.navigator.View.beforeLeave(View.java:79)
位于com.vaadin.navigator.navigator.runAfterLeaveConfirmation(navigator.java:730)
位于com.vaadin.navigator.navigator.navigateTo(navigator.java:701)
在
为什么
希望您能帮我解决这个问题。简而言之 授予的权限不显示
角色
-前缀,因此被角色提醒器
忽略
用前缀为空的自定义实现替换RoleVoter
,解决了该问题
完整故事
现在剩下的问题是为什么我们可以访问视图。解释很简单,但需要更多的上下文
我们正在将Thorntail应用程序迁移到Spring Boot
我们使用的是Vaadin 8(因为我们有遗留的Vaadin 7东西,我们还没有摆脱,需要支持)
那么呢
Vaadin是一个单页框架,而Vaadin 8引用视图的方式很糟糕,也就是说,它使用了#根url上的code>(例如https://://#!foo/bar/baz/…
)
#
之后没有任何内容发送到服务器,这意味着我们无法区分对/
的访问和对/#的访问!foo/bar/baz/…
因此,我们不能使用Spring安全性来保护对视图的访问
我们有一个Vaadin视图,我们需要允许未经验证的访问
因此,我们被迫允许未经验证的访问/
。MainUI
(处理所有传入请求)将检查用户是否经过身份验证,如果没有,则重定向到登录页面
访问视图本身是由Vaadin而不是Spring保护的。SpringViewProvider
将找不到用户无权访问的视图(因此,用户无法在那里导航)
然而,只要我们在该视图上调用一个方法,Spring安全性就会启动并执行访问检查。正是这些检查失败了,因为授予的授权没有Spring预期的“角色”前缀。(我假设这只是一个惯例,但事实并非如此;RoleVoter
实际上忽略了不显示前缀的权限,因此您必须这样做,或者您必须提供自己的RoleVoter
)
解决方案相对简单
@Configuration
@EnableGlobalMethodSecurity(
securedEnabled = true,
prePostEnabled = true,
proxyTargetClass = true
)
class GlobalSecurityConfiguration : GlobalMethodSecurityConfiguration(){
override fun accessDecisionManager(): AccessDecisionManager {
return (super.accessDecisionManager() as AffirmativeBased).apply {
decisionVoters.replaceAll {
when(it){
is RoleVoter -> MyRoleVoter()
else -> it
}
}
}
}
}
在哪里
@Configuration
@EnableGlobalMethodSecurity(
securedEnabled = true,
prePostEnabled = true,
proxyTargetClass = true
)
class GlobalSecurityConfiguration : GlobalMethodSecurityConfiguration(){
override fun accessDecisionManager(): AccessDecisionManager {
return (super.accessDecisionManager() as AffirmativeBased).apply {
decisionVoters.replaceAll {
when(it){
is RoleVoter -> MyRoleVoter()
else -> it
}
}
}
}
}
class MyRoleVoter : RoleVoter(){
init {
rolePrefix = ""
}
}