Java 在具有角色和权限的Spring security中使用@PreAuthorize
我正在对用户、角色、正确的实体使用spring安全性,并且用户已成功通过身份验证,我可以访问其权限集合 我使用AJAX调用视图页面,并在前端和后端之间发送json。问题是,我不知道如何配置我的spring安全文件,因为@PreAuthorize注释不起作用。加载应用程序时会显示“我的登录”页面,如果控制器以json格式发送的凭据不正确,则会重定向到“登录”页面。如果你能帮我解决这个问题,我将不胜感激Java 在具有角色和权限的Spring security中使用@PreAuthorize,java,spring-mvc,spring-security,authorization,Java,Spring Mvc,Spring Security,Authorization,我正在对用户、角色、正确的实体使用spring安全性,并且用户已成功通过身份验证,我可以访问其权限集合 我使用AJAX调用视图页面,并在前端和后端之间发送json。问题是,我不知道如何配置我的spring安全文件,因为@PreAuthorize注释不起作用。加载应用程序时会显示“我的登录”页面,如果控制器以json格式发送的凭据不正确,则会重定向到“登录”页面。如果你能帮我解决这个问题,我将不胜感激 @PreAuthorize("hasRole('ROLE_RIGHT_READ_USER_LIS
@PreAuthorize("hasRole('ROLE_RIGHT_READ_USER_LIST')")
// @Secured("ROLE_RIGHT_READ_USER_LIST")
@RequestMapping(value = "/findAll", method = RequestMethod.GET, produces = {"application/json"})
@ResponseBody
public String findAll(HttpServletRequest request) {
以下是我的spring安全文件内容:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<global-method-security pre-post-annotations="enabled" secured-annotations="enabled"/>
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/user/findAll/" access="hasRole('ROLE_RIGHT_READ_USER_LIST')" />
</http>
<beans:bean id="jdbcAuthenticationProvider" class="com.my.app.spring.JdbcAuthenticationProvider"/>
<authentication-manager>
<authentication-provider ref="jdbcAuthenticationProvider"/>
</authentication-manager>
</beans:beans>
这是我的控制器:
@Controller
@RequestMapping("/auth")
public class SecurityHandler extends AbstractHandler {
@Autowired
protected UserService userService;
@Resource(name = "authenticationProvider")
AuthenticationProvider authenticationProvider;
@RequestMapping(value = "/login", method = RequestMethod.POST, produces = {"application/json"})
@ResponseBody
public String logon(
@RequestParam(value = "username", required = true) String username,
@RequestParam(value = "password", required = true) String password,
HttpServletRequest request) {
Authentication req = new UsernamePasswordAuthenticationToken( username, password );
Authentication result = authenticationProvider.authenticate( req );
SecurityContextHolder.getContext().setAuthentication( result );
UserDetails userDetails=null;
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (!(auth instanceof AnonymousAuthenticationToken)) {
userDetails
= (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}
User user = (User)userDetails;
Collection<? extends GrantedAuthority> ga = userDetails.getAuthorities();
HttpSession session = request.getSession(true);
session.setAttribute(SESSION_ATTRIB_USER, user);
return getJsonSuccessData(user);
} else {
return getJsonErrorMsg(ar.getMsg());
}
}
@控制器
@请求映射(“/auth”)
公共类SecurityHandler扩展了AbstractHandler{
@自动连线
受保护的用户服务用户服务;
@资源(name=“authenticationProvider”)
AuthenticationProvider AuthenticationProvider;
@RequestMapping(value=“/login”,method=RequestMethod.POST,products={“application/json”})
@应答器
公共字符串登录(
@RequestParam(value=“username”,required=true)字符串用户名,
@RequestParam(value=“password”,required=true)字符串密码,
HttpServletRequest(请求){
认证请求=新用户名PasswordAuthenticationToken(用户名、密码);
验证结果=authenticationProvider.Authentication(请求);
SecurityContextHolder.getContext().setAuthentication(结果);
UserDetails UserDetails=null;
Authentication auth=SecurityContextHolder.getContext().getAuthentication();
if(!(匿名身份验证令牌的身份验证实例)){
用户详细信息
=(UserDetails)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}
用户=(用户)用户详细信息;
Collection好的,我真的不知道您是如何配置您的上下文的,但是,我将在这里粘贴一个我正在使用的基于Java的配置:
import org.aopalliance.intercept.MethodInterceptor;
import org.springframework.context.annotation.AdviceMode;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import com.comilion.fw.app.security.MyPermissionEvaluator;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class GlobalMethodSecurityCtxConfiguration extends GlobalMethodSecurityConfiguration {
}
如果您使用的是基于XML的配置,只需使用将其添加到您的配置中即可。虽然您的配置中存在一些重复,但似乎已经足够工作了。您确定要保护的控制器是与Spring安全上下文分离的同一上下文的一部分吗?是的,只有一个上下文。不是吗这是否等于我的xml配置?