Java 具有Spring角色库安全性的GWT RPC
我的问题很简单“在使用Spring security和GWT RPC时可能会有任何问题?” 我想在GWT的RPC方法上使用spring的方法级安全性Java 具有Spring角色库安全性的GWT RPC,java,spring,gwt,spring-security,gwt-rpc,Java,Spring,Gwt,Spring Security,Gwt Rpc,我的问题很简单“在使用Spring security和GWT RPC时可能会有任何问题?” 我想在GWT的RPC方法上使用spring的方法级安全性 @PreAuthorize("hasRole('ROLE_ADMIN')") public final String getById(Long id) { ......... } 若取消授权角色访问用户尝试访问处理此rpc方法的页面,则会引发异常,并且不会重定向到“我的访问被拒绝”页面。我不知道为什么不去我的拒绝访问页面?我在控制台上遇到
@PreAuthorize("hasRole('ROLE_ADMIN')")
public final String getById(Long id) {
.........
}
spring security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:sec="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<sec:global-method-security
secured-annotations="enabled" pre-post-annotations="enabled" />
<sec:http auto-config="false" entry-point-ref="authenticateFilterEntryPoint">
<sec:access-denied-handler ref="accessDeniedHandler" />
<sec:intercept-url pattern="/login.html" />
<sec:logout logout-url="/logout.html" logout-success-url="/login.html"
invalidate-session="true" />
<sec:form-login login-page="/login.html"
login-processing-url="/login_check" authentication-failure-url="/login.html?error=1" />
<sec:session-management invalid-session-url="/login.html">
<sec:concurrency-control max-sessions="50"
error-if-maximum-exceeded="true" />
</sec:session-management>
<sec:remember-me key="mykey"
token-validity-seconds="604800" />
</sec:http>
<beans:bean id="authenticateFilterEntryPoint"
class="mypackage.common.security.SessionTimeoutEntryPoint">
<beans:property name="loginFormUrl" value="/login.html" />
</beans:bean>
<beans:bean id="accessDeniedHandler"
class="mypackage.common.security.AccessDeniedEntryPoint">
<beans:property name="errorPage" value="/unSecure.html" />
</beans:bean>
<beans:bean
class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
<beans:property name="defaultErrorView" value="uncaughtException" />
<beans:property name="excludedExceptions"
value="org.springframework.security.access.AccessDeniedException" />
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key=".DataAccessException">dataAccessFailure</beans:prop>
<beans:prop key=".NoSuchRequestHandlingMethodException">resourceNotFound</beans:prop>
<beans:prop key=".TypeMismatchException">resourceNotFound</beans:prop>
<beans:prop key=".MissingServletRequestParameterException">resourceNotFound</beans:prop>
</beans:props>
</beans:property>
</beans:bean>
<beans:bean id="authenticationUserService"
class="mypackage.common.security.AuthenticationUserService" />
<sec:authentication-manager>
<sec:authentication-provider
user-service-ref="authenticationUserService">
<sec:password-encoder hash="md5" />
</sec:authentication-provider>
</sec:authentication-manager>
<beans:bean id="authLoggerListener"
class="org.springframework.security.authentication.event.LoggerListener" />
<beans:bean id="eventLoggerListener"
class="org.springframework.security.access.event.LoggerListener" />
public class AccessDeniedEntryPoint extends org.springframework.security.web.access.AccessDeniedHandlerImpl {
private static final Logger logger = LoggerFactory.getLogger(AccessDeniedEntryPoint.class);
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException, ServletException {
super.handle(request, response, accessDeniedException);
}
}
public class SessionTimeoutEntryPoint extends LoginUrlAuthenticationEntryPoint {
@Override
public final void commence(final HttpServletRequest request, final HttpServletResponse response,
final AuthenticationException authException) throws IOException, ServletException {
super.commence(request, response, authException);
}
}
因此,当取消授权角色用户访问此方法时,我希望获得unSecure.html。我非常感谢你的任何建议。对不起,我的问题太长了。我不想再撞我的头了!谢谢。就像我上次的回答一样,我很久以前就用过这个。在我的例子中,我不总是处理URL,而是将其委托给处理程序 我的意思是,如果您想将GWT-RPC与Spring安全性集成,我做的第一件事就是从我的GWT应用程序尝试登录Spring 因此,您需要做的第一件事是创建一个登录名 我发现注释
@RemoteServiceRelativePath(“examplelogin.rpc”)spring security.xml....
<http use-expressions="true" entry-point-ref="http401UnauthorizedEntryPoint">
<intercept-url pattern="/yourProject/public.rpc" access="permitAll" />
<intercept-url pattern="/yourProject/examplelogin.rpc" access="hasRole('ROLE_ADMIN')" />
<form-login authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler"/>
..... //logout, session-management, custom-filters....
<beans:bean id="http401UnauthorizedEntryPoint"
class="your.project.Http401UnauthorizedEntryPoint" />
<beans:bean id="authenticationSuccessHandler"
class="your.project.GWTAuthenticationSuccessHandler"/>
<beans:bean id="authenticationFailureHandler"
class="your.project.GWTAuthenticationFailureHandler"/>
</http>
....
。。。。
..... //注销、会话管理、自定义筛选器。。。。
....
Spring SecurityGWT-RPC.RPC- 指定RPC调用或/login.html的侦听器url
- 像我一样委托处理者(小心,也许你做得很好 错误在另一部分,但至少我喜欢这个例子 工作)
谢谢。如我所述,我还使用了Spring security的登录安全性,效果很好。但对于方法级安全性,我错了什么?这不会重定向到我的unSecure.html页面,除非以
AccessDenied@PreAuthorize(“hasRole('ROLE\u ADMIN')”)