Java Spring安全性不是安全方法_Java_Spring_Spring Mvc_Spring Security

Java Spring安全性不是安全方法

java spring spring-mvc spring-security

Java Spring安全性不是安全方法,java,spring,spring-mvc,spring-security,Java,Spring,Spring Mvc,Spring Security,我正在试用Spring安全性，我用@PreAuthorize注释了RestController的一些方法。但是，我可以访问所有这些文件，而无需进行身份验证 Web.xml <?xml version="1.0" encoding="UTF-8"?> <web-app ...> <context-param> <param-name>contextConfigLocation</param-name>

我正在试用Spring安全性，我用@PreAuthorize注释了RestController的一些方法。但是，我可以访问所有这些文件，而无需进行身份验证

Web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app ...>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/root-context.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>

    <servlet>
        <servlet-name>appServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring/servlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>appServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>

有什么问题吗？

将

移动到

DispatcherServlet

加载的上下文中。与所有AOP一样，它们只应用于相同上下文中的bean。您已经在根上下文中定义了它，因此只考虑根上下文中的bean。您的控制器是子系统（

DispatcherServlet

）的一部分，因此它对它一无所知。谢谢，这就是重点。请移动它作为答案，以便我可以接受它。

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans ...>  
    <global-method-security pre-post-annotations="enabled" />

    <http auto-config="true">
        <intercept-url pattern="/service/public/**" />
        <intercept-url pattern="/service/user/**" access="ROLE_USER,ROLE_ADMIN" />
        <intercept-url pattern="/service/admin/**" access="ROLE_ADMIN" />
    </http>

    <authentication-manager alias="authenticationManager">
         <authentication-provider> <user-service> <user name="admin" password="admin" 
            authorities="ROLE_ADMIN" /> <user name="user" password="user" authorities="ROLE_USER" 
            /> </user-service> </authentication-provider>    
    </authentication-manager>
</beans:beans>

@RestController
@RequestMapping("/service")
public class Service {
    @RequestMapping(value = "/public/{name}", method = RequestMethod.GET)
    public String storeEntityPublic(@PathVariable String name) {
        String result = "Hello " + name + ", I am saving on the db. (PUBLIC)";
        return result;
    }

    @PreAuthorize("hasAnyRole('ROLE_USER','ROLE_ADMIN')")
    @RequestMapping(value = "/user/{name}", method = RequestMethod.GET)
    public String storeEntityUserOrAdmin(@PathVariable String name) {
        String result = "Hello " + name
                + ", I am saving on the db. (USER OR ADMIN)";
        return result;
    }

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @RequestMapping(value = "/admin/{name}", method = RequestMethod.GET)
    public String storeEntityAdmin(@PathVariable String name) {
        String result = "Hello Admin " + name
                + ", I am saving on the db. (ADMIN ONLY)";
        return result;
    }
}