Fatal编程技术网
  • java/
  • Java 为什么我的自定义PermissionEvaluator不工作?

Java 为什么我的自定义PermissionEvaluator不工作?

java spring spring-security

Java 为什么我的自定义PermissionEvaluator不工作?,java,spring,spring-security,Java,Spring,Spring Security,我不明白为什么我的安全装置不能正常工作。Evaluator类中的方法hasPermission()甚至未调用。我想我的安全配置有问题 我的安全配置: <?xml version="1.0" encoding="UTF-8"?> <bean:beans xmlns:bean="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-in

我不明白为什么我的安全装置不能正常工作。Evaluator类中的方法hasPermission()甚至未调用。我想我的安全配置有问题

我的安全配置:

<?xml version="1.0" encoding="UTF-8"?>
<bean:beans xmlns:bean="http://www.springframework.org/schema/beans"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:sec="http://www.springframework.org/schema/security"
            xmlns="http://www.springframework.org/schema/security"
            xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security.xsd">

    <sec:http use-expressions="true">
        <sec:intercept-url pattern="/favicon.ico" access="permitAll"/>
        <sec:intercept-url pattern="/resources/**" access="permitAll"/>
        <sec:intercept-url pattern="/login" access="permitAll"/>
        <sec:form-login login-page="/login"
                        username-parameter="login"
                        password-parameter="password"
                        authentication-failure-url="/login?error"
                        authentication-success-handler-ref="successHandler"/>
        <sec:logout logout-url="/logout" logout-success-url="/login?logout"/>
        <sec:access-denied-handler error-page="/WEB-INF/views/error/403.jsp"/>
    </sec:http>

    <sec:authentication-manager>
        <sec:authentication-provider ref="userAuthenticationProvider"/>
    </sec:authentication-manager>

    <sec:global-method-security pre-post-annotations="enabled" secured-annotations="enabled">
        <sec:expression-handler ref="expressionHandler"/>
    </sec:global-method-security>

    <bean:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <bean:property name="permissionEvaluator" ref="permissionEvaluator"/>
    </bean:bean>

    <bean:bean id="permissionEvaluator" class="de.mark.project.security.UserPermissionEvaluator">
        <bean:constructor-arg ref="userSecurityService"/>
    </bean:bean>

    <bean:bean id="successHandler" class="de.mark.project.security.UrlAuthenticationSuccessHandler"/>
    <bean:bean id="userSecurityService" class="de.mark.project.service.UserService"/>

    <bean:bean name="userAuthenticationProvider" class="de.mark.project.security.UserAuthenticationProvider">
        <bean:constructor-arg ref="userSecurityService"/>
    </bean:bean>

</bean:beans>
有没有办法解决这个问题

UPD:


log4jConfigLocation
类路径:/log4j.properties
org.springframework.web.util.Log4jConfigListener
上下文配置位置
classpath:/spring config/security.xml
类路径:/spring config/data.xml
org.springframework.web.context.ContextLoaderListener
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*
mvc
org.springframework.web.servlet.DispatcherServlet
上下文配置位置
类路径:/spring config/mvc.xml
1.
mvc
/
404
/WEB-INF/views/error/404.jsp
UPD 2

Spring MVC配置:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:ctx="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd">

    <mvc:annotation-driven/>
    <ctx:component-scan base-package="de.mark.project.web"/>
    <sec:global-method-security pre-post-annotations="enabled"/>
    <mvc:resources mapping="/resources/**" location="classpath:/style/"/>

    <mvc:interceptors>
        <bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
            <property name="cacheSeconds" value="0"/>
            <property name="useExpiresHeader" value="true"/>
            <property name="useCacheControlHeader" value="true"/>
            <property name="useCacheControlNoStore" value="true"/>
        </bean>
    </mvc:interceptors>

    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/views/"/>
        <property name="suffix" value=".jsp"/>
    </bean>
</beans>
这可能是因为
标记需要与Spring MVC配置处于相同的上下文中,否则控制器将不会被后处理。这是

例如,如果web.xml如下所示:

<!--
  - Location of the XML file that defines the root application context
  - Applied by ContextLoaderListener.
  -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/*.xml
    </param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!--
  - Loads the root application context of this web app at startup.
  - The application context is then available via
  - WebApplicationContextUtils.getWebApplicationContext(servletContext).
-->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/mvc/*.xml</param-value>
    </init-param>
</servlet>


上下文配置位置
/WEB-INF/spring/*.xml
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*
org.springframework.web.context.ContextLoaderListener
春天
org.springframework.web.servlet.DispatcherServlet
上下文配置位置
/WEB-INF/mvc/*.xml
要在控制器上支持方法安全性,请确保在/WEB-INF/mvc/*.xml中的某个位置定义了
标记。请注意,配置的其余部分应保持原样。如果您希望在服务上支持方法安全性,您可能还需要父级中的
(即现在可能的位置)

如果这没有帮助,请发布您的web.xml或WebApplicationInitializer,如果您没有使用web.xml

请同时发布更新的/spring config/mvc.xml(确保其中包含
)。我添加了mvc.xml。但是现在在我的UserController中,所有映射都消失了(找不到ViewResolver)。请尝试使用
,不幸的是,它没有帮助。我得到了:org.springframework.beans.factory.parsing.bean定义ParsingException:配置问题:检测到重复。有问题的资源:文件[…blahblah…\WEB-INF\classes\spring config\security.xml]诸如此类诸如此类非常重要:)请发布完整的堆栈。还要确保将PermissionEvaluator连接到mvc.xml中 
<web-app
        version="2.4"
        xmlns="http://java.sun.com/xml/ns/j2ee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
        http://java.sun.com/xml/ns/j2ee/web-app_2_5.xsd">


    <!-- log4j configuration -->
    <context-param>
        <param-name>log4jConfigLocation</param-name>
        <param-value>classpath:/log4j.properties</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>


    <!-- Config Setup -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:/spring-config/security.xml
            classpath:/spring-config/data.xml
        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>


    <!-- Spring MVC -->
    <servlet>
        <servlet-name>mvc</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:/spring-config/mvc.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>mvc</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>


    <!-- Error handling -->
    <error-page>
        <error-code>404</error-code>
        <location>/WEB-INF/views/error/404.jsp</location>
    </error-page>
</web-app>

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:ctx="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd">

    <mvc:annotation-driven/>
    <ctx:component-scan base-package="de.mark.project.web"/>
    <sec:global-method-security pre-post-annotations="enabled"/>
    <mvc:resources mapping="/resources/**" location="classpath:/style/"/>

    <mvc:interceptors>
        <bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
            <property name="cacheSeconds" value="0"/>
            <property name="useExpiresHeader" value="true"/>
            <property name="useCacheControlHeader" value="true"/>
            <property name="useCacheControlNoStore" value="true"/>
        </bean>
    </mvc:interceptors>

    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/views/"/>
        <property name="suffix" value=".jsp"/>
    </bean>
</beans>

<!--
  - Location of the XML file that defines the root application context
  - Applied by ContextLoaderListener.
  -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/*.xml
    </param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!--
  - Loads the root application context of this web app at startup.
  - The application context is then available via
  - WebApplicationContextUtils.getWebApplicationContext(servletContext).
-->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/mvc/*.xml</param-value>
    </init-param>
</servlet>