@Spring Security中的预授权注释';不行。可能是配置错误的.xml文件
我正在使用SpringSecurity(SpringBootApp)和AngularJS,并试图根据用户授予的权限允许/拒绝对特定映射的访问 User.java@Spring Security中的预授权注释';不行。可能是配置错误的.xml文件,spring,spring-security,spring-boot,pre-authentication,Spring,Spring Security,Spring Boot,Pre Authentication,我正在使用SpringSecurity(SpringBootApp)和AngularJS,并试图根据用户授予的权限允许/拒绝对特定映射的访问 User.java public class User implements UserDetails { ... private String username; private String password; private boolean enabled; private List<GrantedAuth
public class User implements UserDetails {
...
private String username;
private String password;
private boolean enabled;
private List<GrantedAuthority> grantedAuthorities;
public User(...) {...}
private class Permission implements GrantedAuthority {
String permission;
public Permission(String permission) {
this.permission = permission;
}
@Override
public String getAuthority() {
return permission;
}
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return grantedAuthorities;
}
...
}
如果用户有权限“10001”,但没有权限“00000”,则应允许访问/yes
,但不允许访问/no
。不幸的是,这两种路径都是允许的
我有spring安全配置
作为前面提到的maven依赖项
My WEB-INF/WEB.xml
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/security.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
</web-app>
用户“We are Borg”要求我发布解决方案作为答案,因此如下所示:
基本上,因为我的应用程序是SpringBoot应用程序,所以它忽略了(忽略了我的.xml配置文件)。解决方案非常简单:扩展websecurityConfigureAdapter
并覆盖configure(HttpSecurity)
方法。重写时,请确保用户具有访问路径(antMatchers)的权限和/或权限。它应该是这样的:
SecurityConfiguration.java
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and()
.authorizeRequests()
.antMatchers("/login.html", "/index.html", "/").permitAll()
.antMatchers("/yes").hasAuthority("10001")
.antMatchers("/no").hasAuthority("00000")
.anyRequest().authenticated();
}
}
您不再需要@PreAuthorize
注释,也不再需要.xml配置文件(security.xml、web.xml等)
祝你好运;) 安全性是使用SpringAOP应用的,这意味着使用了代理,这会导致注释无效。只有对对象的方法调用通过代理传递,您正在进行内部方法调用,因此没有代理,没有安全性。@M.Deinum我是Spring security的新手,您能解释一下吗?我有什么选择?我知道你所说的
内部方法调用是什么意思,我可以轻松地将@PreAuth注释移动到@RequestMapping,但这并不能解决任何问题。如果您可以指向另一个SO问题/答案或博客帖子,我将非常感激您还需要在包含带注释的bean的上下文中使用
标记。我假设您还有一个DispatcherServlet
,负责包含@RequestMapping
的@Controller
s。在父上下文(ContextLoaderListener
one)中定义的AOP不会影响子上下文(DispatcherServlet
)中的bean。我确实有
,但即使在web.xml中指定了配置路径,我也不确定是否正在读取xml。我没有任何DispatcherServlet
。。。我不知道我需要一个,因为一切似乎都很好(并没有说我需要一个)。你是否遵循指南?因为本指南使用Spring引导,这基本上放弃了web.xml和xml配置。您需要将@EnableGlobalMethodSecurity
添加到应用程序类中。多角色和多个uri的示例可以是AntMatcher(“/drug/deleteDrug/**”、“/drug/editDrug/**”、“/drug/saveDrugs/**”、“/drug/newDruge/**”)。hasAnyAuthority(“管理员”、“经理”)
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<context:component-scan base-package="com.mycompany.project" />
<global-method-security pre-post-annotations="enabled" />
</beans:beans>
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and()
.authorizeRequests()
.antMatchers("/login.html", "/index.html", "/").permitAll()
.antMatchers("/yes").hasAuthority("10001")
.antMatchers("/no").hasAuthority("00000")
.anyRequest()
.authenticated().and()
.addFilterAfter(new CSRFHeaderFilter(), CsrfFilter.class)
.csrf().csrfTokenRepository(csrfTokenRepository());
}
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and()
.authorizeRequests()
.antMatchers("/login.html", "/index.html", "/").permitAll()
.antMatchers("/yes").hasAuthority("10001")
.antMatchers("/no").hasAuthority("00000")
.anyRequest().authenticated();
}
}