我正在做一些 RnD 来学习 Spring Security。在使用方法级安全性时,我尝试了以下操作:
Controller 接口
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
/**
 * Contract for the admin endpoints mapped under {@code /admin}.
 *
 * <p>The request mappings are declared here and repeated on the implementing
 * controller shown on the page. No access-control annotation is declared on this
 * interface; the {@code @Secured} restriction appears only on the implementation.
 */
@RequestMapping("/admin")
public interface AdminCtrl {

    /**
     * Handles {@code GET /admin/get}; the returned string is written to the response body.
     *
     * @return the text sent back to the caller
     */
    @RequestMapping(value = "/get", method = RequestMethod.GET)
    @ResponseBody
    String getSomething();
}
Controller 实现类
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
/**
 * Spring MVC controller implementing {@link AdminCtrl} under {@code /admin}.
 *
 * <p>NOTE(review): {@code @Secured} is enforced by a method-security interceptor, so it
 * only takes effect when method security is enabled in the application context that
 * creates this bean. On this page {@code global-method-security} is declared in
 * spring-security.xml (loaded by the ContextLoaderListener), while this class is picked
 * up by the component-scan in app-context.xml (loaded by the DispatcherServlet). That
 * split is consistent with the reported "anonymousUser" response; confirm which context
 * owns the controller before relying on the annotation as the access check.
 *
 * <p>NOTE(review): because the class implements an interface, an interface-based (JDK)
 * proxy would expose only the {@link AdminCtrl} methods; presumably that is why the
 * mappings are also declared on the interface. Verify against the proxy mode in use.
 */
@RequestMapping("/admin")
@Controller
public class AdminCtrlImpl implements AdminCtrl {

    /**
     * Returns the current principal's name followed by a fixed greeting.
     *
     * <p>Intended for callers holding {@code ROLE_ADMIN}; see the class-level note on when
     * that restriction is actually applied.
     *
     * @return {@code <principal name>==> Responding with HI}
     */
    @Override
    @RequestMapping(value = "/get", method = RequestMethod.GET)
    @Secured("ROLE_ADMIN")
    @ResponseBody
    public String getSomething() {
        // Whoever the security context currently holds; the page reports "anonymousUser"
        // here when the request was never challenged for credentials.
        final String callerName =
                SecurityContextHolder.getContext().getAuthentication().getName();
        return callerName + "==> Responding with HI";
    }
}
Spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security configuration. web.xml on this page loads it through the context-param contextConfigLocation, i.e. into the context created by ContextLoaderListener. -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<!-- Enables processing of @Secured. NOTE(review): method security only wraps beans defined in the same application context as this element; the controller on this page is component-scanned from app-context.xml, so confirm which context actually creates it. -->
<security:global-method-security
secured-annotations="enabled" />
<!-- Only form-login is configured. There is no intercept-url child, so no request URL is declared as requiring authentication at the web layer; the page reports that /admin/get is served to the anonymous user. -->
<security:http>
<security:form-login />
</security:http>
<!-- In-memory demo accounts. Passwords are plaintext literals and no password encoder is configured in this file; suitable for a local experiment only. Anything shared should use hashed credentials kept outside the configuration. -->
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="alpha" authorities="ROLE_ADMIN"
password="password" />
<security:user name="beta" authorities="ROLE_USER"
password="password" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
app-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Web (MVC) configuration. web.xml on this page passes this file to the DispatcherServlet as its own contextConfigLocation, so the beans below live in the servlet's context rather than in the one that loads spring-security.xml. -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:security="http://www.springframework.org/schema/security"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.2.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.2.xsd">
<mvc:annotation-driven />
<!-- Presumably the package that contains AdminCtrlImpl (its package declaration is not shown on the page). NOTE(review): the security namespace is declared above but no method-security element is present in this file, so @Secured on beans created by this scan is not covered by anything declared here; verify before treating the annotation as enforced. -->
<context:component-scan base-package="com.alpha.sample" />
</beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Deployment descriptor: wires the Spring Security filter, the MVC DispatcherServlet and the listener that loads the security configuration. -->
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>SpringSecurity</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<!-- Servlet filter that hands each request to the Spring bean named springSecurityFilterChain. Mapped to /* below, so every request passes through the security filters; which URLs actually require authentication is decided by the security:http element in spring-security.xml, not here. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- The DispatcherServlet builds its own application context from app-context.xml. Controllers scanned there are separate from the beans defined in spring-security.xml. -->
<servlet>
<servlet-name>springDispatcherServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/app-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Map all requests to the DispatcherServlet for handling -->
<servlet-mapping>
<servlet-name>springDispatcherServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Context loaded by ContextLoaderListener: only spring-security.xml. NOTE(review): global-method-security is declared in that file, so it applies to beans of this context; confirm whether the @Secured controller is meant to be covered. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-security.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
</web-app>
但是当我访问 http://localhost:8080/SpringMethodLevelSecurity/admin/get
时,它总是以匿名用户的身份访问,并始终显示:
anonymousUser==> Responding with HI
为什么它没有显示任何身份验证界面,例如表单登录或 HTTP 登录?
__
附言:虽然我知道安全注解(security annotations)主要属于 Service 层,但我想知道上述情况的具体原因。
谢谢
最佳答案
你应该在 <security:http> 标签内加入
<security:intercept-url pattern="/admin/get" access="ROLE_ADMIN"/>
如下所示:
<?xml version="1.0" encoding="UTF-8"?>
<!-- spring-security.xml as proposed in the answer: the same file as in the question plus one intercept-url rule. -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<!-- NOTE(review): method security only wraps beans defined in the same application context as this element; the URL rule below is what protects the controller at the web layer. -->
<security:global-method-security
secured-annotations="enabled" />
<security:http>
<security:form-login />
<!-- Requires ROLE_ADMIN for this one path, which is what makes the filter chain challenge an unauthenticated request. The pattern covers only /admin/get; any other mapping under /admin would need its own rule or a broader pattern. NOTE(review): with the 4.0 schema the http element is expected to default to use-expressions="true", in which case a bare ROLE_ADMIN is evaluated as an expression; confirm whether hasRole('ROLE_ADMIN') or use-expressions="false" is needed for the version in use. -->
<security:intercept-url pattern="/admin/get" access="ROLE_ADMIN"/>
</security:http>
<!-- In-memory demo accounts with plaintext passwords and no password encoder configured in this file; for local experiments only. -->
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="alpha" authorities="ROLE_ADMIN"
password="password" />
<security:user name="beta" authorities="ROLE_USER"
password="password" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
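关键在于:您的系统已经具备执行安全检查的条件,但您没有指定 Spring Security 必须对哪些 URL 模式应用安全检查。
事实上,@Secured 注解确实会执行安全检查,但它不是直接作用于 Web 上下文,而是作用于“应用程序上下文”;在 Web 层更正确的做法是配置 <security:http>...</security:http> 这一部分。换句话说,您的配置不起作用,是因为您配置的过滤器是依据 <security:http>...</security:http> 中的内容工作的。
具体到本页的配置:global-method-security 声明在由 ContextLoaderListener 加载的 spring-security.xml 中,而 Controller 是由 DispatcherServlet 加载的 app-context.xml 扫描创建的;方法级安全只拦截声明它的那个上下文中的 bean,所以 Controller 上的 @Secured 没有被执行,请求也就以匿名用户的身份通过了。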
希望对你有帮助
关于java - 在 Controller 方法上使用 @Secured 注释时基于 Spring Security JDK 的代理问题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/35860442/