Spring Security taglib sec:authorize with role hierarchy not working

Tags: spring spring-security authorization roles taglib

I can't get sec:authorize hasRole() to use the role hierarchy. If I have a user with the role ROLE_BOSS, which is the parent of ROLE_WORKER, it evaluates to false for some reason. However, @PreAuthorize("hasRole('ROLE_WORKER')") in my service class does work. I assumed they both use the same evaluator, so why doesn't the taglib work? Thanks for your help.

JSP:

<sec:authorize access="hasRole('ROLE_BOSS')">
  <p>This shows up.</p>
</sec:authorize>
<sec:authorize access="hasRole('ROLE_WORKER')">
  <p>This does not show up, but should.</p>
</sec:authorize>

security-config.xml:

<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
  <property name="permissionEvaluator" ref="permissionEvaluator"/>
  <property name="roleHierarchy" ref="roleHierarchy"/>
</bean>

<sec:global-method-security pre-post-annotations="enabled">
  <sec:expression-handler ref="expressionHandler"/>
</sec:global-method-security>

<bean id="permissionEvaluator" class="com.myapp.security.MyPermissionEvaluator">
  <constructor-arg index="0">
    <map key-type="java.lang.String" value-type="com.myapp.security.Permission">
      <entry key="contractReadAccess" value-ref="contractReadPermission"/>
      <entry key="contractWriteAccess" value-ref="contractWritePermission"/>
    </map>
  </constructor-arg>
</bean>

<bean id="contractReadPermission" class="com.myapp.security.ContractReadPermission"/>
<bean id="contractWritePermission" class="com.myapp.security.ContractWritePermission"/>

<sec:http use-expressions="true" access-decision-manager-ref="accessDecisionManager">
  <sec:intercept-url pattern="/worker/**" access="isAuthenticated()" requires-channel="https"/>
  <sec:intercept-url pattern="/boss/**" access="hasRole('ROLE_BOSS')" requires-channel="https"/>

  <sec:form-login login-page="/login" authentication-failure-url="/login?login_error=1" authentication-success-handler-ref="successHandler"/>
  <sec:logout logout-url="/logout" logout-success-url="/login" invalidate-session="true"/>
  <sec:remember-me/>
</sec:http>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
  <constructor-arg>
    <list>
      <ref bean="roleVoter" />
      <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
        <property name="expressionHandler">
          <bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
            <property name="roleHierarchy" ref="roleHierarchy"/>
          </bean>
        </property>
      </bean>
      <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
    </list>
  </constructor-arg>
</bean>

<bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
  <constructor-arg ref="roleHierarchy" />
</bean>

<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
  <property name="hierarchy">
    <value>
      ROLE_BOSS > ROLE_WORKER
    </value>
  </property>
</bean>

<sec:authentication-manager alias="authenticationManager">
  <sec:authentication-provider user-service-ref="myUserDetailsService"/>
</sec:authentication-manager>

Best answer

For those like me who use Java Config, here is a very simple solution: just add the following code to the class that extends WebSecurityConfigurerAdapter:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.vote.RoleHierarchyVoter;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

// Class name is illustrative; any class extending WebSecurityConfigurerAdapter will do.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public RoleHierarchyVoter roleVoter() {
        return new RoleHierarchyVoter(roleHierarchy());
    }

    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
        roleHierarchy.setHierarchy("ROLE_BOSS > ROLE_WORKER");
        return roleHierarchy;
    }

    // Web expression handler that knows about the hierarchy; once registered on
    // WebSecurity it is exposed as a bean and picked up by the sec:authorize tag.
    private SecurityExpressionHandler<FilterInvocation> webExpressionHandler() {
        DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
        defaultWebSecurityExpressionHandler.setRoleHierarchy(roleHierarchy());
        return defaultWebSecurityExpressionHandler;
    }

    @Override
    public void init(WebSecurity web) throws Exception {
        web.expressionHandler(webExpressionHandler());
        super.init(web);
    }
}

Regarding "Spring Security taglib sec:authorize with role hierarchy not working", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/13132922/
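To see why the tag and the method annotation disagree, here is a small stand-alone Java program added as an example (it is not part of the question, the answer or Spring Security itself). It drives two `DefaultWebSecurityExpressionHandler` instances the way the `sec:authorize` tag does: one without a role hierarchy, as the `<http>` namespace creates it by default, and one carrying the question's `ROLE_BOSS > ROLE_WORKER` hierarchy. Both evaluate `hasRole('ROLE_WORKER')` for a user who holds only `ROLE_BOSS`; the handler without the hierarchy answers false, the one with it answers true. The class name, the principal `alice` and the request path `/worker/page` are made up for the demo.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

/**
 * Added demo (not code from the page): evaluates web security expressions the
 * same way the sec:authorize tag does, with and without a role hierarchy wired
 * into the expression handler. Class name, principal and path are made up.
 */
public class RoleHierarchyTaglibDemo {

    /** Mirrors the tag: build an evaluation context for a request, parse, evaluate. */
    static boolean evaluate(SecurityExpressionHandler<FilterInvocation> handler,
                            Authentication authentication, String expressionString) {
        // FilterInvocation(servletPath, method) builds a dummy request, so no servlet container is needed.
        FilterInvocation invocation = new FilterInvocation("/worker/page", "GET");
        EvaluationContext context = handler.createEvaluationContext(authentication, invocation);
        Expression expression = handler.getExpressionParser().parseExpression(expressionString);
        return ExpressionUtils.evaluateAsBoolean(expression, context);
    }

    /** A handler configured as the <http> namespace does by default: no hierarchy. */
    static SecurityExpressionHandler<FilterInvocation> handlerWithoutHierarchy() {
        return new DefaultWebSecurityExpressionHandler();
    }

    /** A handler carrying the same hierarchy the question's roleHierarchy bean declares. */
    static SecurityExpressionHandler<FilterInvocation> handlerWithHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_BOSS > ROLE_WORKER");
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setRoleHierarchy(hierarchy);
        return handler;
    }

    public static void main(String[] args) {
        // Constructed test user holding only the parent role.
        Authentication boss = new TestingAuthenticationToken("alice", "n/a", "ROLE_BOSS");

        for (String expr : new String[] {"hasRole('ROLE_BOSS')", "hasRole('ROLE_WORKER')"}) {
            System.out.printf("%-24s without hierarchy: %-5s with hierarchy: %s%n",
                    expr,
                    evaluate(handlerWithoutHierarchy(), boss, expr),
                    evaluate(handlerWithHierarchy(), boss, expr));
        }
    }
}
```

The `sec:authorize` tag resolves a `SecurityExpressionHandler<FilterInvocation>` bean from the web application context, so whichever handler is visible there decides what `hasRole()` means on the page. In the question's XML the hierarchy-aware `DefaultWebSecurityExpressionHandler` is an anonymous inner bean of the `WebExpressionVoter` and is not visible to that lookup, while the method-security handler has the hierarchy, which is exactly the split the asker observed. Declaring the web handler as a top-level bean and pointing `<sec:http>` at it with `<sec:expression-handler ref="..."/>` gives the tag the same view of roles that `@PreAuthorize` already has; the Java Config answer above achieves the same thing through `web.expressionHandler(...)`.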
