我正在尝试在我的项目中实现自定义权限评估程序。我已经配置了spring security 3.2 and spring 4。但是,我无法使其正常运行。
springframework.version:4.0.2.RELEASE
springsecurity.version:3.2.1发布
我已经用@PreAuthorize("hasPermission()")注释来注释我所有的控制器方法。但是该调用不会进入我的自定义评估程序中的hasPermission()方法。
我的代码粘贴在下面:
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<global-method-security pre-post-annotations="enabled" jsr250-annotations="enabled">
<expression-handler ref="expressionHandler"/>
</global-method-security>
<http auto-config="true" use-expressions="true" access-denied-page="/auth/auth/denied" >
<intercept-url pattern="/auth/auth/login" access="denyAll"/>
<intercept-url pattern="/auth/main/admin" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/auth/main/common" access="hasRole('ROLE_USER')"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="123456" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
<beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>
<!-- A custom service where Spring will retrieve users and their corresponding access levels -->
<!--<bean id="customUserDetailsService" class="com.cj.customAuthProvider"/>-->
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>
<beans:bean id="permissionEvaluator" class="com.mycompany.common.evaluators.AuthorizationEvaluatorController"/>
</beans:beans>
rest-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
<context:component-scan base-package="com.reactore.common.web.controller"/>
<mvc:annotation-driven/>
<bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
<property name="order" value="1"/>
<property name="messageConverters">
<list>
<bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
<property name="supportedMediaTypes" value="application/json"/>
</bean>
<bean class="org.springframework.http.converter.StringHttpMessageConverter">
<property name="supportedMediaTypes" value="text/plain;charset=UTF-8"/>
</bean>
</list>
</property>
</bean>
</beans>
web.xml
<web-app version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:domain-config.xml /WEB-INF/spring-security.xml</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/rest-config.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/auth/*</url-pattern>
</servlet-mapping>
</web-app>
权限评估程序
public class AuthorizationEvaluatorController extends ModuleController implements PermissionEvaluator{
private boolean checkPermission(Long userId, String permissionId){
//get user details and check if access is there.
return false;
}
@Override
public boolean hasPermission(Authentication authentication, Object userId, Object permissionId) {
System.out.println("Checking the permission......");
return checkPermission((Long)userId, (String)permissionId);
}
@Override
public boolean hasPermission(Authentication authentication, Serializable serializable, String s, Object o) {
return false;
}
}
控制器
@Controller
public class RoleController {
@RequestMapping(value="/role/{roleId}", method = RequestMethod.GET)
@ResponseBody
**@PreAuthorize("hasPermission(#roleId,3)")**
public ResponseEntity<Object> getRoleFromId(@PathVariable("roleId") Long roleId) throws Exception {
return getRoleService(roleId);
}
}
最佳答案
终于,这个问题为我解决了。
我将<aop:config proxy-target-class="true" />行添加到我的配置文件中,现在正在调用评估程序。