This article explains how to check method-level security in Spring Security; it may serve as a useful reference for anyone facing the same problem.

Problem description


I have implemented Spring Security in a controller method.

Below is my spring-security.xml


    

<!-- URL pattern based security -->
<security:http auto-config="false" entry-point-ref="authenticationEntryPoint"
    use-expressions="true">
    <!-- same "security" namespace prefix as the other elements, so the element validates -->
    <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
    <!-- both roles may reach /common/admin/**; the finer admin-only restriction is meant to live on the controller methods -->
    <security:intercept-url access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" pattern="/common/admin/**" />
    <security:intercept-url pattern="/common/accounting/**" access="hasRole('ROLE_USER')" />
    <security:logout logout-url="/j_spring_security_logout" invalidate-session="true" logout-success-url="/login"/>

</security:http>

Below is my controller

@Secured({"ROLE_ADMIN"})
@RequestMapping(value = "/common/admin/addAdmin", method = RequestMethod.GET)
public String add(ModelMap map) {
    map.addAttribute(new Administrator());
    return "/common/admin/addAdmin";
}

@Secured({"ROLE_ADMIN"})
@RequestMapping(value = "/common/admin/addAdmin", method = RequestMethod.POST)
public String processadd(
        @ModelAttribute("administrator") Administrator administrator) {
    this.administratorManager.addAdmin(administrator);
    return "/common/admin/success";
}

I allow the URL /common/admin/** for both the admin and user roles. But I do some restriction in the admin controller. When a user goes to /common/admin/* with the user role, he can, but he can also go to a method that is only for the admin role.

How do I fix this?

Thanks!

Accepted answer

You have already added the @Secured annotation.

But you need to enable it:

<!-- secured-annotations = (@Secured("ROLE_ADMIN")) -->
<!-- jsr250-annotations = (@RunAs @RolesAllowed @PermitAll @DenyAll @DeclareRoles) -->
<!-- pre-post-annotations = @PreAuthorize("hasAuthority('ROLE_ADMIN')") -->
<!-- uses the same "security" prefix as the <security:http> element in the question -->
<security:global-method-security
    secured-annotations="enabled"
    jsr250-annotations="disabled"
    pre-post-annotations="disabled">
</security:global-method-security>

@Secured can take a single role or several roles.

  • @Secured("ROLE_USER")
  • @Secured({"ROLE_USER", "ROLE_ADMIN"}) // grants access if the user has one of these roles
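As an added example (not code from the question or the answer), here is the same enabling step in Spring's Java configuration, together with a small stand-alone check that the security proxy really rejects a ROLE_USER principal on a @Secured({"ROLE_ADMIN"}) method and admits a ROLE_ADMIN principal. It assumes Spring Security 3.2 or later with Java config support (spring-security-config and spring-context on the classpath, Java 8+); the package name, the AdminService stand-in for the question's controller and the pass-through AuthenticationManager bean are assumptions made for this example. Newer Spring Security versions offer @EnableMethodSecurity as the replacement for @EnableGlobalMethodSecurity.

```java
package example; // hypothetical package for this added example

import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class MethodSecurityCheck {

    /**
     * Java-config equivalent of the answer's
     * <global-method-security secured-annotations="enabled"/>.
     * Without this (or the XML element) @Secured is silently ignored.
     */
    @Configuration
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public static class MethodSecurityConfig {

        @Bean
        public AdminService adminService() {
            return new AdminService();
        }

        // The method interceptor needs an AuthenticationManager bean. This check
        // only ever uses already-authenticated tokens, so a pass-through manager
        // is enough here (assumption for the example; a real app wires a real one).
        @Bean
        public AuthenticationManager authenticationManager() {
            return authentication -> authentication;
        }
    }

    /** Stand-in for the question's controller: only the admin-only method matters here. */
    public static class AdminService {
        @Secured({"ROLE_ADMIN"})
        public String addAdmin() {
            return "/common/admin/addAdmin";
        }
    }

    /** Puts an already-authenticated principal with the given roles into the security context. */
    static void loginAs(String... roles) {
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("tester", "n/a",
                        AuthorityUtils.createAuthorityList(roles)));
    }

    /** Returns true when the secured method rejected the current principal. */
    static boolean isDenied(AdminService service) {
        try {
            service.addAdmin();
            return false;
        } catch (AccessDeniedException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        AnnotationConfigApplicationContext ctx =
                new AnnotationConfigApplicationContext(MethodSecurityConfig.class);
        try {
            // The bean from the context is the security proxy; calling
            // "new AdminService()" directly would bypass @Secured entirely.
            AdminService service = ctx.getBean(AdminService.class);

            loginAs("ROLE_USER");
            System.out.println("ROLE_USER denied?  " + isDenied(service));

            loginAs("ROLE_ADMIN");
            System.out.println("ROLE_ADMIN denied? " + isDenied(service));
        } finally {
            SecurityContextHolder.clearContext();
            ctx.close();
        }
    }
}
```

The check is designed so that the ROLE_USER call ends in AccessDeniedException while the ROLE_ADMIN call returns normally. If you remove the @EnableGlobalMethodSecurity line, the same two calls both succeed, which is exactly the symptom described in the question: the URL rule admits both roles and the @Secured annotation does nothing until method security is switched on. Note also that the bean must come from the Spring context, because the annotation is enforced by the AOP proxy, not by the method itself.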

BTW: from the Spring Security 3 book (http://www.springsecuritybook.com/):

The @Secured annotation is functionally and syntactically the same as @RolesAllowed ... As @Secured functions the same as the JSR standard @RolesAllowed, there is not really a compelling reason to use it (@Secured in new code) ...

(do not forget to enable it: jsr250-annotations="enabled")


09-08 00:01