【发布时间】:2014-08-03 16:07:01
【问题描述】:
我正在尝试使用 Spring Security (3.2.4) 来授权对控制器方法的访问。我正在使用 Spring JavaConfig 来配置我的应用程序。应用程序成功启动,不幸的是@PreAuthoize 表达式永远不会被执行。
这是我配置应用程序的方式:
public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[] {WebSecurityConfig.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[] {WebAppConfig.class};
}
@Override
protected String[] getServletMappings() {
return new String[] {"/"};
}
}
public class WebAppSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}
@Configuration
@EnableWebMvc
@Import({ CoreAppConfig.class })
@ComponentScan(basePackageClasses = ControllerScanningMarker.class)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebAppConfig extends WebMvcConfigurerAdapter {
}
目前,我实际上并没有对任何用户进行身份验证,所以我希望每个人都可以访问 @PreAuthorize 注释控制器方法,但这并没有发生。显然,最终目标也是对用户进行实际身份验证。
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void registerGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
}
}
@Controller
@RequestMapping(produces = APPLICATION_JSON_VALUE)
public class RegistrationController {
@Autowired
private RegistrationService registrationService;
@PreAuthorize("hasRole('ROLE_USER')")
@RequestMapping(value = "/orders/{orderId}/registrations", method = POST, consumes = APPLICATION_JSON_VALUE)
@ResponseBody
public RegistrationResponse registerVerification(@PathVariable String orderId, @RequestBody @Valid Registration registration) {
RegistrationResult result = registrationService.registerVerification(registration);
return new RegistrationResponse(result);
}
}
如果有人以前见过这样的东西,我将不胜感激。
谢谢。
2014 年 11 月 7 日更新
我已经重新审视了这个问题并解决了找不到身份验证管理器的问题,但我仍然无法让 @PreAuthorize 注释工作(请参阅上面的所有更改)。
我在日志中收到以下警告:
00:04:06.090 [localhost-startStop-1] INFO org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@5c694679' of type [class org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
00:04:06.154 [localhost-startStop-1] INFO org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Bean 'enableGlobalAuthenticationAutowiredConfigurer' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$EnableGlobalAuthenticationAutowiredConfigurer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
00:04:06.161 [localhost-startStop-1] INFO org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Bean 'org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$$EnhancerByCGLIB$$47d25495] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
00:04:06.188 [localhost-startStop-1] INFO org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Bean 'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration' of type [class org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration$$EnhancerByCGLIB$$6313a932] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
00:04:06.223 [localhost-startStop-1] INFO org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Bean 'methodSecurityMetadataSource' of type [class org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
00:04:06.229 [localhost-startStop-1] INFO org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Bean 'metaDataSourceAdvisor' of type [class org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
【问题讨论】:
-
您还没有配置 Spring Security,所以没有检查任何内容。添加另一个
WebApplicationInitializer来设置 Spring Security 的过滤器链。见docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/…。 -
我已根据您的评论和 spring 文档进行了更改(如上),但我仍然没有触发 @PreAuthorise 表达式。
-
您的
@EnableGlobalMethodSecurity必须放在您的WebAppConfig上。它将注册一些 AOP 内容,并且只会在配置它的同一上下文中应用。当在根上下文中加载时,它不会为 servlet 上下文做任何事情。 -
我尝试将 EnableGlobalMethodSecurity 添加到 WebAppConfig,但随后它抱怨无法找到身份验证管理器。从 WebSecurityConfig 复制 registerGlobal 方法后,应用程序成功启动,但仍未评估 PreAuthorize 表达式。我也尝试过,将安全配置添加到 servlet 上下文和其他一些愚蠢的事情,但没有任何效果。我想知道在控制器方法上添加 PreAuthorize 是否不是正确的方法。到目前为止,我看到的所有示例都只针对服务方法。
-
@PreAuthorize注释放在哪里并不重要,尽管将它们放在控制器上可能会更难,因为代理可能会破坏对其他注释的检测。您无法找到身份验证管理器的错误让我想知道您是否已正确配置。确保所有内容都正确加载。
标签: spring security controller