【Question title】: Spring Security, annotation @Secured is not working
【Posted】: 2021-09-27 19:28:03
【Question description】:

I am using Spring MVC.

The @Secured annotation is not working.

I have tried many options, but nothing seems to work. Tell me, what am I doing wrong?

I looked at this page - Spring Security, Method Security annotation (@Secured ) is not working (java config) - but it did not help me.

. . .

Here is my code on GitHub: https://github.com/MyTestPerson/securede

Personal.class

    @Controller
    public class Personal {


        @GetMapping(value = "/personal")
        public ModelAndView personalGet () {

            ModelAndView modelAndView = new ModelAndView("/personal");

            modelAndView.addObject("msg", myMsg());

            return modelAndView;

        }



        @Secured(value = {"ROLE_ADMIN"})
        private String myMsg() {

            return "Hello USER!!!";

        }

    }

SecurityConfig.class

    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {


        @Autowired
        UserDetailsService userDetailsService;


        @Autowired
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
        }


        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http

                    .authorizeRequests()
                    .mvcMatchers("/").permitAll()
                    .mvcMatchers("/personal/**").hasAnyRole("ADMIN","USER")
                    .mvcMatchers("/login").anonymous()
                    .anyRequest()
                    .authenticated()

                    .and()
                    .formLogin()

                    .and()
                    .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/")
                    .deleteCookies("JSESSIONID")
                    .invalidateHttpSession(true);


        }


    }

RootConfig.class

    @EnableWebMvc
    @Configuration
    @ComponentScan("com.securede.security")
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
    public class RootConfig implements WebMvcConfigurer {

        @Bean
        public PasswordEncoder encoder() {
            return new BCryptPasswordEncoder();
        }
    }

UserDetail.class

    @Service
    public class UserDetail implements UserDetailsService {

        @Autowired
        PasswordEncoder passwordEncoder;


        @Override
        public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {

            return new org.springframework.security.core.userdetails.User(
                    "user",
                    passwordEncoder.encode("user"),
                    true,
                    true,
                    true,
                    true,
                    getAuthorities());
        }

        private Collection<? extends GrantedAuthority> getAuthorities(){

            List<SimpleGrantedAuthority> authList = new ArrayList<>();
            authList.add(new SimpleGrantedAuthority("ROLE_USER"));

            return authList;

        }

    }        

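【Question discussion】:

    Tags: java spring spring-mvc spring-security


    【Solution 1】:

    When you call the secured method

    modelAndView.addObject("msg", myMsg());
    

    you are actually calling a local method (as if you were calling this.myMsg()), completely bypassing Spring Security's annotation processing.

    You can achieve your goal if you move the myMsg() method to the service layer (i.e. into UserDetailsService), inject it into your controller, and then call the method: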

    
    @Controller
    public class Personal {
    
    
        @Autowired
        UserDetailsService userDetailsService;
    
        @GetMapping(value = "/personal")
        public ModelAndView personalGet () {
    
            ModelAndView modelAndView = new ModelAndView("/personal");
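            // myMsg() has to be declared on the injected service type;
            // Spring Security's UserDetailsService interface does not define it.
            modelAndView.addObject("msg", userDetailsService.myMsg());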
            return modelAndView;
    
        }
    
    }
    
    

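    【Discussion】:

    【Solution 2】:

    To achieve what you want, you can also use the @PreAuthorize annotation at the controller method level. Example:

    @PreAuthorize("hasRole('ROLE_ADMIN')") 
    @GetMapping(value = "/personal")
    public ModelAndView personalGet () {..}
    

    Spring cannot apply annotation-based logic on private methods.

    【Discussion】: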
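The self-invocation bypass described in Solution 1, as an added example that is not part of the original thread or of Spring's code: a simplified plain-JDK model of proxy-based method security, in which the role check lives in a wrapper around the bean, so a call the bean makes on itself is never checked. `RequiresRole`, `MessageService`, `MessageServiceImpl` and `secure` are hypothetical names standing in for `@Secured`, a service bean and the framework's proxy.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class SelfInvocationDemo {
    // Hypothetical stand-in for @Secured; not the Spring annotation.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    interface MessageService {
        String page();    // calls secret() internally
        String secret();
    }

    static class MessageServiceImpl implements MessageService {
        // secret() here is this.secret(): it runs on the raw object, not the proxy.
        public String page() { return "page: " + secret(); }

        @RequiresRole("ROLE_ADMIN")
        public String secret() { return "admin-only text"; }
    }

    // Wraps the target the way a proxy-based interceptor does:
    // the role check runs only for calls that enter through the proxy.
    static MessageService secure(MessageService target, Set<String> callerRoles) {
        InvocationHandler handler = (proxy, method, args) -> {
            Method impl = target.getClass()
                    .getMethod(method.getName(), method.getParameterTypes());
            RequiresRole required = impl.getAnnotation(RequiresRole.class);
            if (required != null && !callerRoles.contains(required.value()))
                throw new SecurityException("Access denied: " + method.getName());
            try { return impl.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (MessageService) Proxy.newProxyInstance(
                MessageService.class.getClassLoader(),
                new Class<?>[] { MessageService.class }, handler);
    }

    public static void main(String[] args) {
        // Constructed caller that holds only ROLE_USER, as in the question.
        MessageService svc = secure(new MessageServiceImpl(), Set.of("ROLE_USER"));
        System.out.println(svc.page());   // internal call to secret() is not intercepted
        try { svc.secret(); }             // same method through the proxy: check runs
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

A practical check when reviewing method-security annotations: confirm that every annotated method is public, lives on a container-managed bean, and is reached from another bean rather than from inside its own class.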
