spring - Spring Security-acl。用户未获得权限

Question

好像没事。授权有效，用户获得角色。我保护了使用注释的方法（例如 @PreAuthorize("hasPermission(#post, 'READ')") ），它有效并且我被拒绝访问。我创建了一个数据库，他在其中描述了用户对对象的权利。我创建了一个数据库，其中包含用户对对象的权限。

我的问题是，在用户授权后，它没有获得权限，即使用户有权反对，他也被拒绝访问。另外，我注意到在用户登录服务器的日志文件后应该得到一个字符串，该字符串将写入他获得的权限，但我没有这样的行。

我的文件片段：

web.xml

...
<filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
</filter-mapping>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-security.xml
        /WEB-INF/acl-context.xml
        /WEB-INF/mvc-dispatcher-servlet.xml 
    </param-value>
</context-param>...

mvc-调度程序-servlet.xml

    ...
<security:global-method-security pre-post-annotations="enabled">
    <security:expression-handler ref="expressionHandler" />
</security:global-method-security>

<context:annotation-config />

<tx:annotation-driven />
<tx:jta-transaction-manager />

<context:component-scan base-package="com.bla-bla.bla.controllers" />

<mvc:annotation-driven />
...

弹簧安全.xml

    ...
<security:http auto-config="true" use-expressions="true"
    access-denied-page="/auth/denied.html">
    <security:intercept-url pattern="/auth/login.html" access="permitAll" />
    <security:form-login login-page="/auth/login.html"
        authentication-failure-url="/auth/login.html?error=true"
        default-target-url="/index.html" />
    <security:logout invalidate-session="true"
        logout-success-url="/auth/login.html" logout-url="/auth/logout.html" />
</security:http>

<security:authentication-manager>
    <security:authentication-provider
        user-service-ref="userService">
        <security:password-encoder ref="pswEncoder" />
    </security:authentication-provider>
</security:authentication-manager>

<bean id="userService"
    class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <property name="dataSource" ref="jndiJboss" />
    <property name="usersByUsernameQuery"
        value="SELECT login, pass, enabled FROM accounts WHERE login=?" />
    <property name="authoritiesByUsernameQuery"
        value="SELECT login, authority FROM accounts WHERE login=?" />
</bean>

<bean
    class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
    id="pswEncoder" />
...

acl-context.xml

    ...
<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"
    p:permissionEvaluator-ref="permissionEvaluator"
    p:roleHierarchy-ref="roleHierarchy" />

<bean class="org.springframework.security.acls.AclPermissionEvaluator" id="permissionEvaluator">
    <constructor-arg ref="aclService"/>
</bean>

<bean class="org.springframework.security.acls.jdbc.JdbcMutableAclService" id="aclService">
    <constructor-arg ref="jndiJboss"/>
    <constructor-arg ref="lookupStrategy"/>
    <constructor-arg ref="aclCache"/>
</bean>

<bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
    <constructor-arg ref="jndiJboss"/>
    <constructor-arg ref="aclCache"/>
    <constructor-arg ref="aclAuthorizationStrategy"/>
    <constructor-arg ref="auditLogger"/>
</bean>

 <bean id="jndiJboss" class="org.springframework.jndi.JndiObjectFactoryBean">
    <property name="jndiName" value="java:/JBossDB"/>
</bean>

<bean id="aclCache" class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
    <constructor-arg>
        <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
            <property name="cacheManager">
                <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
            </property>
            <property name="cacheName" value="aclCache"/>
        </bean>
    </constructor-arg>
</bean>

<bean id="aclAuthorizationStrategy" class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                <constructor-arg value="ROLE_ADMIN"/>
            </bean>
            <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                <constructor-arg value="ROLE_ADMIN"/>
            </bean>
            <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                <constructor-arg value="ROLE_ADMIN"/>
            </bean>
        </list>
    </constructor-arg>
</bean>

<bean id="auditLogger" class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>


<bean id="roleHierarchy"  class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <property name="hierarchy">
        <value>
            ROLE_ADMIN > ROLE_USER
        </value>
    </property>
</bean>
...

控制器的受保护方法示例

@Override
@RequestMapping(value = "/post/delete.html", method = RequestMethod.GET)
@Transactional
@PreAuthorize("hasPermission(#post, 'READ')")
public String delete(final Post post) {
    //some actions
    return "post/view";
}

可能是什么问题？

升级版。我的问题是错误填写 acl_object_identity

Answer 1

发布使用 ACL（安全方法调用）的代码，并在 Spring 配置文件中突出显示这些类。另外，为什么要将<security:global-method-security />元素放在 MVC 配置文件中？