
I have a custom authentication provider that's returning a concrete implementation of `AbstractAuthenticationToken` with `ROLE_ADMIN` only. I have a method annotated with `@PreAuthorize("hasRole('ROLE_USER')")`. I'm trying to set up a role hierarchy to give my admin user access to this method.

I have the following in my spring-security.xml:

<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <beans:value>
            ROLE_ADMIN > ROLE_USER
        </beans:value>
    </beans:property>
</beans:bean>

<beans:bean id="methodExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy" />
</beans:bean>

<sec:global-method-security pre-post-annotations="enabled">
    <sec:expression-handler ref="methodExpressionHandler" />
</sec:global-method-security>

The request to the protected method gets denied, although it works if I change the annotation to @PreAuthorize("hasRole('ROLE_ADMIN')").

I put a breakpoint on the AccessDeniedException, which was being thrown from AffirmativeBased.decide(...). The issue appears to be that the PreInvocationAuthorizationAdviceVoter's expressionHandler is null. That suggests to me that there's something wrong in my wiring up of my roleHierarchy or methodExpressionHandler.

Is there anything obviously wrong with my spring-security.xml? Is there something I'm misunderstanding about how this stuff should be working?

2 Answers


Oh, silly me... my question didn't have enough context to answer this, but I've solved it.

Both my spring-security.xml and my dispatcher-servlet.xml had a <global-method-security>. I was only making changes in spring-security.xml.

The giveaway was when I put a breakpoint on the constructor of DefaultMethodSecurityExpressionHandler. It was called twice. One instance got a setRoleHierarchy call, the other didn't.

The solution was:

  1. Move the common role hierarchy definition into a separate file so it can be imported by both spring-security.xml and dispatcher-servlet.xml.
  2. Move the methodExpressionHandler bean and the <global-method-security> element from spring-security.xml to dispatcher-servlet.xml.

answered 2013-07-10T02:59:43.443
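To see why the second, un-wired handler denies the admin, here is an added example (not from the question or either answer) that evaluates the same hasRole('ROLE_USER') expression twice against a ROLE_ADMIN-only token, once through a handler with setRoleHierarchy called and once without. It assumes Spring Security 3.x on the classpath and uses the SimpleMethodInvocation helper from spring-security-core only to obtain an evaluation context.

```java
import java.lang.reflect.Method;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.util.SimpleMethodInvocation;

public class RoleHierarchyCheck {

    // Evaluates a @PreAuthorize-style expression for the given token through a handler that
    // either has the role hierarchy wired in (the bean in spring-security.xml) or does not
    // (the duplicate created by the second <global-method-security>). Names are assumed.
    static boolean evaluate(String expression, Authentication auth, RoleHierarchyImpl hierarchyOrNull)
            throws Exception {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        if (hierarchyOrNull != null) {
            handler.setRoleHierarchy(hierarchyOrNull);
        }
        // Any MethodInvocation will do: we only need a context, not the real target method.
        Method m = Object.class.getMethod("toString");
        MethodInvocation mi = new SimpleMethodInvocation(new Object(), m);
        EvaluationContext ctx = handler.createEvaluationContext(auth, mi);
        Expression expr = handler.getExpressionParser().parseExpression(expression);
        return ExpressionUtils.evaluateAsBoolean(expr, ctx);
    }

    public static void main(String[] args) throws Exception {
        // Constructed token: the principal holds ROLE_ADMIN only, as in the question.
        Authentication admin = new UsernamePasswordAuthenticationToken(
                "admin", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));

        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");

        // Shows what the hierarchy expands ROLE_ADMIN into: [ROLE_ADMIN, ROLE_USER]
        System.out.println("reachable: " + hierarchy.getReachableGrantedAuthorities(admin.getAuthorities()));
        // With the hierarchy, ROLE_ADMIN implies ROLE_USER, so the check passes.
        System.out.println("with hierarchy:    " + evaluate("hasRole('ROLE_USER')", admin, hierarchy));
        // Without it, only the literal ROLE_ADMIN authority counts, reproducing the observed denial.
        System.out.println("without hierarchy: " + evaluate("hasRole('ROLE_USER')", admin, null));
    }
}
```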
Try injecting roleHierarchy into roleVoter. Example from the official docs:

<bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <constructor-arg ref="roleHierarchy" />
</bean>
<bean id="roleHierarchy"
        class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <property name="hierarchy">
        <value>
            ROLE_ADMIN > ROLE_STAFF
            ROLE_STAFF > ROLE_USER
            ROLE_USER > ROLE_GUEST
        </value>
    </property>
</bean>
answered 2013-07-09T10:34:40.030