
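I have a Java web application with Spring Security. I use the @PreAuthorize annotation, but it doesn't work.

I have a PermissionResolver class that implements the PermissionEvaluator interface, and an AccessClassService that uses the @PreAuthorize annotation.

When I set a breakpoint on the hasPermission method in the PermissionResolver class and run the application in debug mode, I see that the hasPermission method is not called.

Can anyone help me?

My securityContext.xml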

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security pre-post-annotations="enabled">
        <security:expression-handler ref="permissionHandler"/>
    </security:global-method-security>

    <bean id="permissionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <property name="permissionEvaluator" ref="eval"/>
    </bean>

    <bean id="eval" class="org.mydomain.myapp.infrastructure.security.PermissionResolver" />

    <security:http auto-config="true"  use-expressions="true" disable-url-rewriting="true">
        <security:intercept-url pattern="/favicon.ico" access="permitAll" />
        <security:intercept-url pattern="/resources/**" access="permitAll"/>
        <security:intercept-url pattern="/login" access="isAnonymous()"/>
        <security:intercept-url pattern="/registration/**" access="isAnonymous()"/>
        <security:intercept-url pattern="/restorePassword" access="isAnonymous()"/>
        <security:intercept-url pattern="/**" access="isAuthenticated()"/>

        <security:form-login login-page="/login" authentication-failure-url="/login?fail" default-target-url="/" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider user-service-ref="hibernateUserService" />
    </security:authentication-manager>

</beans>

My PermissionResolver.java

public class PermissionResolver implements PermissionEvaluator{

    @Autowired
    private AccessClassService service;

    @Override
    public boolean hasPermission(Authentication a, Object o, Object o1) {
        return false;
    }

    @Override
    public boolean hasPermission(Authentication a, Serializable targetId, String targetType, Object o) {        
        return false;
    }

}

And the service with the @PreAuthorize annotation (with test parameters)

@Service
public class AccessClassService {

    @Autowired
    private PersistableDAO dao;

    public AccessClass getInitialAccessClass(){
        return dao.getOneByAttr(AccessClass.class, "number", 0);
    }

    @Transactional
    @PreAuthorize("hasPermission('12','AccessClass')")
    public AccessClass get(Long id){
        return dao.get(AccessClass.class, id);
    }

    public Integer getAccessClassNumber(Long id){
        return (Integer)dao.getCriteria(AccessClass.class)
                .setProjection(Projections.property("number"))
                .add(Restrictions.eq("id", id)).uniqueResult();
    }

}

1 Answer


Problem solved. I can't use the service in PermissionResolver. If I don't use it, or use the dao, everything works fine.

Answered 2013-10-16T14:07:30.587
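
An added example (not part of the original question or answer) of the evaluator written the way the answer reports as working: it takes the page's PersistableDAO instead of AccessClassService and denies by default. The "read" permission name and the allow-any-logged-in-user policy are assumptions for illustration.

```java
// Added example, not the asker's code. PersistableDAO and AccessClass are the
// page's own types; the "read" permission and the policy below are assumptions.
import java.io.Serializable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
// plus imports for PersistableDAO and AccessClass from the application's packages

public class PermissionResolver implements PermissionEvaluator {

    // Depend on the DAO, not on AccessClassService: the service is the bean that
    // carries @PreAuthorize, and the answer reports that injecting it here failed.
    @Autowired
    private PersistableDAO dao;

    // Bound by two-argument expressions: hasPermission(target, permission).
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (!isUsable(auth) || !(target instanceof AccessClass)) {
            return false; // fail closed on anything unexpected
        }
        return allowed(auth, (AccessClass) target, permission);
    }

    // Bound by three-argument expressions: hasPermission(id, type, permission).
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (!isUsable(auth) || !"AccessClass".equals(targetType)
                || !(targetId instanceof Long)) {
            return false;
        }
        AccessClass target = dao.get(AccessClass.class, (Long) targetId);
        return target != null && allowed(auth, target, permission);
    }

    private boolean isUsable(Authentication auth) {
        return auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }

    // Hypothetical policy: only "read" exists and any logged-in user may read.
    // Replace with the application's real rule for auth and target.
    private boolean allowed(Authentication auth, AccessClass target, Object permission) {
        return "read".equals(permission);
    }
}
```

With this evaluator, the page's two-argument `hasPermission('12','AccessClass')` binds to the first method with the string '12' as the target object and is denied. An id-based check on `get(Long id)` would be written `@PreAuthorize("hasPermission(#id, 'AccessClass', 'read')")`.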