2

我在 Spring Security 中使用角色层次结构我spring-securityConfig.xml

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans 
              http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
              http://www.springframework.org/schema/security 
              http://www.springframework.org/schema/security/spring-security-3.1.xsd">

     <bean id="roleHierarchy"  class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <property name="hierarchy">
            <value>
                ROLE_ADMIN > ROLE_WORKFLOW
                ROLE_ADMIN > ROLE_ISBN_INSERTION
                ROLE_ADMIN > ROLE_PERMISSION_UPDATE
                ROLE_ADMIN > ROLE_ASSIGNMENT
                ROLE_ADMIN > ROLE_CALIBRATION
            </value>
        </property>
    </bean>

    <bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
        <property name="roleHierarchy" ref="roleHierarchy" />
    </bean>

    <bean id="webExpressionHandler" class="org.springframework.security.web.access.expression.WebExpressionVoter">
        <property name="expressionHandler">
            <ref bean="expressionHandler" />
        </property>
    </bean>

    <bean id="roleVoter"
          class="org.springframework.security.access.vote.RoleHierarchyVoter">
        <constructor-arg>
            <ref bean ="roleHierarchy"/>
        </constructor-arg>
    </bean> 

    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg>
            <list>
                <ref bean="roleVoter" />
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
                <ref bean="webExpressionHandler"/>  
            </list>
        </constructor-arg>
    </bean>

     <bean id="authenticationEntryPoint"
          class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/login.htm" />
    </bean>





    <security:http entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true" access-decision-manager-ref="accessDecisionManager">

        <security:session-management>
            <security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/>
        </security:session-management>

        <security:custom-filter position="FORM_LOGIN_FILTER"
                                ref="cdlAuthenticationProcessingFilter" />


        <security:intercept-url pattern="/displayGroupRoleEditView.htm" access="ROLE_PERMISSION_UPDATE" />

        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

        <security:access-denied-handler ref="accessDeniedHandler" />

    </security:http>


    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="cdlLdapAuthenticationProvider"/> 
        <security:authentication-provider user-service-ref="cdlUserDetailService"/>
    </security:authentication-manager>


    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="cdlLdapAuthenticationProvider"/> 
        <security:authentication-provider user-service-ref="cdlUserDetailService"/>
    </security:authentication-manager>

    <bean name="commonPropertyBean" class="com.qait.cdl.commons.domain.CommonPropertyBean"
          abstract="true">
        <property name="userDao" ref="userDao"/>
    </bean> 

    <bean name="commonAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.AuthoritiesPopulator" parent ="commonPropertyBean"  />

    <bean id="cdlLdapAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <constructor-arg ref="customLdapBindAuthenticator"/>
        <constructor-arg ref="cdlAuthoritiesPopulator"/>
    </bean>

    <bean id="customLdapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <constructor-arg ref="cdlLdapContextSource" />
        <property name="userDnPatterns">
            <list>
                <value>${ldap.userDnPatterns}</value>
            </list>
        </property>
    </bean>

    <bean id="cdlLdapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="${ldap.url}"/>
    </bean>

    <bean id="cdlAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.CdlUserAuthoritiesPopulator" parent="commonAuthoritiesPopulator"/>

    <bean id="cdlUserDetailService" class="com.qait.cdl.authentication.service.impl.UserDetailsServiceImpl" parent="commonAuthoritiesPopulator"/>

    <bean id="cdlAuthenticationProcessingFilter" class="com.qait.cdl.authentication.customfilter.CustomAuthenticationProcessingFilter" parent="commonPropertyBean">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="notificationService" ref="notificationService"/>
        <property name="userGroupDao" ref="userGroupDao"/>
    </bean>

    <bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
       <property name="errorPage" value="/cdlAccessDenied.htm" />
    </bean>

    <security:global-method-security secured-annotations="enabled"  pre-post-annotations="enabled" />
   <bean name="/cdlAccessDenied.htm" class="com.qait.cdl.authentication.web.CDLAccessDeniedHandler"/>
</beans>              

在我使用的服务方法中,@Secured({ "ROLE_PERMISSION_UPDATE"})如果具有角色 ROLE_ADMIN 的用户正在登录应用程序并尝试访问此安全方法,那么它会引发 Access denied 异常。

4

2 回答 2

2

我找到了解决方案

<security:global-method-security secured-annotations="enabled"  
                                             pre-post-annotations="enabled">
          <security:expression-handler ref="defaultMethodSecurityExpressionHandler"/>
</security:global-method-security>

将其添加到dispatcher-servlet.xml. 春季安全应该有不同的背景

添加

<context-param>
     <param-name>contextConfigLocation</param-name>
     <param-value>
         WEB-INF/applicationContext.xml
         WEB-INF/dispatcher-servlet.xml
     </param-value>
</context-param>

到您的 web.xml 并导入,这样做spring-security.xmlapplicationContext.xml唯一目的是为 spring 安全性提供单独的上下文。

要应用基于方法的安全性来处理角色层次结构,请使用@PreAuthorize("SpEL")代替@Secured({})

于 2013-10-23T10:38:31.340 回答
1

您只为 DefaultWebSecurityExpressionHandler 启用了 roleHierarchy,它将适用于您的 http 请求,但不适用于 @Secured 注释。也将其添加到 DefaultMethodSecurityExpressionHandler

<global-method-security ...>
    <expression-handler ref = "methodSecurityExpressionHandler" />
</global-method-security>

<beans:bean id = "methodSecurityExpressionHandler" 
    class = "org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name = "roleHierarchy" ref="roleHierarchy"/>
</beans:bean>
于 2013-10-23T09:47:49.223 回答