我在 Spring Security 中使用角色层次结构我spring-securityConfig.xml
是
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
<value>
ROLE_ADMIN > ROLE_WORKFLOW
ROLE_ADMIN > ROLE_ISBN_INSERTION
ROLE_ADMIN > ROLE_PERMISSION_UPDATE
ROLE_ADMIN > ROLE_ASSIGNMENT
ROLE_ADMIN > ROLE_CALIBRATION
</value>
</property>
</bean>
<bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
<property name="roleHierarchy" ref="roleHierarchy" />
</bean>
<bean id="webExpressionHandler" class="org.springframework.security.web.access.expression.WebExpressionVoter">
<property name="expressionHandler">
<ref bean="expressionHandler" />
</property>
</bean>
<bean id="roleVoter"
class="org.springframework.security.access.vote.RoleHierarchyVoter">
<constructor-arg>
<ref bean ="roleHierarchy"/>
</constructor-arg>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<constructor-arg>
<list>
<ref bean="roleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
<ref bean="webExpressionHandler"/>
</list>
</constructor-arg>
</bean>
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/login.htm" />
</bean>
<security:http entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true" access-decision-manager-ref="accessDecisionManager">
<security:session-management>
<security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/>
</security:session-management>
<security:custom-filter position="FORM_LOGIN_FILTER"
ref="cdlAuthenticationProcessingFilter" />
<security:intercept-url pattern="/displayGroupRoleEditView.htm" access="ROLE_PERMISSION_UPDATE" />
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:access-denied-handler ref="accessDeniedHandler" />
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="cdlLdapAuthenticationProvider"/>
<security:authentication-provider user-service-ref="cdlUserDetailService"/>
</security:authentication-manager>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="cdlLdapAuthenticationProvider"/>
<security:authentication-provider user-service-ref="cdlUserDetailService"/>
</security:authentication-manager>
<bean name="commonPropertyBean" class="com.qait.cdl.commons.domain.CommonPropertyBean"
abstract="true">
<property name="userDao" ref="userDao"/>
</bean>
<bean name="commonAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.AuthoritiesPopulator" parent ="commonPropertyBean" />
<bean id="cdlLdapAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg ref="customLdapBindAuthenticator"/>
<constructor-arg ref="cdlAuthoritiesPopulator"/>
</bean>
<bean id="customLdapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="cdlLdapContextSource" />
<property name="userDnPatterns">
<list>
<value>${ldap.userDnPatterns}</value>
</list>
</property>
</bean>
<bean id="cdlLdapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="${ldap.url}"/>
</bean>
<bean id="cdlAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.CdlUserAuthoritiesPopulator" parent="commonAuthoritiesPopulator"/>
<bean id="cdlUserDetailService" class="com.qait.cdl.authentication.service.impl.UserDetailsServiceImpl" parent="commonAuthoritiesPopulator"/>
<bean id="cdlAuthenticationProcessingFilter" class="com.qait.cdl.authentication.customfilter.CustomAuthenticationProcessingFilter" parent="commonPropertyBean">
<property name="authenticationManager" ref="authenticationManager" />
<property name="notificationService" ref="notificationService"/>
<property name="userGroupDao" ref="userGroupDao"/>
</bean>
<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<property name="errorPage" value="/cdlAccessDenied.htm" />
</bean>
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
<bean name="/cdlAccessDenied.htm" class="com.qait.cdl.authentication.web.CDLAccessDeniedHandler"/>
</beans>
在我使用的服务方法中,@Secured({ "ROLE_PERMISSION_UPDATE"})
如果具有角色 ROLE_ADMIN 的用户正在登录应用程序并尝试访问此安全方法,那么它会引发 Access denied 异常。