Spring 安全性,注解@Secured 无效
Spring Security, annotation @Secured is not working
我正在使用 Spring MVC。
@Secured 注释不起作用。
我尝试了很多选项,但似乎没有任何效果。告诉我,我做错了什么?
我正在查看此页面 - 它对我没有帮助。
。
.
.
这是我的 github 代码。
https://github.com/MyTestPerson/securede
Personal.class
@Controller
public class Personal {
@GetMapping(value = "/personal")
public ModelAndView personalGet () {
ModelAndView modelAndView = new ModelAndView("/personal");
modelAndView.addObject("msg", myMsg());
return modelAndView;
}
@Secured(value = {"ROLE_ADMIN"})
private String myMsg() {
return "Hello USER!!!";
}
}
SecurityConfig.class
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsService userDetailsService;
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.mvcMatchers("/").permitAll()
.mvcMatchers("/personal/**").hasAnyRole("ADMIN","USER")
.mvcMatchers("/login").anonymous()
.anyRequest()
.authenticated()
.and()
.formLogin()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.deleteCookies("JSESSIONID")
.invalidateHttpSession(true);
}
}
RootConfig.class
@EnableWebMvc
@Configuration
@ComponentScan("com.securede.security")
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class RootConfig implements WebMvcConfigurer {
@Bean
public PasswordEncoder encoder() {
return new BCryptPasswordEncoder();
}
}
UserDetail.class
@Service
public class UserDetail implements UserDetailsService {
@Autowired
PasswordEncoder passwordEncoder;
@Override
public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
return new org.springframework.security.core.userdetails.User(
"user",
passwordEncoder.encode("user"),
true,
true,
true,
true,
getAuthorities());
}
private Collection<? extends GrantedAuthority> getAuthorities(){
List<SimpleGrantedAuthority> authList = new ArrayList<>();
authList.add(new SimpleGrantedAuthority("ROLE_USER"));
return authList;
}
}
当您在
调用 secured 方法时
modelAndView.addObject("msg", myMsg());
你实际上是在调用本地方法(就好像你在调用this.myMsg()),完全绕过了Spring安全性的注解处理。
如果将myMsg()方法移动到服务层(即在UserDetailsService中),将其注入到您的控制器中,然后调用方法,就可以实现您的目标:
@Controller
public class Personal {
@Autowired
UserDetailsService userDetailsService;
@GetMapping(value = "/personal")
public ModelAndView personalGet () {
ModelAndView modelAndView = new ModelAndView("/personal");
modelAndView.addObject("msg", userDetailsService.myMsg());
return modelAndView;
}
}
要实现您想要的效果,您还可以在控制器方法级别使用 @PreAuthorization 注释。
示例:
@PreAuthorization("hasRole('ROLE_ADMIN')")
@GetMapping(value = "/personal")
public ModelAndView personalGet () {..}
Spring 无法在私有方法上应用基于注释的逻辑。
我正在使用 Spring MVC。
@Secured 注释不起作用。
我尝试了很多选项,但似乎没有任何效果。告诉我,我做错了什么?
我正在查看此页面 -
。 . .
这是我的 github 代码。 https://github.com/MyTestPerson/securede
Personal.class
@Controller
public class Personal {
@GetMapping(value = "/personal")
public ModelAndView personalGet () {
ModelAndView modelAndView = new ModelAndView("/personal");
modelAndView.addObject("msg", myMsg());
return modelAndView;
}
@Secured(value = {"ROLE_ADMIN"})
private String myMsg() {
return "Hello USER!!!";
}
}
SecurityConfig.class
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsService userDetailsService;
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.mvcMatchers("/").permitAll()
.mvcMatchers("/personal/**").hasAnyRole("ADMIN","USER")
.mvcMatchers("/login").anonymous()
.anyRequest()
.authenticated()
.and()
.formLogin()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.deleteCookies("JSESSIONID")
.invalidateHttpSession(true);
}
}
RootConfig.class
@EnableWebMvc
@Configuration
@ComponentScan("com.securede.security")
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class RootConfig implements WebMvcConfigurer {
@Bean
public PasswordEncoder encoder() {
return new BCryptPasswordEncoder();
}
}
UserDetail.class
@Service
public class UserDetail implements UserDetailsService {
@Autowired
PasswordEncoder passwordEncoder;
@Override
public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
return new org.springframework.security.core.userdetails.User(
"user",
passwordEncoder.encode("user"),
true,
true,
true,
true,
getAuthorities());
}
private Collection<? extends GrantedAuthority> getAuthorities(){
List<SimpleGrantedAuthority> authList = new ArrayList<>();
authList.add(new SimpleGrantedAuthority("ROLE_USER"));
return authList;
}
}
当您在
调用 secured 方法时modelAndView.addObject("msg", myMsg());
你实际上是在调用本地方法(就好像你在调用this.myMsg()),完全绕过了Spring安全性的注解处理。
如果将myMsg()方法移动到服务层(即在UserDetailsService中),将其注入到您的控制器中,然后调用方法,就可以实现您的目标:
@Controller
public class Personal {
@Autowired
UserDetailsService userDetailsService;
@GetMapping(value = "/personal")
public ModelAndView personalGet () {
ModelAndView modelAndView = new ModelAndView("/personal");
modelAndView.addObject("msg", userDetailsService.myMsg());
return modelAndView;
}
}
要实现您想要的效果,您还可以在控制器方法级别使用 @PreAuthorization 注释。
示例:
@PreAuthorization("hasRole('ROLE_ADMIN')")
@GetMapping(value = "/personal")
public ModelAndView personalGet () {..}
Spring 无法在私有方法上应用基于注释的逻辑。