Spring 安全 3.1 +JSF 2.0 。在 ManagedBeans 中注释方法有问题吗?
Hy。我想做的是将 Spring security 与 Jsf+spring IOC +hibernate 应用程序集成。我已经设法设置登录页面并过滤其他一些页面。到目前为止一切顺利,但是当我尝试将@Secured或者在 ManagedBeans 内部的方法上使用 @PreAuthorize 注释(在 Dao 的注释中确实有效),我意识到它们绝对没有做任何事情。我读到我需要 FORCE 类代理。 Spring使用基于代理的aop,托管bean实现一个接口,因此使用jdk动态代理而不是类代理。所以我在我的配置文件中这样做了:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"**
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
<aop:aspectj-autoproxy proxy-target-class="true"/>
//the rest of the beans
</beans>
applicationContext-security Xml 看起来像这样:
<?xml version="1.0" encoding="UTF-8"?>
<!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml
3019 2008-05-01 17:51:48Z luke_t $ -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
<http pattern="/css/**" security="none" />
<http pattern="/pages/login.xhtml" security="none" />
<http auto-config='false'>
<intercept-url pattern="/pages/customer/**" access='ROLE_SITE_ADMIN' />
<intercept-url pattern="/pages/department/overhead*" access='ROLE_SITE_ADMIN' />
<intercept-url pattern="/**"
access='ROLE_SITE_ADMIN,ROLE_PROJECT_MANAGER,ROLE_DEPARTMENT_MANAGER,ROLE_ACCOUNTING' />
<form-login login-page="/pages/login.xhtml"
default-target-url='/pages/reports.xhtml' always-use-default-target='true'
authentication-failure-handler-ref="userLoginService" />
<logout invalidate-session="true" logout-success-url="/pages/login.xhtml"/>
</http>
<authentication-manager>
<authentication-provider user-service-ref='userLoginService'>
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
<beans:bean id="userLoginService" class="com.evozon.demo.bean.SecureLoginService">
<beans:property name="defaultFailureUrl" value="/pages/login.xhtml" />
<beans:property name="userDao" ref="userDao" />
<beans:property name="loginReportDao" ref="loginReportDao" />
</beans:bean>
</beans:beans>
有人可以告诉我为什么注释在托管 bean 中不起作用,以及如何解决该问题吗?例如:
@PreAuthorize("ROLE_PROJECT_MANAGER")
public void aproveVacation(Vacation vacation) {...}
谢谢
Hy .What i am trying to do is to integrate Spring security with a Jsf+spring IOC +hibernate application.I have managed to set the login page and filter some other pages.So far so good, but when i tried to put @Secured or @PreAuthorize annotation on methods inside managedBeans (inside Dao's the annotation do work), i realized they do absolutely nothing. I have read that i need FORCE class proxies. Spring uses proxy based aop,the managed bean implements an interface hence jdk dynamic proxy instead of class proxy is used. So i did this in my config file:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"**
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
<aop:aspectj-autoproxy proxy-target-class="true"/>
//the rest of the beans
</beans>
The applicationContext-security Xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml
3019 2008-05-01 17:51:48Z luke_t $ -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
<http pattern="/css/**" security="none" />
<http pattern="/pages/login.xhtml" security="none" />
<http auto-config='false'>
<intercept-url pattern="/pages/customer/**" access='ROLE_SITE_ADMIN' />
<intercept-url pattern="/pages/department/overhead*" access='ROLE_SITE_ADMIN' />
<intercept-url pattern="/**"
access='ROLE_SITE_ADMIN,ROLE_PROJECT_MANAGER,ROLE_DEPARTMENT_MANAGER,ROLE_ACCOUNTING' />
<form-login login-page="/pages/login.xhtml"
default-target-url='/pages/reports.xhtml' always-use-default-target='true'
authentication-failure-handler-ref="userLoginService" />
<logout invalidate-session="true" logout-success-url="/pages/login.xhtml"/>
</http>
<authentication-manager>
<authentication-provider user-service-ref='userLoginService'>
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
<beans:bean id="userLoginService" class="com.evozon.demo.bean.SecureLoginService">
<beans:property name="defaultFailureUrl" value="/pages/login.xhtml" />
<beans:property name="userDao" ref="userDao" />
<beans:property name="loginReportDao" ref="loginReportDao" />
</beans:bean>
</beans:beans>
Can someone tell my why the annotations do not work inside a managed bean,and how to resolve the problem ? ex:
@PreAuthorize("ROLE_PROJECT_MANAGER")
public void aproveVacation(Vacation vacation) {...}
thx
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
问题已经解决了。解决方案是将 Managed beans 转换为 Spring beans。方法如下:
web.xml 不需要 jsf 侦听器,只需要 sprin 侦听器:
应用程序上下文首先需要此配置才能工作:
请注意,前两个需要为 spring beans(对于组件)定义基本包,并且这些 beans 是注解。需要第三个配置来强制类代理,这就是您需要它的原因。
好的。一旦我们知道我们将注释从 jsf ManagedBeans 更改为 Spring 组件:
就
这样。如果您已经有了此配置并且不起作用,您应该设置
The problem has been solved.The solution is to transform the Managed beans to Spring beans. Here is how :
web.xml does not need the jsf listener only the sprin ones :
The application context need this config to work at first :
Note that the first two need to define the base package for the spring beans (for the Components) and that the beans are annotated.The third config is needed to force the class proxy,here is why you need that.
Ok.once we know that we change the annotations from jsf managedBeans to Spring components :
to:
That's all.If you have already this config and doesn't work you should set
<aop:config proxy-target-class="true" />into your applicationContext.xml.