Spring Security 方法级别安全注释不起作用

发布于 2024-12-16 02:47:50 字数 4118 浏览 0 评论 0原文

我正在使用 Struts 2 + Spring Security 3 制作一个简单的 Web 应用程序。我想使用 Pre-Post Annotations 来实现方法级别的安全性。

但注释不起作用。

这是我的 web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
  <display-name>MyCustomSpringSecurity</display-name>

  <context-param>
<param-name>contextConfiguration</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
  </context-param>

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

  <filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

  <filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>

  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
  <welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>

这是我的 struts.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.1//EN" "http://struts.apache.org/dtds/struts-2.1.dtd">
<struts>
<package name="default" extends="struts-default">
    <action name="firstPage" class="code.action.MyAction" method="showPage">
        <result name="success">/firstPage.jsp</result>
    </action>
</package>
</struts>

这是我的 applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <global-method-security pre-post-annotations="enabled" >
    </global-method-security>

    <beans:bean id="myAction" class="code.action.MyAction">
        <intercept-methods>
            <protect access="ROLE_ADMIN" method="showPage"/>
        </intercept-methods>
    </beans:bean>

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/index.jsp" access="permitAll" />
        <intercept-url pattern="/firstPage" access="hasRole('ROLE_USER')" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="user" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

最后这是 MyAction.java

package code.action;

import org.springframework.security.access.prepost.PreAuthorize;

public class MyAction {
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public String showPage(){
        System.out.println("in showPage");
        return "success";
    }
}

您可以清楚地看到我为用户分配的角色是 ROLE_USER 但我希望在访问该方法时它是 ROLE_ADMIN，所以从逻辑上讲，运行此代码时应该出现 403 Access Denied 错误。但它能够访问该方法并显示下一页。

所以我认为注释不起作用。

有人知道发生了什么事吗？

原文

I am making a simple web application using Struts 2 + Spring Security 3. And I want to use Pre-Post Annotations for Method Level Security.

But the Annotations are not working.

Here is my web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
  <display-name>MyCustomSpringSecurity</display-name>

  <context-param>
<param-name>contextConfiguration</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
  </context-param>

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

  <filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

  <filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>

  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
  <welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>

This is my struts.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.1//EN" "http://struts.apache.org/dtds/struts-2.1.dtd">
<struts>
<package name="default" extends="struts-default">
    <action name="firstPage" class="code.action.MyAction" method="showPage">
        <result name="success">/firstPage.jsp</result>
    </action>
</package>
</struts>

This is my applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <global-method-security pre-post-annotations="enabled" >
    </global-method-security>

    <beans:bean id="myAction" class="code.action.MyAction">
        <intercept-methods>
            <protect access="ROLE_ADMIN" method="showPage"/>
        </intercept-methods>
    </beans:bean>

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/index.jsp" access="permitAll" />
        <intercept-url pattern="/firstPage" access="hasRole('ROLE_USER')" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="user" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

Finally This is MyAction.java

package code.action;

import org.springframework.security.access.prepost.PreAuthorize;

public class MyAction {
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public String showPage(){
        System.out.println("in showPage");
        return "success";
    }
}

You can clearly see that I am assigning role to user is ROLE_USER but I want it to be ROLE_ADMIN when accessing that method, so logically there should be error of 403 Access Denied when running this code. But it is able to access that method and shows next page.

So I think the annotations are not working.

Any body knows whats going on ?

分享到QQ

分享到微博