Spring Security 中的安全注释
我正在尝试在 spring security 中配置安全注释。但我对此有一个疑问 -
....
<security:http auto-config="true" use-expressions="true">
....
当我使用
@Secured("CUSTOM_ACCESS")
public String query();
它时它不起作用。但我使用
@PreAuthorize("hasRole('CUSTOM_ACCESS')")
public String query();
它可以正常工作并应用相关角色。这是否意味着 @Secured 注释不能与 @PreAuthorize 一起使用?
我也尝试添加
<security:global-method-security secured-annotations="enabled" />
但没有帮助。
<security:global-method-security pre-post-annotations="enabled" />
上面的配置工作正常。有什么想法吗?
I am trying to configure security annotations in spring security. But I have a question about this -
....
<security:http auto-config="true" use-expressions="true">
....
and when I use
@Secured("CUSTOM_ACCESS")
public String query();
it doesn't work. But I use
@PreAuthorize("hasRole('CUSTOM_ACCESS')")
public String query();
it works correctly and applies relevant Role. Does this mean @Secured annotations doesn't work with @PreAuthorize?
I also tried adding
<security:global-method-security secured-annotations="enabled" />
But it doesn't help.
<security:global-method-security pre-post-annotations="enabled" />
The above config works fine. Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
首先,
use-expressions设置对方法安全注释没有影响。这些是使用global-method-security启用的。使用
将启用
PreAuthorize及其相关注释。当您启用安全注释时,安全注释不起作用的原因是没有投票者知道CUSTOM_ACCESS的含义。在其默认设置中,Spring Security 的 RoleVoter 仅使用以前缀 ROLE_ 开头的属性。有关详细信息,请参阅此常见问题解答。投票者除了检查简单角色之外还可以用于其他用途,因此他们通常需要某种方式来确定为方法配置的哪些属性适用于他们。基于表达式的注释的操作方式与标准投票器不同。
hasRole表达式只是查找分配给用户的命名权限。因此,如果您为方法安全性创建了一个
AccessDecisionManager,并使用一个AccessDecisionVoter来消耗您的CUSTOM_ACCESS属性,那么@Secured注释会有效果。然而,由于您已经将其与 PostAuthorize 一起使用,您可能只想坚持下去。First off, the
use-expressionssetting in your<http>element has no effect on method security annotations. Those are enabled usingglobal-method-security.Using
will enable
PreAuthorizeand its related annotations. The reason the secured annotation isn't working when you enable that is because there is no voter which knows whatCUSTOM_ACCESSmeans. In its default setup Spring Security'sRoleVoteronly consumes attributes which start with the prefixROLE_. See this FAQ for more information.Voters can be used for things other than checking for simple roles, so they typically need some way of determining which of the attributes configured for a method apply to them. The expression-based annotations operate differently from the standard voters. The
hasRoleexpression just looks for a named authority which is assigned to the user.So if you created an
AccessDecisionManagerfor method security, with anAccessDecisionVoterwhich consumes yourCUSTOM_ACCESSattribute then the@Securedannotation would have an effect. However since you have it working withPostAuthorizealready you may just want to stick with that.