Question

我使用春季MVC和春季保安系统

我有笔记驱动控制器并试图加加安全说明

主计长代码 :

@Controller
public class SomeController implements MessageSourceAware {

    @Secured("ROLE_ADMIN")
    @RequestMapping(value = "/somepage", method = RequestMethod.GET)
    public String getPage(HttpServletRequest request, ModelMap model) {
        // logic
        return ADMIN_VIEW_NAME;
    }

我的springring-security.xml :

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security secured-annotations="enabled" />

    <security:http auto-config="true" use-expressions="true" access-denied-page="/denied">

        <security:intercept-url pattern="/login" access="permitAll"/>
        <!--<security:intercept-url pattern="/admin" access="hasRole( ROLE_ADMIN )"/>-->

        <security:form-login
                login-page="/login"
                authentication-failure-url="/login?error=true"
                default-target-url="/index"/>

        <security:logout
                invalidate-session="true"
                logout-success-url="/login"
                logout-url="/logout"/>

    </security:http>

    <!-- Declare an authentication-manager to use a custom userDetailsService -->
    <security:authentication-manager>
        <security:authentication-provider user-service-ref="authManager">
            <security:password-encoder ref="passwordEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <!-- Use a SHA encoder since the user s passwords are stored as SHA in the database -->
    <bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" id="passwordEncoder"/>

    <!-- A custom service where Spring will retrieve users and their corresponding access levels  -->
    <bean id="authManager" class="some.package.AdminManager"/>

</beans>

当我尝试打开安全页面时, 我就会有以下错误:

org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.IllegalArgumentException: object is not an instance of declaring class
HandlerMethod details: 
Controller [$Proxy139]
Method [public java.lang.String SomeController.getPage(javax.servlet.http.HttpServletRequest,org.springframework.ui.ModelMap)]
Resolved arguments: 
[0] [type=org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper] [value=SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.connector.RequestFacade@7a31c825]]]
[1] [type=org.springframework.validation.support.BindingAwareModelMap] [value={}]

如果我在 spring-security.xml 中移除符合线条的加密注解和未加注:

<security:intercept-url pattern="/admin" access="hasRole( ROLE_ADMIN )"/>

一切顺利。

谢谢你的帮助

Answer 1

移动

<security:global-method-security secured-annotations="enabled" />

从春季- security. xml 到主调度器服务器引用的 xml 文件, 通常类似 servlet- context. xml 或 application- context. xml 或 application- context. xml

See here http://static.springsource.org/spring-security/site/faq/faq.html#faq-method-security-in-web-context

而且,我认为你需要加入代理目标类 ="真实" 在全球 - 方法安全说明和类似

<security:global-method-security secured-annotations="enabled" proxy-target-class="true"/>

友情链接