我正在努力应对我的Spring Security配置,到目前为止我无法使其正常运行。 我不知道为什么我的自定义PermissionEvaluator没有被调用,而且使用hasPermission表达式的@PreAuthorize注释被忽略。
我使用的是Spring 4.2.4和Spring security 4.1.0
她是我的代码:
网络安全配置
@Configuration
@EnableWebSecurity
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http //
.addFilterBefore(wafflePreAuthFilter(), AbstractPreAuthenticatedProcessingFilter.class) //
.authenticationProvider(preauthAuthProvider()) //
.csrf().disable() //
.authorizeRequests() //
.antMatchers("/ui/**").authenticated() //
.anyRequest().permitAll();
}
@Bean
public WafflePreAuthFilter wafflePreAuthFilter() throws Exception {
WafflePreAuthFilter filter = new WafflePreAuthFilter();
filter.setAuthenticationManager(authenticationManager());
return filter;
}
@Bean
public PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
preauthAuthProvider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
return preauthAuthProvider;
}
@Bean
public UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper() {
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>();
wrapper.setUserDetailsService(myUserDetailsService());
return wrapper;
}
@Bean
public UserDetailsService myUserDetailsService() {
return new myUserDetailsService();
}
}
方法安全配置
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, proxyTargetClass = true)
public class MyServiceMethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Bean
public PermissionEvaluator myPermissionEvaluator() {
return new DcePermissionEvaluator();
}
@Override
public MethodSecurityExpressionHandler createExpressionHandler() {
DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
expressionHandler.setPermissionEvaluator(myPermissionEvaluator());
return expressionHandler;
}
}
PermissionEvaluator
public class MyPermissionEvaluator implements PermissionEvaluator {
@Autowired
private MyService myAutowiredService;
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
// checking permissions
return true;
}
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
// checking permissions
return true;
}
}
任何人都可以给我一个暗示该做什么的提示?
顺便说一句,如果我将MyServiceMethodSecurityConfig更改为this,那么myPermissionEvaluator会被处理,但依赖注入并不起作用,因为它不是由Spring管理的:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, proxyTargetClass = false)
public class MyServiceMethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Override
public MethodSecurityExpressionHandler createExpressionHandler() {
DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
expressionHandler.setPermissionEvaluator(new DcePermissionEvaluator());
return expressionHandler;
}
}