我正在苦恼于我的Spring Security配置,到目前为止我还没有能够使它起作用。 我不知道为什么我的自定义PermissionEvaluator没有被调用,我的@PreAuthorize注释使用hasPermission表达式也被忽略了。
我正在使用Spring 4.2.4和Spring security 4.1.0
这是我的代码:
Web安全配置
@Configuration
@EnableWebSecurity
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http //
.addFilterBefore(wafflePreAuthFilter(), AbstractPreAuthenticatedProcessingFilter.class) //
.authenticationProvider(preauthAuthProvider()) //
.csrf().disable() //
.authorizeRequests() //
.antMatchers("/ui/**").authenticated() //
.anyRequest().permitAll();
}
@Bean
public WafflePreAuthFilter wafflePreAuthFilter() throws Exception {
WafflePreAuthFilter filter = new WafflePreAuthFilter();
filter.setAuthenticationManager(authenticationManager());
return filter;
}
@Bean
public PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
preauthAuthProvider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
return preauthAuthProvider;
}
@Bean
public UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper() {
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>();
wrapper.setUserDetailsService(myUserDetailsService());
return wrapper;
}
@Bean
public UserDetailsService myUserDetailsService() {
return new myUserDetailsService();
}
}
方法安全配置
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, proxyTargetClass = true)
public class MyServiceMethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Bean
public PermissionEvaluator myPermissionEvaluator() {
return new DcePermissionEvaluator();
}
@Override
public MethodSecurityExpressionHandler createExpressionHandler() {
DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
expressionHandler.setPermissionEvaluator(myPermissionEvaluator());
return expressionHandler;
}
}
PermissionEvaluator
public class MyPermissionEvaluator implements PermissionEvaluator {
@Autowired
private MyService myAutowiredService;
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
// checking permissions
return true;
}
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
// checking permissions
return true;
}
}
有人能给我指点一下该怎么做吗?
顺便说一句,如果我将MyServiceMethodSecurityConfig更改为以下内容,则会处理myPermissionEvaluator,但由于它不受Spring管理,因此依赖项注入无法正常工作:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, proxyTargetClass = false)
public class MyServiceMethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Override
public MethodSecurityExpressionHandler createExpressionHandler() {
DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
expressionHandler.setPermissionEvaluator(new DcePermissionEvaluator());
return expressionHandler;
}
}