为什么我的自定义PermissionEvaluator没有被调用？

Question

为什么我的自定义PermissionEvaluator没有被调用？

7

我正在苦恼于我的Spring Security配置，到目前为止我还没有能够使它起作用。我不知道为什么我的自定义PermissionEvaluator没有被调用，我的@PreAuthorize注释使用hasPermission表达式也被忽略了。

我正在使用Spring 4.2.4和Spring security 4.1.0

这是我的代码:

Web安全配置

@Configuration
@EnableWebSecurity
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http //
                .addFilterBefore(wafflePreAuthFilter(), AbstractPreAuthenticatedProcessingFilter.class) //
                .authenticationProvider(preauthAuthProvider()) //
                .csrf().disable() //
                .authorizeRequests() //
                .antMatchers("/ui/**").authenticated() //
                .anyRequest().permitAll();
    }

    @Bean
    public WafflePreAuthFilter wafflePreAuthFilter() throws Exception {
        WafflePreAuthFilter filter = new WafflePreAuthFilter();
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    @Bean
    public PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
        PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
        preauthAuthProvider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
        return preauthAuthProvider;
    }

    @Bean
    public UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper() {
        UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>();
        wrapper.setUserDetailsService(myUserDetailsService());
        return wrapper;
    }

    @Bean
    public UserDetailsService myUserDetailsService() {
        return new myUserDetailsService();
    }
}

方法安全配置

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, proxyTargetClass = true)
public class MyServiceMethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Bean
    public PermissionEvaluator myPermissionEvaluator() {
        return new DcePermissionEvaluator();
    }

    @Override
    public MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
        expressionHandler.setPermissionEvaluator(myPermissionEvaluator());
        return expressionHandler;
    }
}

PermissionEvaluator

public class MyPermissionEvaluator implements PermissionEvaluator {
    @Autowired
    private MyService myAutowiredService;

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        // checking permissions
        return true;
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        // checking permissions
        return true;
    }
}

有人能给我指点一下该怎么做吗？

顺便说一句，如果我将MyServiceMethodSecurityConfig更改为以下内容，则会处理myPermissionEvaluator，但由于它不受Spring管理，因此依赖项注入无法正常工作：

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, proxyTargetClass = false)
public class MyServiceMethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Override
    public MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
        expressionHandler.setPermissionEvaluator(new DcePermissionEvaluator());
        return expressionHandler;
    }
}

- Arthur

这个有进展了吗？ - eduyayo

1个回答

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- yarrichar · Accepted Answer

我遇到了这个问题。似乎是由于在多个地方指定了注解@EnableGlobalMethodSecurity引起的。

一旦我从除上面实现的GlobalMethodSecurityConfiguration之外的其他位置中移除它，事情就开始按预期工作了。