1. When using Spring Security with annotations, `@PreAuthorize("hasAnyRole('ROLE_Admin')")` placed on a method to restrict access to it had no effect. The configuration was as follows:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserDetailsService userDetailsService;

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/res/**", "/login/login*").permitAll()
            .anyRequest().authenticated()
            .and().formLogin().loginPage("/login/login").defaultSuccessUrl("/")
            .passwordParameter("password")
            .usernameParameter("username")
            .and().logout().logoutSuccessUrl("/login/login");
    }
}
```
The method in the Controller looks like this:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

// CommonController and UserService are the project's own classes.
@Controller
@RequestMapping("/demo")
public class DemoController extends CommonController {

    @Autowired
    private UserService userService;

    @PreAuthorize("hasAnyRole('ROLE_Admin')")
    @RequestMapping(value = "user-list")
    public void userList() {
    }
}
```
Accessing this method with a user who does not have ROLE_Admin showed that the restriction was not enforced.
So I changed the configuration:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
        .antMatchers("/res/**", "/login/login*").permitAll()
        .antMatchers("/demo/user-list").access("hasRole('ROLE_Admin')")
        .anyRequest().authenticated()
        .and().formLogin().loginPage("/login/login").defaultSuccessUrl("/")
        .passwordParameter("password")
        .usernameParameter("username")
        .and().logout().logoutSuccessUrl("/login/login");
}
```
After adding

```java
.antMatchers("/demo/user-list").access("hasRole('ROLE_Admin')")
```

the request is intercepted correctly, which shows that URL-level authorization works and it is the method-level interception that is not taking effect.

With XML-based configuration, the following has to be added to the configuration file:

```xml
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" />
```

With annotation-based configuration, method security is switched on with the `@EnableGlobalMethodSecurity(prePostEnabled = true)` annotation instead.
In addition, the following method has to be provided:

```java
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}
```

With that in place, the method-level interception works.
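The corrected configuration, together with a test that proves the annotation is actually enforced, as an added example (not code from the original post). It assumes a Spring Boot application in a package named `com.example.demo`, a `UserDetailsService` bean supplied elsewhere, the `DemoController` shown above, and `spring-boot-starter-test` plus `spring-security-test` on the test classpath. The URL-level `antMatchers("/demo/user-list")` rule is deliberately left out here so that a 403 in the test can only come from `@PreAuthorize`:

```java
// file: SecurityConfig.java  (added example, not the post's own code)
package com.example.demo;                      // assumed package name

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@EnableWebSecurity
// The switch the original configuration was missing: without it Spring never
// creates the method-security proxies, so @PreAuthorize is silently ignored.
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserDetailsService userDetailsService;   // assumed to be provided by the application

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/res/**", "/login/login*").permitAll()
            .anyRequest().authenticated()          // no URL rule for /demo/user-list on purpose
            .and().formLogin().loginPage("/login/login").defaultSuccessUrl("/")
            .and().logout().logoutSuccessUrl("/login/login");
    }
}

// file: DemoControllerAccessTest.java  (added example; assumes Spring Boot,
// spring-boot-starter-test and spring-security-test)
package com.example.demo;

import static org.hamcrest.Matchers.not;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class DemoControllerAccessTest {

    @Autowired
    MockMvc mvc;

    // An authenticated user without ROLE_Admin must be refused with 403.
    // Remove @EnableGlobalMethodSecurity again and this test fails: that is
    // exactly the silent failure the original post ran into.
    @Test
    @WithMockUser(username = "alice", roles = "User")   // granted authority ROLE_User
    void nonAdminIsDeniedByPreAuthorize() throws Exception {
        mvc.perform(get("/demo/user-list"))
           .andExpect(status().isForbidden());
    }

    // ROLE_Admin satisfies hasAnyRole('ROLE_Admin'), so the request must not be 403.
    @Test
    @WithMockUser(username = "root", roles = "Admin")   // granted authority ROLE_Admin
    void adminPassesPreAuthorize() throws Exception {
        mvc.perform(get("/demo/user-list"))
           .andExpect(status().is(not(403)));
    }
}
```

Two caveats worth keeping in mind. Method security is applied through Spring AOP proxies, so an annotated method called from another method of the same bean (self-invocation) bypasses the check entirely; only calls that come in through the proxy, such as the MVC dispatch in this test, are authorized. And on Spring Security 5.6+ `@EnableGlobalMethodSecurity` is deprecated in favour of `@EnableMethodSecurity` (where `prePostEnabled` is true by default), while `WebSecurityConfigurerAdapter` is deprecated from 5.7 and removed in 6.0 in favour of a `SecurityFilterChain` bean; the test above works unchanged against either style of configuration, which is the point of having it.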