Spring Security @PreAuthorize interception not taking effect


1. When using Spring Security with the annotation @PreAuthorize("hasAnyRole('ROLE_Admin')") placed on a method to control access to it, the restriction has no effect. The configuration looks like this:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.UserDetailsService;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        UserDetailsService userDetailsService;

        // Expose the AuthenticationManager as a bean so other components can inject it.
        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService);
        }

        // URL-level rules only: static resources and the login page are public,
        // everything else merely requires an authenticated user.
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/res/**", "/login/login*").permitAll()
                .anyRequest().authenticated()
                .and().formLogin().loginPage("/login/login").defaultSuccessUrl("/")
                    .passwordParameter("password")
                    .usernameParameter("username")
                .and().logout().logoutSuccessUrl("/login/login");
        }
    }


The controller method looks like this:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;

    // CommonController and UserService are the project's own classes (same package assumed).
    @Controller
    @RequestMapping("/demo")
    public class DemoController extends CommonController {

        @Autowired
        private UserService userService;

        // Method-level rule: only users holding ROLE_Admin should reach this handler.
        @PreAuthorize("hasAnyRole('ROLE_Admin')")
        @RequestMapping(value = "user-list")
        public void userList() {

        }

    }



Accessing this method with a user who does not have ROLE_Admin shows that the restriction has no effect.

Change the configuration as follows:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/res/**", "/login/login*").permitAll()
            // Added: the same role requirement, but enforced at the URL level by the filter chain.
            .antMatchers("/demo/user-list").access("hasRole('ROLE_Admin')")
            .anyRequest().authenticated()
            .and().formLogin().loginPage("/login/login").defaultSuccessUrl("/")
                .passwordParameter("password")
                .usernameParameter("username")
            .and().logout().logoutSuccessUrl("/login/login");
    }


After adding:

    .antMatchers("/demo/user-list").access("hasRole('ROLE_Admin')")

the request is intercepted correctly, which shows that the URL-level rule works and that it is the method-level interception that is not taking effect.

With XML-based configuration, the following must be added to the configuration file:

    <security:global-method-security
        pre-post-annotations="enabled" proxy-target-class="true" />

With annotation-based (Java) configuration, method security has to be switched on with the @EnableGlobalMethodSecurity(prePostEnabled=true) annotation instead.

In addition, the following method must be provided:

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

With that in place, the method is intercepted correctly.

Original post: https://www.cnblogs.com/ranger2016/p/3914146.html