【发布时间】:2010-09-21 08:46:41
【问题描述】:
我目前遇到了spring security问题,我一直在关注最后两个参考on the spring security article page的教程
使用org.springframework.security.access.annotation.Secured 保护的方法似乎不会触发任何 Spring Security 逻辑。
这是我的测试文件:
public class AclServiceTest {
@Autowired
PersonDataOnDemand pdod;
@Autowired
MyAclService aclService;
UserDetailsService uds = new MyUserDetailsService();
@Test
public void testWriteResourceAnnotation(){
Person p0 = pdod.getSpecificPerson(0);
Person p1 = pdod.getSpecificPerson(1);
Assert.isTrue(!p0.getId().equals(p1.getId()));
Resource r = new Resource(p0.getSite(), p0, p0.getPrivateFolder());
authenticatePerson(p0);
securedWriteResource(r);
authenticatePerson(p1);
try{
securedWriteResource(r);
fail();
} catch(Exception e){
}
}
@Secured("ACL_RESOURCE_WRITE")
public void securedWriteResource(Resource r){
return;
}
private void authenticatePerson(Person p){
UserDetails ud = uds.loadUserByUsername(p.getEmail());
SecurityContextHolder.getContext().setAuthentication(new RunAsUserToken("user-"+p.getId(), ud, p.getPassword(), ud.getAuthorities().toArray(new GrantedAuthority[0]), null));
}
}
如果将以下行添加到我的web.xml
<!--Spring security filter-->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
这是我使用的 bean 的 security.xml 配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd" >
<beans:bean id="ehCacheBasedAclCache" class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
<beans:constructor-arg>
<beans:bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<beans:property name="cacheManager">
<beans:bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
</beans:property>
<beans:property name="cacheName" value="aclCache"/>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<!--
Partie gestion de la business logic ACL
-->
<global-method-security secured-annotations="enabled" access-decision-manager-ref="businessAccessDecisionManager"/>
<beans:bean id="businessAccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<beans:property name="allowIfAllAbstainDecisions" value="false"/>
<beans:property name="decisionVoters">
<beans:list>
<beans:ref local="roleVoter"/>
<beans:ref local="aclResourceReadVoter"/>
<beans:ref local="aclResourceWriteVoter"/>
<beans:ref local="aclResourceDeleteVoter"/>
<beans:ref local="aclResourceAdminVoter"/>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>
<beans:bean id="aclResourceReadVoter" class="org.springframework.security.acls.AclEntryVoter">
<beans:constructor-arg ref="jdbcMutableAclService"/>
<beans:constructor-arg value="ACL_RESOURCE_READ"/>
<beans:constructor-arg>
<beans:list>
<beans:ref local="administrationPermission"/>
<beans:ref local="readPermission"/>
</beans:list>
</beans:constructor-arg>
<beans:property name="processDomainObjectClass" value="myapp.models.Resource"/>
<beans:property name="internalMethod" value="getRootFolder"/>
</beans:bean>
<beans:bean id="aclResourceWriteVoter" class="org.springframework.security.acls.AclEntryVoter">
<beans:constructor-arg ref="jdbcMutableAclService"/>
<beans:constructor-arg value="ACL_RESOURCE_WRITE"/>
<beans:constructor-arg>
<beans:list>
<beans:ref local="administrationPermission"/>
<beans:ref local="writePermission"/>
</beans:list>
</beans:constructor-arg>
<beans:property name="processDomainObjectClass" value="myapp.models.Resource"/>
<beans:property name="internalMethod" value="getRootFolder"/>
</beans:bean>
<beans:bean id="aclResourceDeleteVoter" class="org.springframework.security.acls.AclEntryVoter">
<beans:constructor-arg ref="jdbcMutableAclService"/>
<beans:constructor-arg value="ACL_RESOURCE_DELETE"/>
<beans:constructor-arg>
<beans:list>
<beans:ref local="administrationPermission"/>
<beans:ref local="deletePermission"/>
</beans:list>
</beans:constructor-arg>
<beans:property name="processDomainObjectClass" value="myapp.models.Resource"/>
<beans:property name="internalMethod" value="getRootFolder"/>
</beans:bean>
<beans:bean id="aclResourceAdminVoter" class="org.springframework.security.acls.AclEntryVoter">
<beans:constructor-arg ref="jdbcMutableAclService"/>
<beans:constructor-arg value="ACL_RESOURCE_ADMIN"/>
<beans:constructor-arg>
<beans:list>
<beans:ref local="administrationPermission"/>
</beans:list>
</beans:constructor-arg>
<beans:property name="processDomainObjectClass" value="myapp.models.Resource"/>
<beans:property name="internalMethod" value="getRootFolder"/>
</beans:bean>
<beans:bean id="administrationPermission" class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean">
<beans:property name="staticField" value="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
</beans:bean>
<beans:bean id="readPermission" class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean">
<beans:property name="staticField" value="org.springframework.security.acls.domain.BasePermission.READ"/>
</beans:bean>
<beans:bean id="writePermission" class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean">
<beans:property name="staticField" value="org.springframework.security.acls.domain.BasePermission.WRITE"/>
</beans:bean>
<beans:bean id="deletePermission" class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean">
<beans:property name="staticField" value="org.springframework.security.acls.domain.BasePermission.DELETE"/>
</beans:bean>
businessAccessDecisionManager bean 被创建并被赋予投票者,但决不调用该方法。
有人知道出了什么问题吗?
感谢您的帮助。
【问题讨论】:
标签: annotations spring-security acl