【发布时间】:2016-12-06 18:14:57
【问题描述】:
我正在尝试使用 preAuthorize 来保护 url。只有在课程中注册的人才能访问课程。这是我的代码:
控制器:
@Controller
@RequestMapping(value = "/course/{courseId}")
@PreAuthorize("@userService.isCurrentUserinCourse(authentication, courseId)")
public class SyllabusController {
@RequestMapping(value = { "/syllabus" }, method = RequestMethod.GET)
public ModelAndView syllabusPage(@PathVariable("courseId") int courseId) {
...}
UserServiceImpl:
@Service("userService")
public class UserServiceImpl implements UserService {
@Autowired
private UserDAO userDAO;
@Override
public boolean isUserinCourse(int userId, int courseId) {
return userDAO.isUserinCourse(userId, courseId);
}
@Override
public boolean isCurrentUserinCourse(Authentication authentication, int courseId) {
if (!(authentication instanceof AnonymousAuthenticationToken)) {
return isUserinCourse(((UserModel) authentication.getPrincipal()).getId(), courseId);
}
return false;
}
spring-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<global-method-security pre-post-annotations="enabled" />
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
我们在没有登录的情况下进入 /course/{id}/syllabus,它显示了不应该登录的页面。并且调试不是进入 UserServiceImpl 中的 isCurrentUserinCourse(Authentication authentication, int courseId) 方法。
【问题讨论】:
-
重新阅读手册:docs.spring.io/spring-security/site/docs/3.0.x/reference/…(不是当前版本,但仍然适用)
标签: java spring spring-mvc spring-security