开发者

global-method-security works on some beans but not others using spring security

开发者 https://www.devze.com 2023-03-07 08:31 出处:网络
i\'ve a service , <bean id=\"myservicie\" class=\"org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter\">

i've a service ,

   <bean id="myservicie" class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
            <property name="service" ref="aService"/>
            <property name="serviceInterface" value="com.statestr.oms.fx.ws.service.IService"/>
   </bean>  

inside this aservice,

   @Secured ({"ROLE_USER"})
   private void mythod(),

but it's not working,

however, if i move this method to another bean, say, mybean,the security annotation will work,

i've enabled both in the configuration like below, can anyone help? thx.

   <global-method-security   secured-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
        <protect-pointcut expression="execution(* *..com.states开发者_JAVA技巧tr.oms.service.impl.*Mybean*.*(..))" access="ROLE_USER"/>
        <protect-pointcut expression="execution(* *..com.statestr.oms.service.impl.*Service*.*(..))" access="ROLE_USER"/>
   </global-method-security>


I guess it is because your application uses Spring Proxy AOP. And this AOP Style has no influence if the method is invoked directly (from the same bean). And I think that is what you do, because the method you mentioned is a private method.

So what you can do is:

  • use AspectJ (I strongly recommend it),
  • put the @Secured annotation to a method that is invoked from outside of the bean

Anyway your configuration looks a bit strange - why do you use @Secured AND <protect-pointcut... for the same Class? One of them should be enough.

0

精彩评论

暂无评论...
验证码 换一张
取 消