我已经按照很多线程将
Spring Security实现到我的rest API.最初我被卡在@Secured注释被忽略,现在我已经解决了,我被困在获得拒绝访问.
感觉像我的问题听起来非常相似:@secured with granted authorities throws access denied exception – 但我仍然被拒绝访问.
这是我的设置:
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.PlaintextPasswordEncoder"/>
<user-service id="userDetailsService">
<user name="john" password="john1" authorities="ROLE_USER,ROLE_ADMIN" />
<user name="jane" password="jane1" authorities="ROLE_USER" />
<user name="apiuser" password="apiuser" authorities="PERMISSION_TEST" />
</user-service>
控制器:
@Controller
@RequestMapping("/secure")
public class SecureController
{
private static final Logger logger = Logger.getLogger(SecureController.class);
@Secured("PERMISSION_TEST")
@RequestMapping(value = "/makeRequest",method = RequestMethod.GET)
@ResponseBody
public SimpleDTO executeSecureCall()
{
logger.debug("[executeSecureCall] Received request to a secure method");
SimpleDTO dto = new SimpleDTO();
dto.setStringVariable("You are authorized!");
return dto;
}
}
现在 – 没有正确的
<security:global-method-security secured-annotations="enabled"/>
我的请求通过(这是因为@Secured注释被忽略).当我把它放入并使用“apiuser”/“apiuser”访问它时,我一直拒绝访问,调试日志:
11:42:43,899 [http-apr-8080-exec-4] DEBUG MethodSecurityInterceptor - PrevIoUsly Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@cc12af5d: Principal: org.springframework.security.core.userdetails.User@d059c8e5: Username: apiuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: PERMISSION_TEST; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: PERMISSION_TEST 11:42:43,899 [http-apr-8080-exec-4] DEBUG AffirmativeBased - Voter: org.springframework.security.access.Vote.RoleVoter@2a9a42ef,returned: 0 11:42:43,900 [http-apr-8080-exec-4] DEBUG AffirmativeBased - Voter: org.springframework.security.access.Vote.AuthenticatedVoter@75a06ec2,returned: 0 11:42:43,902 [http-apr-8080-exec-4] DEBUG AnnotationMethodHandlerExceptionResolver - Resolving exception from handler [com.test.webapp.spring.controller.SecureController@342d150f]: org.springframework.security.access.AccessDeniedException: Access is denied 11:42:43,905 [http-apr-8080-exec-4] DEBUG ResponseStatusExceptionResolver - Resolving exception from handler [com.test.webapp.spring.controller.SecureController@342d150f]: org.springframework.security.access.AccessDeniedException: Access is denied 11:42:43,906 [http-apr-8080-exec-4] DEBUG DefaultHandlerExceptionResolver - Resolving exception from handler [com.test.webapp.spring.controller.SecureController@342d150f]: org.springframework.security.access.AccessDeniedException: Access is denied 11:42:43,909 [http-apr-8080-exec-4] DEBUG dispatcherServlet - Could not complete request org.springframework.security.access.AccessDeniedException: Access is denied
思考?
提前致谢!
