Hy。我想要做的是將Spring安全與Jsf + Spring IOC + Hibernate應用程序集成在一起。我設法設置了登錄頁面並過濾了其他一些頁面。到目前爲止,還是很棒的,但是當我試圖將@Secured或@PreAuthorize對managedBean內部的方法進行註釋(在Dao的註解工作中),我意識到他們什麼都不做。我讀過,我需要FORCE類代理。 Spring使用基於代理的aop,託管bean實現一個接口,因此使用jdk動態代理而不是類代理。所以,我在配置文件中這樣做:Spring安全3.1 + JSF 2.0。 ManagedBeans中註釋方法的問題?
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"**
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
<aop:aspectj-autoproxy proxy-target-class="true"/>
//the rest of the beans
</beans>
ApplicationContext的安全XML看起來是這樣的:
<?xml version="1.0" encoding="UTF-8"?>
<!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml
3019 2008-05-01 17:51:48Z luke_t $ -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
<http pattern="/css/**" security="none" />
<http pattern="/pages/login.xhtml" security="none" />
<http auto-config='false'>
<intercept-url pattern="/pages/customer/**" access='ROLE_SITE_ADMIN' />
<intercept-url pattern="/pages/department/overhead*" access='ROLE_SITE_ADMIN' />
<intercept-url pattern="/**"
access='ROLE_SITE_ADMIN,ROLE_PROJECT_MANAGER,ROLE_DEPARTMENT_MANAGER,ROLE_ACCOUNTING' />
<form-login login-page="/pages/login.xhtml"
default-target-url='/pages/reports.xhtml' always-use-default-target='true'
authentication-failure-handler-ref="userLoginService" />
<logout invalidate-session="true" logout-success-url="/pages/login.xhtml"/>
</http>
<authentication-manager>
<authentication-provider user-service-ref='userLoginService'>
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
<beans:bean id="userLoginService" class="com.evozon.demo.bean.SecureLoginService">
<beans:property name="defaultFailureUrl" value="/pages/login.xhtml" />
<beans:property name="userDao" ref="userDao" />
<beans:property name="loginReportDao" ref="loginReportDao" />
</beans:bean>
</beans:beans>
誰能告訴我,爲什麼標註不託管bean內工作,以及如何解決問題?例如:
@PreAuthorize("ROLE_PROJECT_MANAGER")
public void aproveVacation(Vacation vacation) {...}
THX