Spring Security method-level security in an HTTP application
Problem description:
I have Spring Security working in my web application using HTTP security with a CAS application. However, I am trying to mix it with method-level security on some service methods (specifically GWT RPC), and it doesn't seem to work. It gets to the point where it executes the @PostAuthorize annotation. However, it doesn't seem to notice my configuration and executes some other way of denying access to the returned object.
Reduced deployerConfigContext.xml, read via the org.springframework.web.context.ContextLoaderListener listener:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:tx="http://www.springframework.org/schema/tx" xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="schemaURLs here">
    <security:http use-expressions="true"
                   entry-point-ref="casProcessingFilterEntryPoint">
        <security:intercept-url pattern="/casfailed.jsp"
                                requires-channel="any" access="permitAll" />
        <security:intercept-url pattern="/cas-logout.jsp"
                                requires-channel="any" access="permitAll" />
        <security:intercept-url pattern="/**"
                                access="isAuthenticated()" requires-channel="https" />
        <security:logout logout-success-url="/cas-logout.jsp" />
        <security:custom-filter ref="casAuthenticationFilter"
                                after="CAS_FILTER" />
    </security:http>
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            ref="casAuthenticationProvider" />
    </security:authentication-manager>
    <!-- setup method level security using annotations -->
    <security:global-method-security
        jsr250-annotations="disabled" secured-annotations="enabled"
        pre-post-annotations="enabled">
        <security:expression-handler ref="expressionHandler" />
    </security:global-method-security>
    <bean id="expressionHandler"
          class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <property name="permissionEvaluator" ref="permissionEvaluator" />
    </bean>
    <bean id="permissionEvaluator"
          class="org.springframework.security.acls.AclPermissionEvaluator">
        <constructor-arg ref="aclService" />
    </bean>
    <bean id="aclService"
          class="my.custom.AclService">
        <constructor-arg>
            <bean class="org.springframework.security.acls.domain.ConsoleAuditLogger" />
        </constructor-arg>
        <constructor-arg>
            <bean
                class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
                <constructor-arg>
                    <list>
                        <bean
                            class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                            <constructor-arg value="ROLE_ADMINISTRATOR" />
                        </bean>
                        <bean
                            class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                            <constructor-arg value="ROLE_ADMINISTRATOR" />
                        </bean>
                        <bean
                            class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                            <constructor-arg value="ROLE_ADMINISTRATOR" />
                        </bean>
                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
    </bean>
    <bean
        class="org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor" />
    <tx:annotation-driven transaction-manager="transactionManager" />
    <bean id="systemEMF"
          class="org.springframework.orm.jpa.LocalEntityManagerFactoryBean">
        <property name="persistenceUnitName" value="_persistenceunit_" />
    </bean>
    <bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
        <property name="entityManagerFactory" ref="systemEMF" />
    </bean>
</beans>
My AclService bean gets created, but it is never executed afterwards (I have logging in every method). I'm not even sure the expressionHandler bean is being used at all. Do I need to move something into the security:http section?
Here is the part of the debug log where it gets executed:
2010-07-23 17:39:17,885 [org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource] DEBUG: @org.springframework.security.access.prepost.PostAuthorize(value=hasPermission(filterObject,'read')) found on specific method: public ReturnType my.rpc.RPCClass.getObject(java.lang.Long)
2010-07-23 17:39:17,885 [org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] DEBUG: Adding security method [CacheKey[my.rpc.RPCClass; public abstract ReturnType my.rpc.RPCClass.getObject(java.lang.Long)]] with attributes [[authorize: 'permitAll', filter: 'null', filterTarget: 'null'], [authorize: 'hasPermission(filterObject,'read')', filter: 'null']]
2010-07-23 17:39:17,885 [org.springframework.transaction.annotation.AnnotationTransactionAttributeSource] DEBUG: Adding transactional method 'getObject' with attribute: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; '',-java.lang.Throwable
2010-07-23 17:39:17,886 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: Secure object: ReflectiveMethodInvocation: public abstract ReturnType my.rpc.RPCClass.getObject(java.lang.Long); target is of class [my.rpc.RPCClass]; Attributes: [[authorize: 'permitAll', filter: 'null', filterTarget: 'null'], [authorize: 'hasPermission(filterObject,'read')', filter: 'null']]
2010-07-23 17:39:17,886 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: Previously Authenticated: org.spr[email protected]eeb49577: Principal: [email protected]: Username: kevin.jordan; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]0: RemoteIpAddress: 192.168.0.16; SessionId: HZFBB0B9768A164833B6C659177874FC9C; Granted Authorities: ROLE_USER Assertion: [email protected] Credentials (Service/Proxy Ticket): ST-27-lUehDttiUOLU041sBEio-cas
2010-07-23 17:39:17,890 [org.springframework.security.access.vote.AffirmativeBased] DEBUG: Voter: org.springframewor[email protected]52691fcf, returned: 1
2010-07-23 17:39:17,890 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: Authorization successful
2010-07-23 17:39:17,890 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: RunAsManager did not change Authentication object
2010-07-23 17:39:17,890 [org.springframework.beans.factory.support.DefaultListableBeanFactory] DEBUG: Returning cached instance of singleton bean 'transactionManager'
2010-07-23 17:39:17,890 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Creating new transaction with name [my.rpc.RPCClass.getObject]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; '',-java.lang.Throwable
2010-07-23 17:39:17,891 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Opened new EntityManager [[email protected]] for JPA transaction
2010-07-23 17:39:18,333 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Initiating transaction commit
2010-07-23 17:39:18,339 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Committing JPA transaction on EntityManager [[email protected]]
2010-07-23 17:39:18,342 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Closing JPA EntityManager [[email protected]] after transaction
2010-07-23 17:39:18,342 [org.springframework.orm.jpa.EntityManagerFactoryUtils] DEBUG: Closing JPA EntityManager
2010-07-23 17:39:18,343 [org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice] DEBUG: PostAuthorize expression rejected access
If anyone needs information from when it starts up, or anything else, let me know. Thanks for your help!
Answer
Possibly your call is not intercepted by the AOP proxy because the method is invoked directly (see 7.6.1 Understanding AOP proxies). That is certainly the case if you annotated methods of the RemoteServiceServlet itself.
You should annotate the methods of the service beans that are called from the RemoteServiceServlet, or use spring4gwt.
Answer
Apparently this was because I was using filterObject when it should have been returnObject.
I'm not calling a service bean. I'm trying to secure the actual GWT RPC method itself. In this case, using @PostAuthorize("hasPermission(filterObject,'read')"). The problem is that it doesn't seem to use any of my ACL service objects. It just automatically denies. – kjordan 2010-07-25 18:13:49
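The two answers above point at two separate defects, and the fix for each is easiest to see side by side in code. The following is an added example, not code from the question's author or from the Spring project. Document, DocumentService, DocumentRpc and DocumentRpcServlet are hypothetical names chosen for illustration; the Spring and GWT classes (PostAuthorize, WebApplicationContextUtils, RemoteServiceServlet, AclPermissionEvaluator) are real. It assumes the ACL and method-security beans from the deployerConfigContext.xml above are in place.

```java
// ---- Document.java (assumed domain object; the ACL is keyed on getId()) ----
package example;

import java.io.Serializable;

public class Document implements Serializable {
    private final Long id;
    private final String title;

    public Document(Long id, String title) { this.id = id; this.title = title; }

    // AclPermissionEvaluator builds an ObjectIdentity from the returned object,
    // which requires a getId() accessor.
    public Long getId() { return id; }
    public String getTitle() { return title; }
}

// ---- DocumentService.java (the Spring-managed bean that carries the annotation) ----
package example;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service("documentService")
public class DocumentService {

    // Defect 2 from the second answer: in a @PostAuthorize expression the value
    // the method returned is 'returnObject'. 'filterObject' is only populated
    // inside @PreFilter / @PostFilter, so hasPermission(filterObject, 'read')
    // passes null to AclPermissionEvaluator, which returns false before ever
    // consulting the AclService. That matches the log above: "PostAuthorize
    // expression rejected access" with no AclService activity.
    @Transactional(readOnly = true)
    @PostAuthorize("hasPermission(returnObject, 'read')")
    public Document getDocument(Long id) {
        // Constructed stand-in for the JPA lookup.
        return new Document(id, "document-" + id);
    }
}

// ---- DocumentRpc.java (GWT RemoteService interface, assumed) ----
package example;

import com.google.gwt.user.client.rpc.RemoteService;

public interface DocumentRpc extends RemoteService {
    Document getDocument(Long id);
}

// ---- DocumentRpcServlet.java (the GWT RPC endpoint) ----
package example;

import javax.servlet.ServletException;

import org.springframework.web.context.support.WebApplicationContextUtils;

import com.google.gwt.user.server.rpc.RemoteServiceServlet;

public class DocumentRpcServlet extends RemoteServiceServlet implements DocumentRpc {

    private DocumentService documentService;

    // Defect 1 from the first answer: the servlet container instantiates this
    // class, not Spring, so a @PostAuthorize placed on getDocument() here would
    // never be intercepted. Instead, fetch the proxied service bean from the
    // WebApplicationContext that ContextLoaderListener registered.
    @Override
    public void init() throws ServletException {
        super.init();
        documentService = WebApplicationContextUtils
                .getRequiredWebApplicationContext(getServletContext())
                .getBean("documentService", DocumentService.class);
    }

    @Override
    public Document getDocument(Long id) {
        // This call crosses the security proxy, so MethodSecurityInterceptor
        // runs and the ACL check is evaluated against the returned Document.
        return documentService.getDocument(id);
    }
}
```

With this arrangement the debug log should show the AclService being called (readAclById) from the PostAuthorize evaluation, and a denial will then come from the ACL decision rather than from a null domain object. A quick check that the proxy is actually in the path: log `documentService.getClass()` in init(); if it prints DocumentService rather than a JDK proxy or CGLIB-generated subclass, the bean was obtained outside the container and the annotation is still being bypassed.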