Spring Security - @Secured는 mvc 컨트롤러에서만 작동합니다.

Question

Spring Security + MVC를 사용하고 있습니다.
주석 @Secured({ "ROLE_ADMIN" })은 컨트롤러 레이어에서만 올바르게 작동합니다.
더 깊은/다른 레이어에서 사용하려고하면 보안 오류가 발생합니다.
"none mvc mapped"메서드에서 사용하려고하면 보안 오류가 발생합니다.
의 web.xml :

<?xml version="1.0" encoding="UTF-8"?> 
<web-app id="WebApp_ID" version="2.4" 
    xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> 
    <filter> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
    </filter> 
    <filter-mapping> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 
    <context-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value> 
     /WEB-INF/spring-security.xml 
     /WEB-INF/applicationContext.xml 
     </param-value> 
    </context-param> 
    <context-param> 
     <param-name>log4jConfigLocation</param-name> 
     <param-value>/WEB-INF/classes/log4j-myapp.properties</param-value> 
    </context-param> 
    <servlet> 
     <servlet-name>spring</servlet-name> 
     <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
     <load-on-startup>1</load-on-startup> 
    </servlet> 
    <servlet-mapping> 
     <servlet-name>spring</servlet-name> 
     <url-pattern>/Management/*</url-pattern> 
    </servlet-mapping> 
    <listener> 
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
    </listener> 
</web-app> 

봄-servlet.xml에

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" 
    xmlns:context="http://www.springframework.org/schema/context" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
     http://www.springframework.org/schema/context 
     http://www.springframework.org/schema/context/spring-context-3.0.xsd"> 

    <!-- Declare a view resolver --> 
    <bean id="viewResolver" 
    class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
    p:prefix="/WEB-INF/pages/" p:suffix=".jsp" /> 
    <context:component-scan base-package="com.affiliates" /> 

</beans> 

스프링 security.xml

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
      http://www.springframework.org/schema/security 

      http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 
    <security:global-method-security secured-annotations="enabled" /> 
    <security:http auto-config="true" use-expressions="true" 
     access-denied-page="/Management/auth/denied"> 

     <security:intercept-url pattern="/Management/auth/login" 
      access="permitAll" /> 
     <security:intercept-url pattern="/Management/main/admin" 
      access="hasRole('ROLE_EMPLOYEE')" /> 
     <security:intercept-url pattern="/Management/api/affiliates/**" 
      access="hasRole('ROLE_EMPLOYEE')" /> 

     <security:form-login login-page="/Management/auth/login/" 
      authentication-failure-url="/Management/auth/login?error=true" 
      login-processing-url="/Management/auth/j_spring_security_check" 
      default-target-url="/Management/auth/login?error=false" /> 
     <security:logout invalidate-session="true" 
      logout-success-url="/Management/auth/login/" logout-url="/Management/auth/logout" /> 
    </security:http> 

    <security:authentication-manager> 
     <security:authentication-provider 
      user-service-ref="customUserDetailsService"> 
      <security:password-encoder ref="passwordEncoder" /> 
     </security:authentication-provider> 
    </security:authentication-manager> 

    <bean 
     class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" 
     id="passwordEncoder" /> 
    <bean id="customUserDetailsService" class="com.affiliates.service.CustomUserDetailsService" /> 
</beans> 

,536,913,632 내 XML의 설정 파일 다음
10

MVC-dispacher-servlet.xml에

<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-2.5.xsd 
    http://www.springframework.org/schema/context 
    http://www.springframework.org/schema/context/spring-context-2.5.xsd"> 

    <context:component-scan base-package="com.affiliates.controllers" /> 

    <bean id="viewResolver" 
     class="org.springframework.web.servlet.view.InternalResourceViewResolver"> 
     <property name="prefix"> 
      <value>/WEB-INF/pages/</value> 
     </property> 
     <property name="suffix"> 
      <value>.jsp</value> 
     </property> 
    </bean> 
</beans> 

applocationContext.xml 여기

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" 
    xmlns:mvc="http://www.springframework.org/schema/mvc" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
      http://www.springframework.org/schema/context 
      http://www.springframework.org/schema/context/spring-context-3.0.xsd 
      http://www.springframework.org/schema/mvc 
      http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd"> 

    <!-- Activates various annotations to be detected in bean classes --> 
    <context:annotation-config /> 

    <!-- Scans the classpath for annotated components that will be auto-registered 
     as Spring beans. For example @Controller and @Service. Make sure to set the 
     correct base-package --> 
    <context:component-scan base-package="com.affiliates" /> 

    <!-- Configures the annotation-driven Spring MVC Controller programming 
     model. Note that, with Spring 3.0, this tag works in Servlet MVC only! --> 
    <mvc:annotation-driven /> 

</beans> 

이다 내가 사용 방법 보안되는 방법 :

@Component 
    public class BrandsApi{ 
    @Secured({ "ROLE_ADMIN" }) 
     public ResultContainer getAll() { 
      return brandDao.getAll(getSecurityFilter().getBrandSecurityFilter()); 
     } 
    } 
} 

발신자 :

안녕, 나는이 잘 작동됩니다 javaconfig 파일에 내 설정을 변환 한
:

@Controller 
@RequestMapping("/api/brands") 
public class BrandsController { 
@RequestMapping(value = "/get") 
    public ModelAndView get(){ 
     BrandsApi brandsApi = new BrandsApi(); 
     brandsApi.getAll(); 
} 
} 

그래서이 내 최신 업데이트입니다.
로딩 시간에 내 응용 프로그램을 디버깅하고 매개 변수가 전송 된 것을 확인합니다. 그것은

이 내가 메소드를 호출하는 방법이다 위에 나는 @Secured ({ "ROLE_ADMIN"})와 방법을 BrandsApi 내부

@Configuration 
public class SpringJavaConfig { 
    @Bean 
    public BrandsApi brandsApi(){ 
     return new BrandsApi(); 
    } 
} 

: 다음 brandsApi이
코드를 초기화되는 것을 의미
코드 :

ApplicationContext ctx = new AnnotationConfigApplicationContext(SpringJavaConfig.class); 
    BrandsApi brandsApi = (BrandsApi)ctx.getBean(BrandsApi.class); 
     brandsApi.getAll(); 

하지만 ROLE_EMPLOYEE
,691,363에 로그인 한 경우에도 몇 가지 이유로 내가 안으로 얻을 수 있습니다
코드 : (210)이 제 BrandsApi 클래스입니다

class BrandsApi extends BaseApi{ 
    @Secured({ "ROLE_ADMIN" }) 
    public void getAll() { 
     System.out.println("Hello"); 
    } 
} 

Answer 1

인스턴스가 스프링에 의해 생성 된 경우 주석에만 효과가있다. 이 클래스를 사용하려는 모든 클래스를 bean으로 변환하여 응용 프로그램 컨텍스트에 등록해야합니다.

이

Foo foo = context.getBean("foo", Foo.class); 
foo.foo(); // <-- annotatoon works here 

하지만 foo() 전화 this.foo2() 경우, 더 이상 아무 검사도 없다 : 당신이 내부 통화를 할 경우

또한 주석이 무시됩니다. 따라서 foo2()에 대한 모든 주석은 무시됩니다.