spring security2中对method进行拦截的配置

最新推荐文章于 2025-04-16 09:50:16 发布

symgdwyh

最新推荐文章于 2025-04-16 09:50:16 发布

阅读量4.2k

点赞数

CC 4.0 BY-SA版权

分类专栏： springsecurity 文章标签： spring security access bean service encoding

本文链接：https://blog.youkuaiyun.com/symgdwyh/article/details/4386214

springsecurity 专栏收录该内容

3 篇文章

订阅专栏

本文介绍了Spring Security2中对方法进行拦截的三种配置方式：1) 使用@Secured注解配合<global-method-security secured-annotations="enabled"/>；2) 通过<protect-pointcut>指定拦截类和方法；3) 在bean定义中使用<intercept-methods>直接拦截。详细配置代码和示例给出。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

1、配置web.xml文件：

<context-param> <param-name>contextConfigLocation</param-name> <param-value>/WEB-INF/spring-security.xml</param-value> </context-param>  <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>  <listener> <listener-class> org.springframework.web.context.ContextLoaderListener </listener-class> </listener>

2、配置spring-security.xml（该文件名字与web.xml中的<context-param />中的相对应）：

method拦截有三种配置方式：

第一种方式是在java代码添加注释@Secured({"ROLE_SUPER"})、在spring-security.xml中添加<global-method-security secured-annotations="enabled"></global-method-security>，具体配置如下：

spring-security.xml

@Secured({"ROLE_SUPER"})注释中Secured是注释的名称，括号中是可以访问该方法的角色，用大括号括起来，多个角色用分号分割。可以加在service中也可以加在dao中，可以加在接口中也可以加在接口的实现中，此处是加在service接口的实现中。

CategoryServiceImpl.java

package com.king.springsecurity.service.impl; import java.util.List; import org.springframework.security.annotation.Secured; import com.king.springsecurity.dao.ICategoryDao; import com.king.springsecurity.dao.impl.CategoryDaoImpl; import com.king.springsecurity.model.Category; import com.king.springsecurity.service.ICategoryService; public class CategoryServiceImpl implements ICategoryService { private ICategoryDao categoryDao = new CategoryDaoImpl(); @Override public void addCategory(Category category) { // TODO Auto-generated method stub categoryDao.saveCateogry(category); } @Override @Secured({"ROLE_SUPER"}) public void deleteCategoryById(long id) { // TODO Auto-generated method stub categoryDao.deleteCategoryById(id); } @Override public Category getCategoryById(long id) { // TODO Auto-generated method stub return categoryDao.getCategoryById(id); } @Override @Secured({"ROLE_ADMIN"}) public List<Category> listCategory() { // TODO Auto-generated method stub return categoryDao.getAllCategory(); } public void setCategoryDao(ICategoryDao categoryDao) { this.categoryDao = categoryDao; } }

第二种方法是不需要在代码中添加注释，只需在spring-security.xml中添加pointcut，利用表达式和通配符指定要拦截的类及方法：

spring-security.xml

第三种方法是直接在要拦截的bean定义中添加<intercept-methods />对指定方法进行拦截，可以使用通配符：

<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"> <beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <beans:property name="driverClassName"> <beans:value>com.mysql.jdbc.Driver</beans:value> </beans:property> <beans:property name="url"> <beans:value> jdbc:mysql://localhost:3306/springsecurity </beans:value> </beans:property> <beans:property name="username"> <beans:value>root</beans:value> </beans:property> <beans:property name="password"> <beans:value>root</beans:value> </beans:property> </beans:bean> <beans:bean id="sessionFactory" class="org.springframework.orm.hibernate3.LocalSessionFactoryBean" destroy-method="destroy"> <beans:property name="dataSource"> <beans:ref bean="dataSource" /> </beans:property>    <beans:property name="mappingDirectoryLocations"> <beans:list> <beans:value> classpath:com/king/springsecurity/model </beans:value> </beans:list> </beans:property> <beans:property name="hibernateProperties"> <beans:props> <beans:prop key="hibernate.dialect"> org.hibernate.dialect.MySQLDialect </beans:prop> </beans:props> </beans:property> </beans:bean> <beans:bean id="categoryDao" class="com.king.springsecurity.dao.impl.CategoryDaoImpl"> <beans:property name="sessionFactory"> <beans:ref bean="sessionFactory" /> </beans:property> </beans:bean> <beans:bean id="categoryService" class="com.king.springsecurity.service.impl.CategoryServiceImpl"> <intercept-methods> <protect method="delete*" access="ROLE_USER" /> <protect method="list*" access="ROLE_ADMIN" /> </intercept-methods> <beans:property name="categoryDao"> <beans:ref bean="categoryDao" /> </beans:property> </beans:bean> <beans:bean name="/category" class="com.king.springsecurity.action.CategoryAction"> <beans:property name="categoryService"> <beans:ref bean="categoryService" /> </beans:property> </beans:bean> <http auto-config="true">  <intercept-url pattern="/login.jsp" filters="none" />   <intercept-url pattern="/a/*" access="ROLE_A" /> <intercept-url pattern="/a/aa/*" access="ROLE_AA" /> <intercept-url pattern="/b/*" access="ROLE_B" /> <intercept-url pattern="/b/bb/*" access="ROLE_BB" />  <form-login login-page="/login.jsp" />  <logout logout-success-url="/index.jsp"></logout>  <concurrent-session-control max-sessions="1" /> </http>  <authentication-provider> <password-encoder hash="plaintext"></password-encoder> <user-service> <user password="serviceimpl" name="serviceimpl" authorities="ROLE_SERVICEIMPL" /> <user password="service" name="service" authorities="ROLE_SERVICE" /> <user password="daoimpl" name="daoimpl" authorities="ROLE_DAOIMPL" /> <user password="dao" name="dao" authorities="ROLE_DAO" /> <user password="super" name="super" authorities="ROLE_SUPER,ROLE_ADMIN,ROLE_USER,ROLE_A,ROLE_B,ROLE_AA,ROLE_BB" /> <user password="admin" name="admin" authorities="ROLE_ADMIN,ROLE_USER,ROLE_A,ROLE_B,ROLE_AA,ROLE_BB" /> <user password="user" name="user" authorities="ROLE_USER,ROLE_A,ROLE_B,ROLE_AA,ROLE_BB" /> <user password="a" name="a" authorities="ROLE_A" /> <user password="b" name="b" authorities="ROLE_B" /> <user password="aa" name="aa" authorities="ROLE_AA" /> <user password="bb" name="bb" authorities="ROLE_BB" /> </user-service> </authentication-provider> </beans:beans>

注意：三种方法都需要在spring-security.xml中保留<http auto-config="true">...</http>，否则会出现找不到springSecurityFilterChain的错误。