I have implemented Spring Security in a controller method.
Below is my spring security.xml:
<!-- URL pattern based security -->
<security:http auto-config="false" entry-point-ref="authenticationEntryPoint"
               use-expressions="true">
    <!-- custom-filter is in the security namespace like its siblings -->
    <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
    <security:intercept-url access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" pattern="/common/admin/**" />
    <security:intercept-url pattern="/common/accounting/**" access="hasRole('ROLE_USER')" />
    <security:logout logout-url="/j_spring_security_logout" invalidate-session="true" logout-success-url="/login"/>
</security:http>
Below is my controller:
@Secured({"ROLE_ADMIN"})
@RequestMapping(value = "/common/admin/addAdmin", method = RequestMethod.GET)
public String add(ModelMap map) {
    map.addAttribute(new Administrator());
    return "/common/admin/addAdmin";
}

@Secured({"ROLE_ADMIN"})
@RequestMapping(value = "/common/admin/addAdmin", method = RequestMethod.POST)
public String processadd(
        @ModelAttribute("administrator") Administrator administrator) {
    this.administratorManager.addAdmin(administrator);
    return "/common/admin/success";
}
I allow the URL /common/admin/** for both the admin and the user role, but I do some restriction in the admin controller. When a user with the user role goes into /common/admin/*, he can, but he can also go into a method that is meant for the admin role only.
How can I solve it?
Thanks!
Check this FAQ. Make sure the global-method-security element is in the web context file if you want to apply security to Spring MVC controllers. Also, you may need to enable class proxying, using
if your controller implements an interface and the method you are securing is not part of that interface (you'll also need cglib as an additional dependency in your app for this).
If you want to use annotations, better put the following in servlet.xml. There is no point in enabling the annotations in spring-security.xml, as it will not take any effect.
Putting the above in servlet.xml will do the trick.
I believe you could have multiple roles defined with the @Secured annotation. Is this what you need?
If this is the case, try @RolesAllowed.
You already have added the @Secured annotation. But you need to enable it:
@Secured can take a single role or several roles:
@Secured("ROLE_USER")
@Secured({"ROLE_USER", "ROLE_ADMIN"}) // grant access if the user has one of these roles
BTW: From the Spring Security 3 Book (http://www.springsecuritybook.com/):
(do not forget to enable it: jsr250-annotations="enabled")
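The point the answers above share is that the @Secured annotations on the controller are never enforced until method security is switched on in the context that creates the controller beans. Below is an added example of such a DispatcherServlet context file, not taken from the question or any of the answers; the file name servlet-context.xml and the package com.example.web are assumptions.

```xml
<!-- servlet-context.xml (assumed name): the DispatcherServlet context that creates
     the @Controller beans. Method security must be declared HERE, because the
     post-processor that wraps @Secured beans in an authorization proxy only sees
     beans defined in its own application context. A global-method-security element
     placed only in the root security.xml leaves the controllers un-proxied, so a
     ROLE_USER that passes the /common/admin/** intercept-url reaches the
     @Secured({"ROLE_ADMIN"}) methods unchecked. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context.xsd
           http://www.springframework.org/schema/mvc
           http://www.springframework.org/schema/mvc/spring-mvc.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">

    <mvc:annotation-driven />

    <!-- Assumed package: wherever the controller from the question lives. -->
    <context:component-scan base-package="com.example.web" />

    <!-- Enables @Secured (secured-annotations) and @RolesAllowed
         (jsr250-annotations) on beans of THIS context. proxy-target-class="true"
         makes Spring use CGLIB subclass proxies, so @Secured is honoured even when
         the secured method is not declared on an interface the controller
         implements (cglib must be on the classpath for Spring 3). -->
    <security:global-method-security
        secured-annotations="enabled"
        jsr250-annotations="enabled"
        proxy-target-class="true" />

</beans>
```

Once this is in place, a ROLE_USER request to /common/admin/addAdmin still passes the intercept-url check but is rejected by the method proxy with an AccessDeniedException, which the security filter chain turns into a 403 (or the configured access-denied page). A quick check that the proxy is active is to log the controller bean's runtime class at startup: it should be a CGLIB-generated subclass, not the plain controller class.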