Java:Spring security 3角色层次结构
问题描述:
我正在使用Spring框架mvc 3 + spring security 3. 我想在我的spring安全中启用角色层次结构。 据http://static.springsource.org/spring-security/site/docs/3.1.x/reference/authz-arch.html我应该写Java:Spring security 3角色层次结构
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
<constructor-arg ref="roleHierarchy" />
</bean>
<bean id="roleHierarchy"
class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
ROLE_ADMIN > ROLE_STAFF
ROLE_STAFF > ROLE_USER
ROLE_USER > ROLE_GUEST
</property>
</bean>
但我应该在哪里放呢?我试图把它变成我的应用程序-security.xml文件:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http>
<intercept-url pattern="/entryPost/**" access="ROLE_USER" requires-channel="https"/>
<intercept-url pattern="/entryDelete/**" access="ROLE_ADMIN" requires-channel="https"/>
<intercept-url pattern="/commentDelete/**" access="ROLE_ADMIN" requires-channel="https"/>
<intercept-url pattern="/login" access="ROLE_ANONYMOUS" requires-channel="https"/>
<form-login login-page="/login" default-target-url="/entryList/1" authentication-failure-url="/login?error=true" />
<logout logout-success-url="/login" />
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
<access-denied-handler error-page="/accessDenied"/>
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT username,password,'true' as enabled FROM member WHERE username=?"
authorities-by-username-query="SELECT member.username,role FROM member,memberRole WHERE member.username=? AND member.id=memberRole.member_id"/>
</authentication-provider>
</authentication-manager>
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
<constructor-arg ref="roleHierarchy" />
</bean>
<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
ROLE_ADMIN > ROLE_STAFF
ROLE_STAFF > ROLE_USER
ROLE_USER > ROLE_GUEST
</property>
</bean>
但它不工作:HTTP状态404
当我把它变成APP-servlet.xml中:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
<context:component-scan base-package="rus.web"/>
<bean id="entryValidator" class="rus.domain.EntryValidator"/>
<bean id="commentValidator" class="rus.domain.CommentValidator"/>
<mvc:annotation-driven/>
<mvc:resources mapping="/resources/**" location="/resources/"/>
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsp/"/>
<property name="suffix" value=".jsp"/>
</bean>
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="messages"/>
</bean>
<!--<bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
<property name="defaultErrorView" value="error"/>
</bean> -->
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
<constructor-arg ref="roleHierarchy" />
</bean>
<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
ROLE_ADMIN > ROLE_STAFF
ROLE_STAFF > ROLE_USER
ROLE_USER > ROLE_GUEST
</property>
</bean>
</beans>
它抛出异常:
org.springfram ework.beans.factory.xml.XmlBeanDefinitionStoreException:来自ServletContext资源的XML文档中的第35行[/WEB-INF/rus-servlet.xml]无效;嵌套的异常是org.xml.sax.SAXParseException:cvc-complex-type.2.3:元素的'属性'不能包含字符[子],因为该类型的内容类型仅为元素。
org.xml.sax.SAXParseException:cvc-complex-type.2.3:元素的'属性'不能包含character [children],因为该类型的内容类型是仅包含元素的。
我该怎么办才能解决这个问题?
答
的文件是错误的,这是无效的:
<property name="hierarchy">
ROLE_ADMIN > ROLE_STAFF
ROLE_STAFF > ROLE_USER
ROLE_USER > ROLE_GUEST
</property>
您需要包装内<value>内容:
<property name="hierarchy">
<value>
ROLE_ADMIN > ROLE_STAFF
ROLE_STAFF > ROLE_USER
ROLE_USER > ROLE_GUEST
</value>
</property>
我建议在SpringSource JIRA提交的问题,要求他们修复文档。
+2
好吧,它帮助,但不是那么多...当我尝试与ROLE_ADMIN去到页面条目邮政/(访问=“ROLE_USER”)它说:“访问被拒绝”。为什么这样? – Twisty
我有同样的问题。我按照这里的说明解决了问题:http://*.com/questions/7809313/accessdeniedexception-if-using-rolehierarchyimpl – 2012-08-14 06:13:01