[Security]Method-Level Security(I)-@PreAuthorize的使用

DAY 26

無痛學習SpringMVC與Spring Security系列第 26 篇

鐵人賽 preauthorize

2014-10-25 07:35:33

5349 瀏覽

之前對於網頁的安全保護僅只於URL所對應的頁面，書中的術語稱作Page-Level Authorization，但URL Security Rule仍有漏洞，如在http.authorizeRequests()未考慮所有URL的存取權限或是使用者要求的資訊是data等web service，如JSON格式的資料，在之前的安全規則要存取"/DCN"必須通過驗證，但如果我們在網址列直接打入http://localhost:8080/SpringMVC/dcn.json，畫面如下，結果竟然不需驗證就可以得到JSON格式的資料

.antMatchers("/dcn/**") //對象為所有網址
.authenticated() //存取必須通過驗證

根本之道為在Service層加入Security Rules，也就是今天要分享的@PreAuthorize Annotation，@PreAuthorize是宣告於Method之上，參數為允許存取的條件，通常宣告於介面上，這樣相關的實作也會套用其規則，針對"/DCN"，追溯到DAO，其實是List<DCN> findAll()，故修改DCNRepository介面code如下。

public interface DCNRepository{
	void save(DCN dcn);
	
	@PreAuthorize("hasRole('ROLE_USER')")
	List<DCN> findAll();
	DCN findByNo(String dcnNo);
	DCN findByNoAndRev(String dcnNo, Integer rev);
}

接著我們需要Enable Method Security，在故要在SecurityConfig中加入@EnableGlobalMethodSecurity(prePostEnabled=true)並宣告DCNRepository bean，修改後的SecurityConfig如下

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
	
	......

	@Bean
	public DCNRepository dcnRepository(){
		return new DCNRepositoryImp();
	}
}

啟動Server，在網址列打入http://localhost:8080/SpringMVC/dcn.json，則會要求登入，因為產生MethodSecurityInterceptor丟出例外，Console log如下，顯示存取被拒:

07:32:00 [http-nio-8080-exec-7] DispatcherServlet - DispatcherServlet with name 'dispatcher' processing GET request for [/SpringMVC/dcn.json]
07:32:00 [http-nio-8080-exec-7] RequestMappingHandlerMapping - Looking up handler method for path /dcn.json
07:32:00 [http-nio-8080-exec-7] RequestMappingHandlerMapping - Returning handler method [public java.lang.String tw.blogger.springtech.springmvc.controller.DCNController.DCNList(org.springframework.ui.Model)]
07:32:00 [http-nio-8080-exec-7] DispatcherServlet - Last-Modified value for [/SpringMVC/dcn.json] is: -1
07:32:00 [http-nio-8080-exec-7] MonitorInterceptor - Accessing URL Path:/SpringMVC/dcn.json
07:32:00 [http-nio-8080-exec-7] MonitorInterceptor - Request processing started on:10/25/2014 at 07:32:00
07:32:00 [http-nio-8080-exec-7] ExceptionHandlerExceptionResolver - Resolving exception from handler [public java.lang.String tw.blogger.springtech.springmvc.controller.DCNController.DCNList(org.springframework.ui.Model)]: org.springframework.security.access.AccessDeniedException: Access is denied
07:32:00 [http-nio-8080-exec-7] ResponseStatusExceptionResolver - Resolving exception from handler [public java.lang.String tw.blogger.springtech.springmvc.controller.DCNController.DCNList(org.springframework.ui.Model)]: org.springframework.security.access.AccessDeniedException: Access is denied
07:32:00 [http-nio-8080-exec-7] DefaultHandlerExceptionResolver - Resolving exception from handler [public java.lang.String tw.blogger.springtech.springmvc.controller.DCNController.DCNList(org.springframework.ui.Model)]: org.springframework.security.access.AccessDeniedException: Access is denied
07:32:00 [http-nio-8080-exec-7] MonitorInterceptor - Total time taken for processing164 ms
07:32:00 [http-nio-8080-exec-7] MonitorInterceptor - ========================================
07:32:00 [http-nio-8080-exec-7] DispatcherServlet - Could not complete request
org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:60)

明天繼續