Java: Spring security 3 role hierarchy

I am using Spring Framework MVC 3 + Spring Security 3. I would like to include a role hierarchy in my Spring Security. According to http://static.springsource.org/spring-security/site/docs/3.1.x/reference/authz-arch.html, I have to write:

    <bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
        <constructor-arg ref="roleHierarchy" />
    </bean>
    <bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <property name="hierarchy">
            ROLE_ADMIN > ROLE_STAFF
            ROLE_STAFF > ROLE_USER
            ROLE_USER > ROLE_GUEST
        </property>
    </bean>

But where should I put it? I tried putting it in my app-security.xml:

    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans
                     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                     http://www.springframework.org/schema/security
                     http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <http>
            <intercept-url pattern="/entryPost/**" access="ROLE_USER" requires-channel="https"/>
            <intercept-url pattern="/entryDelete/**" access="ROLE_ADMIN" requires-channel="https"/>
            <intercept-url pattern="/commentDelete/**" access="ROLE_ADMIN" requires-channel="https"/>
            <intercept-url pattern="/login" access="ROLE_ANONYMOUS" requires-channel="https"/>
            <form-login login-page="/login" default-target-url="/entryList/1" authentication-failure-url="/login?error=true" />
            <logout logout-success-url="/login" />
            <session-management>
                <concurrency-control max-sessions="1" />
            </session-management>
            <access-denied-handler error-page="/accessDenied"/>
        </http>

        <authentication-manager>
            <authentication-provider>
                <jdbc-user-service data-source-ref="dataSource"
                    users-by-username-query="SELECT username,password,'true' as enabled FROM member WHERE username=?"
                    authorities-by-username-query="SELECT member.username,role FROM member,memberRole WHERE member.username=? AND member.id=memberRole.member_id"/>
            </authentication-provider>
        </authentication-manager>

        <bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
            <constructor-arg ref="roleHierarchy" />
        </bean>
        <bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
            <property name="hierarchy">
                ROLE_ADMIN > ROLE_STAFF
                ROLE_STAFF > ROLE_USER
                ROLE_USER > ROLE_GUEST
            </property>
        </bean>

But this does not work: HTTP Status 404.

When I put it in app-servlet.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:mvc="http://www.springframework.org/schema/mvc"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:context="http://www.springframework.org/schema/context"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
               http://www.springframework.org/schema/context
               http://www.springframework.org/schema/context/spring-context-3.0.xsd
               http://www.springframework.org/schema/mvc
               http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">

        <context:component-scan base-package="rus.web"/>
        <bean id="entryValidator" class="rus.domain.EntryValidator"/>
        <bean id="commentValidator" class="rus.domain.CommentValidator"/>
        <mvc:annotation-driven/>
        <mvc:resources mapping="/resources/**" location="/resources/"/>

        <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
            <property name="prefix" value="/WEB-INF/jsp/"/>
            <property name="suffix" value=".jsp"/>
        </bean>
        <bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
            <property name="basename" value="messages"/>
        </bean>
        <!--<bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
            <property name="defaultErrorView" value="error"/>
        </bean> -->

        <bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
            <constructor-arg ref="roleHierarchy" />
        </bean>
        <bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
            <property name="hierarchy">
                ROLE_ADMIN > ROLE_STAFF
                ROLE_STAFF > ROLE_USER
                ROLE_USER > ROLE_GUEST
            </property>
        </bean>
    </beans>

It throws an exception:

    org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 35 in XML document from ServletContext resource [/WEB-INF/rus-servlet.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.3: Element 'property' cannot have character [children], because the type's content type is element-only.

    org.xml.sax.SAXParseException: cvc-complex-type.2.3: Element 'property' cannot have character [children], because the type's content type is element-only.

What should I do to solve this problem?

+6
1 answer

The documentation is wrong; this is wrong:

    <property name="hierarchy">
        ROLE_ADMIN > ROLE_STAFF
        ROLE_STAFF > ROLE_USER
        ROLE_USER > ROLE_GUEST
    </property>

You need to wrap the contents inside a <value> element:

    <property name="hierarchy">
        <value>
            ROLE_ADMIN > ROLE_STAFF
            ROLE_STAFF > ROLE_USER
            ROLE_USER > ROLE_GUEST
        </value>
    </property>

I suggest filing an issue in the SpringSource JIRA, asking them to fix the documentation.

+6
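One way to make the corrected hierarchy take effect on the URL rules, as an added example that is not part of the original answer: the namespace `<http>` element builds its own access decision manager, so a `roleVoter` bean is consulted only when the decision manager referenced by `<http>` lists it. The bean id `accessDecisionManager` is a name chosen for this example; the fragment assumes it sits in the question's app-security.xml (security schema as default namespace, so plain beans carry the `beans:` prefix) and uses the `decisionVoters` setter of Spring Security 3.0/3.1.

```xml
<!-- Added example: fragment for app-security.xml, placed inside <beans:beans>. -->
<http access-decision-manager-ref="accessDecisionManager">
    <intercept-url pattern="/entryPost/**" access="ROLE_USER" requires-channel="https"/>
    <intercept-url pattern="/entryDelete/**" access="ROLE_ADMIN" requires-channel="https"/>
    <intercept-url pattern="/commentDelete/**" access="ROLE_ADMIN" requires-channel="https"/>
    <intercept-url pattern="/login" access="ROLE_ANONYMOUS" requires-channel="https"/>
    <form-login login-page="/login" default-target-url="/entryList/1"
                authentication-failure-url="/login?error=true"/>
    <logout logout-success-url="/login"/>
    <session-management>
        <concurrency-control max-sessions="1"/>
    </session-management>
    <access-denied-handler error-page="/accessDenied"/>
</http>

<!-- "accessDecisionManager" is an assumed bean id, not one from the question. -->
<beans:bean id="accessDecisionManager"
            class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <!-- RoleHierarchyVoter extends RoleVoter, so it handles every ROLE_ attribute above. -->
            <beans:ref bean="roleVoter"/>
        </beans:list>
    </beans:property>
</beans:bean>

<beans:bean id="roleVoter"
            class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <beans:constructor-arg ref="roleHierarchy"/>
</beans:bean>

<beans:bean id="roleHierarchy"
            class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <!-- The text must be wrapped in <value>; one relation per line. -->
        <beans:value>
            ROLE_ADMIN > ROLE_STAFF
            ROLE_STAFF > ROLE_USER
            ROLE_USER > ROLE_GUEST
        </beans:value>
    </beans:property>
</beans:bean>
```

With this wiring a user whose only stored authority is ROLE_ADMIN passes the ROLE_USER rule on /entryPost/**, because the voter expands ROLE_ADMIN to ROLE_STAFF, ROLE_USER and ROLE_GUEST before comparing.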

Source: https://habr.com/ru/post/895891/