Spring Security Reading Notes -- Using Security Annotations

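I have always used XML configuration for method-level access control. I tried adding @Secured to the manager's methods and could not get it to work no matter what I tried. Then I suddenly realized I had forgotten to enable annotations, so I am writing it down.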

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

	<http auto-config="true" lowercase-comparisons="false">
		<!--
			<intercept-url pattern="/**/*.html*" access="ROLE_ADMIN,ROLE_USER"/>
		-->
		<intercept-url pattern="/**/*.htm" access="ROLE_USER,ROLE_ADMIN" />
		<intercept-url pattern="/WEB-INF/jsp/*.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
		<form-login login-page="/login.jsp"
			authentication-failure-url="/login.jsp?error=true"
			login-processing-url="/j_security_check" />
		<logout logout-url="/logout.jsp" invalidate-session="true" />
		<remember-me key="e37f4b31-0c45-11dd-bd0b-0800200c9a66" />
	</http>
	<!--
		<authentication-provider> <password-encoder hash="sha" />
		<user-service> <user name="user"
		password="12dea96fec20593566ab75692c9949596833adc9"
		authorities="ROLE_USER" /> <user name="admin"
		password="d033e22ae348aeb5660fc2140aec35850c4da997"
		authorities="ROLE_ADMIN" /> </user-service> </authentication-provider>
	-->
	<authentication-provider user-service-ref="userDetailService">
		<password-encoder ref="passwordEncoder" />
	</authentication-provider>

	<!-- Global method security: annotation support is enabled here -->
	<global-method-security secured-annotations="enabled"
		jsr250-annotations="enabled">
		<protect-pointcut
			expression="execution(* *..service.UserManager.removeUser(..))"
			access="ROLE_ADMIN" />
	</global-method-security>


</beans:beans>

The part in red is it. It drove me mad.

Usage

Single role: @Secured({"ROLE_USER"})

Multiple roles: @Secured({"ROLE_USER", "ROLE_ADMIN"})

I don't know whether cascading (hierarchical) roles are supported.

 

	@Secured({"ROLE_ADMIN"})
	public void saveUser(User user) throws Exception {

		if (user.getVersion() == null) {
			// if new user, lowercase the username
			user.setUsername(user.getUsername().toLowerCase());
		}
		// ... the rest of the method is not shown in the original post
	}
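A configuration check for the failure described above, as an added example that is not part of the original post: it parses a Spring Security namespace config and reports `@Secured` / `@RolesAllowed` annotations that stay inert because `<global-method-security>` does not enable them. The two configs and the `UserManagerImpl.java` source are constructed samples, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
# Annotation name -> attribute of <global-method-security> that turns it on.
SWITCH = {"Secured": "secured-annotations", "RolesAllowed": "jsr250-annotations"}
ANNOTATION = re.compile(r"@(Secured|RolesAllowed)\b")

def enabled_switches(config_xml):
    """Return the set of annotation switches set to "enabled" in the config."""
    root = ET.fromstring(config_xml)
    found = set()
    for gms in root.iter("{%s}global-method-security" % SEC_NS):
        for attr in SWITCH.values():
            if gms.get(attr) == "enabled":
                found.add(attr)
    return found

def unenforced_annotations(config_xml, java_sources):
    """List (file, line, annotation) for annotations the config leaves inert.

    Plain text scan: an annotation inside a Java comment is reported too.
    """
    on = enabled_switches(config_xml)
    findings = []
    for name, text in sorted(java_sources.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in ANNOTATION.finditer(line):
                if SWITCH[m.group(1)] not in on:
                    findings.append((name, lineno, "@" + m.group(1)))
    return findings

# Constructed samples (not from the post): one config without and with the element.
TEMPLATE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true"/>
  %s
</beans:beans>"""
BEFORE = TEMPLATE % ""
AFTER = TEMPLATE % ('<global-method-security secured-annotations="enabled" '
                    'jsr250-annotations="enabled"/>')
SOURCES = {"UserManagerImpl.java": """public class UserManagerImpl {
    @Secured({"ROLE_ADMIN"})
    public void saveUser(User user) throws Exception { }
}"""}

if __name__ == "__main__":
    print("before:", unenforced_annotations(BEFORE, SOURCES))
    print("after: ", unenforced_annotations(AFTER, SOURCES))
```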
 
