Question
I have the following classes

    public abstract class BaseController {

        @RequestMapping("/m")
        public String m() {
            ...
        }

        @RequestMapping("/n")
        public String n() {
            ...
        }
    }

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @RequestMapping("/a")
    public class ACotroller extends BaseController {

        @PreAuthorize("hasRole('ROLE_ADMIN')")
        @Override
        public String m() {
            return super.m();
        }
    }

@PreAuthorize gets applied for m, but not for n, though it should, as @PreAuthorize is specified at the class level. Or did I miss something?
Answer 1:
If you think a bit more on this, @PreAuthorize not working on your parent overridden method makes perfect sense. You have this annotation for the whole class and it is applied to all of its public methods and in this case ACotroller.m(). According to Spring your method has been validated. The same way you can call within m() not super.m(), but a method defined in some other bean. Having @PreAuthorize doesn't mean that calls from your method should be also validated. In order to understand how this works in detail you can see the PrePostAnnotationSecurityMetadataSource.getAttributes() method.
Now to answer your question - you must annotate the base controller class with @PreAuthorize to have its methods secured.
Source: https://stackoverflow.com/questions/21976897/preauthorize-on-child-class
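
An added example, not part of the original question or answer: a reflection audit that lists the request handlers a controller exposes, inherited ones included, that have no applicable @PreAuthorize. The nested annotations are stand-ins for Spring's so it runs on a bare JDK, the controllers are constructed from the question, and the lookup order in isGuarded (the method, then the class that declares it) is an assumption consistent with the behaviour the question reports.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;
public class PreAuthorizeAudit {
    // Stand-ins for the Spring annotations so this runs on a bare JDK (assumption).
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface PreAuthorize { String value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RequestMapping { String value(); }
    // Constructed controllers mirroring the question (method bodies are placeholders).
    static abstract class BaseController {
        @RequestMapping("/m") public String m() { return "m"; }
        @RequestMapping("/n") public String n() { return "n"; }
    }
    @PreAuthorize("hasRole('ROLE_ADMIN')") @RequestMapping("/a")
    static class ACotroller extends BaseController {
        @PreAuthorize("hasRole('ROLE_ADMIN')") @Override
        public String m() { return super.m(); }
    }

    // Assumed lookup order: the method itself, then the class that declares it.
    static boolean isGuarded(Method m) {
        return m.isAnnotationPresent(PreAuthorize.class)
            || m.getDeclaringClass().isAnnotationPresent(PreAuthorize.class);
    }

    // A method is a handler if it, or a method it overrides, carries @RequestMapping.
    static boolean isMapped(Method m) {
        for (Class<?> c = m.getDeclaringClass(); c != null; c = c.getSuperclass()) {
            try {
                if (c.getDeclaredMethod(m.getName(), m.getParameterTypes())
                        .isAnnotationPresent(RequestMapping.class)) return true;
            } catch (NoSuchMethodException ignored) { /* not declared at this level */ }
        }
        return false;
    }

    // Public handlers reachable through the controller that no @PreAuthorize covers.
    static Set<String> unguardedHandlers(Class<?> controller) {
        Set<String> findings = new TreeSet<>();
        for (Method m : controller.getMethods())
            if (!m.isBridge() && isMapped(m) && !isGuarded(m))
                findings.add(m.getDeclaringClass().getSimpleName() + "." + m.getName() + "()");
        return findings;
    }

    public static void main(String[] args) {
        System.out.println("Unguarded handlers: " + unguardedHandlers(ACotroller.class));
    }
}
```

In a real project, swap the stand-in annotations for the Spring types and run the check over every controller class as a build-time test.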