<global-method-security pre-post-annotations="enabled"/> <http use-expressions="true">
<intercept-url pattern="/secure/**" access="isAuthenticated()" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login />
<logout />
<remember-me />
</http> 上面是xml配置,访问网站,先要登录才能进去,
现在有2个用户用户
A ---- ROLE_USER
B ---- ROLE_TELLER
刚进网页时,我用A登录,点某个链接进入controller,然后在controller里面访问service 的 mm方法
@PreAuthorize("hasRole('ROLE_TELLER')")
public void mm(){
System.out.println(1111);
}在这个方法上面我加了 注解,按理说应该提示A不能访问啊,为什么现在的情况是A可以访问呢? @PreAuthorize("hasRole('ROLE_TELLER')")这个好像没有效啊,这是为什么呢?
<security:global-method-security pre-post-annotations="enabled" />
in ...-servlet.xml.
It also requires CGLIB proxies, so either your controllers shouldn't have interfaces, or you should use proxy-target-class = true.http://stackoverflow.com/questions/3087548/can-spring-security-use-preauthorize-on-spring-controllers-methods