在我的春季项目中,我最近向我的jsp页面添加了这个标记:
<sec:authorize access="hasPermission(#user, 'altera_usuario')">
col.append('<button type="button" class="btn btn-sm btn-primary link" data-action="${alteracao}/'+item.id+'">Editar</button>');
</sec:authorize>
<sec:authorize access="hasPermission(#user, 'remove_usuario')">
col.append('<button type="button" class="btn btn-sm btn-primary link" data-action="${remocao}/'+item.id+'">Remover</button>');
</sec:authorize>
允许我控制显示给用户的内容。但是eclipse显示了一个与这个标签相关的错误(它们用红色下划线标记),这并不妨碍项目的构建。当我运行项目并打开页面时,标签内的元素没有显示,尽管用户有权限。
有人知道这里出了什么问题吗?
p。:本页的完整代码:
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ include file="../../include/include.jsp" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Lista de usuários</title>
</head>
<body>
<c:url value="/usuario/cadastra" var="cadastro"/>
<c:url value="/usuario/altera" var="alteracao"/>
<c:url value="/usuario/remove" var="remocao"/>
<c:url value="/permissao/altera" var="permissao"/>
<p>
<sec:authorize access="hasPermission(#user, 'cadastra_usuario')">
<button type="button" class="btn btn-sm btn-link link" data-action="${cadastro}">
cadastrar novo usuário
</button>
</sec:authorize>
</p>
<table class="bordered">
<thead>
<tr>
<th>#</th>
<th>Login</th>
<th>Nome</th>
<th>Sobrenome</th>
<th>E-Mail</th>
<th>#</th>
</tr>
</thead>
<tbody class="content">
</tbody>
</table>
<c:url value="/usuario/listagem.json" var="lista"/>
<script>
$(document).ready(function(){
var url = "<c:out value="${lista}"/>";
$.get(url, function(data){
var json = jQuery.parseJSON( data );
$.each(json.usuario, function(index, item){
var row = $('<tr id=user'+item.id+'>');
row.append('<td>'+item.id+'</td>');
row.append('<td>'+item.login+'</td>');
row.append('<td>'+item.pnome+'</td>');
row.append('<td>'+item.unome+'</td>');
row.append('<td>'+item.email+'</td>');
var col = $('<td>');
<sec:authorize access="hasPermission(#user, 'altera_usuario')">
col.append('<button type="button" class="btn btn-sm btn-primary link" data-action="${alteracao}/'+item.id+'">Editar</button>');
</sec:authorize>
<sec:authorize access="hasPermission(#user, 'remove_usuario')">
col.append('<button type="button" class="btn btn-sm btn-primary link" data-action="${remocao}/'+item.id+'">Remover</button>');
</sec:authorize>
col.append('<button type="button" class="btn btn-sm btn-primary link" data-action="${permissao}/'+item.id+'">Permissões</button>');
row.append(col);
$('tbody.content').append(row);
});
});
});
</script>
</body>
</html>
根据错误消息使用<sec:authorize access="hasPermission(...)"> (DenyAllPermissionEvaluator是Spring Security的默认实现)时,您的PermissionEvaluator实现未被调用。
在Spring Security配置中尝试以下设置:
<http use-expressions="true" ...>
<expression-handler ref="webExpressionHandler"/>
...
</http>
<beans:bean id="webExpressionHandler"
class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="permissionEvaluator" />
</beans:bean>
<beans:bean id="permissionEvaluator" class="your.PermissionEvaluator" />