我正在编写自己的Spring安全性PermissionEvaluator,而我要尝试做的一件事情就是弄清楚它所保护的方法的名称。
例如,如果没有图片中的方法名称,我将具有以下内容:
postAuthorize("hasPermission(returnObject,'read')")
Event getEvent(int evendId) {
...
}
和
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
if(targetDomainObject instanceof Event) {
return hasPermission(authentication, targetDomainObject, permission);
}
return targetDomainObject == null;
}
但是我还需要方法名称“ getEvent”可用于hasPermission。我可以通过在hasPermission调用中手动传递它来完成此操作,如下所示:
@PostAuthorize("hasPermission(new com.example.AuthZObject(returnObject,'getEvent'),'read')")
Event getEvent(int eventId);
但是有没有更自动化的方法来做到这一点?
@Ralph在这里非常正确的想法。第一步是创建MethodSecurityExpressionOperations的自定义实现,该实现可以在上面存储Method并将其用于评估表达式。例如:
public class MyMethodSecurityExpressionRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {
private Object filterObject;
private Object returnObject;
private Object target;
private Method method;
public MyMethodSecurityExpressionRoot(Authentication a) {
super(a);
}
// allow the method to be set
public void setMethod(Method m) {
this.method = m;
}
// optionally expose the method to be accessed in expressions
public Method getMethod() {
return method;
}
// create a method that will perform the check with
// the method name transparently for you
public boolean hasMethodPermission(Object target, Object permission) {
boolean result = false;
// do your calculations using the method member variable
// i.e. method.getName() and the arguments passed in
// of course you could delegate to another object if you want
// i.e.
// return hasPermission(new com.example.AuthZObject(target,method.getName()),permission));
// or you could do the logic right here
return result;
}
// implement the interface and provide setters
public void setFilterObject(Object filterObject) {
this.filterObject = filterObject;
}
public Object getFilterObject() {
return filterObject;
}
public void setReturnObject(Object returnObject) {
this.returnObject = returnObject;
}
public Object getReturnObject() {
return returnObject;
}
public void setThis(Object target) {
this.target = target;
}
public Object getThis() {
return target;
}
}
接下来,扩展DefaultMethodSecurityExpressionHandler并使用自定义表达式根。
public class MySecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler{
@Override
protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation){
MyMethodSecurityExpressionRoot root = new MyMethodSecurityExpressionRoot(authentication);
root.setThis(invocation.getThis());
root.setPermissionEvaluator(getPermissionEvaluator());
root.setTrustResolver(new AuthenticationTrustResolverImpl());
root.setRoleHierarchy(getRoleHierarchy());
root.setMethod(invocation.getMethod());
return root;
}
}
配置MySecurityExpressionHandler之后,您应该可以使用以下内容:
@PostAuthorize("hasMethodPermission(returnObject,'read')")
Event getEvent(int eventId);
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句