I know Spring Security has an abstract class `SecurityExpressionRoot`. In it we have methods such as `hasAuthority(String var1)`, `hasRole(String var1)` and so on that implement the checks. Spring also provides a `@PreAuthorize` annotation used at method level, in which we pass a single value, such as `@PreAuthorize("hasRole('ROLE_ABC')")`. The annotation's `@interface` looks like:

```java
package org.springframework.security.access.prepost;

import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Inherited
@Documented
public @interface PreAuthorize {
    String value();
}
```

I want to know how this annotation ... from `SecurityExpressionRoot`.
Spring Security uses aspect-oriented programming (AOP) to weave the security code into your own code base. The way this works in Spring is through annotations that define injection points (cf. pointcuts), so that extra logic can be executed before/after/around your own code (cf. advice).

Interceptors scan your code base for join points (i.e. for Spring this is always a method execution, when it is marked with a specific annotation) and execute additional, specific logic depending on the interception point (i.e. interface) you use.

To enable this behaviour, you can add the configuration:

```java
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public class ConfigGlobalMethodSecurity extends GlobalMethodSecurityConfiguration {
    ...
}
```
Specifically for `PreAuthorize`, the `PrePostAdviceReactiveMethodInterceptor` is responsible for finding methods annotated with `PreAuthorize`. This in turn delegates to the `PreInvocationAuthorizationAdvice`, which is configured here in `ReactiveMethodSecurityConfiguration` as `ExpressionBasedPreInvocationAdvice`. Internally this uses the default expression handler, `DefaultMethodSecurityExpressionHandler`, to create a `SecurityExpressionRoot`. The actual implementation of this `SecurityExpressionRoot` will define how the expressions in your `PreAuthorize` are handled and which logic needs to be executed.

The `SecurityExpressionRoot` defines which expressions you can use inside `PreAuthorize`, such as `hasRole`.

To add extra expressions or to extend the default permission logic, you need to provide a custom implementation of `SecurityExpressionRoot` and optionally a custom `PermissionEvaluator`. For example, if you want to write `@PreAuthorize("hasKnowledgeOf('AOP')")`:
```java
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.core.Authentication;

public class CustomMethodSecurityExpressionRoot
        extends SecurityExpressionRoot
        implements MethodSecurityExpressionOperations {

    private final PermissionEvaluator permissionEvaluator;
    private final Authentication authentication;
    private Object filterObject;
    private Object returnObject;
    private Object target;

    public CustomMethodSecurityExpressionRoot(
            Authentication authentication,
            PermissionEvaluator permissionEvaluator) {
        super(authentication);
        this.authentication = authentication;
        this.permissionEvaluator = permissionEvaluator;
        super.setPermissionEvaluator(permissionEvaluator);
    }

    // new expression to check if the requested knowledge is present
    public boolean hasKnowledgeOf(String context) {
        // provide logic that performs the check; as a placeholder this looks up a
        // KNOWLEDGE_<context> authority on the principal and denies when no context is given
        if (context == null || context.isEmpty()) {
            return false;
        }
        return hasAuthority("KNOWLEDGE_" + context);
    }

    @Override
    public void setFilterObject(Object filterObject) {
        this.filterObject = filterObject;
    }

    @Override
    public Object getFilterObject() {
        return filterObject;
    }

    @Override
    public void setReturnObject(Object returnObject) {
        this.returnObject = returnObject;
    }

    @Override
    public Object getReturnObject() {
        return returnObject;
    }

    @Override
    public Object getThis() {
        return target;
    }
}
```
and

```java
import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

// registered as a bean so it can be injected into the method-security configuration
@Component
public class CustomPermissionEvaluator
        implements PermissionEvaluator {

    @Override
    public boolean hasPermission(
            Authentication authentication,
            Object targetDomainObject,
            Object permission) {
        // define your custom permission logic here;
        // until it is written, deny so the check fails closed
        return false;
    }

    @Override
    public boolean hasPermission(
            Authentication authentication,
            Serializable targetId,
            String targetType,
            Object permission) {
        // define your custom permission logic here;
        // until it is written, deny so the check fails closed
        return false;
    }
}
```
Complete the configuration and pass the evaluator to the expression root.

```java
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;

public class CustomMethodSecurityExpressionHandler
        extends DefaultMethodSecurityExpressionHandler {

    private final PermissionEvaluator permissionEvaluator;

    public CustomMethodSecurityExpressionHandler(PermissionEvaluator permissionEvaluator) {
        this.permissionEvaluator = permissionEvaluator;
        super.setPermissionEvaluator(permissionEvaluator);
    }

    // called by the handler for every evaluation; hands our root to the SpEL context
    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication,
            MethodInvocation invocation) {
        CustomMethodSecurityExpressionRoot root = new CustomMethodSecurityExpressionRoot(
                authentication,
                permissionEvaluator);
        root.setTrustResolver(new AuthenticationTrustResolverImpl());
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }
}
```
and

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public class ConfigGlobalMethodSecurity extends GlobalMethodSecurityConfiguration {

    @Autowired
    CustomPermissionEvaluator permissionEvaluator;

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new CustomMethodSecurityExpressionHandler(permissionEvaluator);
    }
}
```
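The answer above describes the chain annotation value → expression handler → expression root → SpEL evaluation but never shows it running. The following is an added example, not code from the question, the answer or Spring Security itself: it reproduces, without a Spring container, what the pre-invocation advice does for one guarded call, using a small custom root with a `hasKnowledgeOf` expression. It assumes Spring Security (`spring-security-core`) and Spring Expression are on the classpath; the class names `KnowledgeExpressionRoot`, `KnowledgeExpressionHandler`, `ArticleService` and the `KNOWLEDGE_<topic>` authority convention are constructed for the demo, and the expression root denies on a missing topic so an unanswerable check fails closed.

```java
package example.security; // hypothetical package, constructed for this demo

import java.lang.reflect.Method;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.util.SimpleMethodInvocation;

public class PreAuthorizeEvaluationDemo {

    /** Expression root adding hasKnowledgeOf, backed by a KNOWLEDGE_<topic> authority (constructed convention). */
    static class KnowledgeExpressionRoot extends SecurityExpressionRoot
            implements MethodSecurityExpressionOperations {
        private Object filterObject, returnObject;
        private final Object target;

        KnowledgeExpressionRoot(Authentication authentication, Object target) {
            super(authentication);
            this.target = target;
        }

        // Deny by default: a null or blank topic never matches; otherwise a plain authority lookup.
        public boolean hasKnowledgeOf(String topic) {
            if (topic == null || topic.isBlank()) {
                return false;
            }
            return hasAuthority("KNOWLEDGE_" + topic.toUpperCase());
        }

        @Override public void setFilterObject(Object o) { filterObject = o; }
        @Override public Object getFilterObject() { return filterObject; }
        @Override public void setReturnObject(Object o) { returnObject = o; }
        @Override public Object getReturnObject() { return returnObject; }
        @Override public Object getThis() { return target; }
    }

    /** Handler whose only job is to hand the custom root to the SpEL evaluation context. */
    static class KnowledgeExpressionHandler extends DefaultMethodSecurityExpressionHandler {
        @Override
        protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
                Authentication authentication, MethodInvocation invocation) {
            KnowledgeExpressionRoot root = new KnowledgeExpressionRoot(authentication, invocation.getThis());
            root.setPermissionEvaluator(getPermissionEvaluator());
            root.setTrustResolver(new AuthenticationTrustResolverImpl());
            root.setRoleHierarchy(getRoleHierarchy());
            root.setDefaultRolePrefix(getDefaultRolePrefix());
            return root;
        }
    }

    /** A service method guarded the way the question shows (constructed for the demo). */
    static class ArticleService {
        @PreAuthorize("hasKnowledgeOf('AOP')")
        public String readInternals() { return "aop internals"; }
    }

    /**
     * What ExpressionBasedPreInvocationAdvice does for one invocation: read the annotation's
     * value, build the evaluation context around the root, evaluate the expression to a boolean.
     */
    static boolean isAuthorized(Authentication auth, Object target, Method method) {
        PreAuthorize pre = method.getAnnotation(PreAuthorize.class);
        if (pre == null) {
            return false; // nothing declared on the method: this check grants nothing
        }
        KnowledgeExpressionHandler handler = new KnowledgeExpressionHandler();
        MethodInvocation invocation = new SimpleMethodInvocation(target, method);
        EvaluationContext ctx = handler.createEvaluationContext(auth, invocation);
        Expression expr = handler.getExpressionParser().parseExpression(pre.value());
        return ExpressionUtils.evaluateAsBoolean(expr, ctx);
    }

    public static void main(String[] args) throws Exception {
        Method method = ArticleService.class.getMethod("readInternals");
        ArticleService service = new ArticleService();
        // Constructed principals: one carrying the authority, one without it.
        Authentication knowsAop = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("KNOWLEDGE_AOP"));
        Authentication plainUser = new UsernamePasswordAuthenticationToken(
                "bob", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        System.out.println("alice -> " + isAuthorized(knowsAop, service, method));
        System.out.println("bob   -> " + isAuthorized(plainUser, service, method));
    }
}
```

Running `main` evaluates the same SpEL string the annotation carries against each principal's authorities, which is the link the question asks about: the annotation only holds text, and it is the root returned by `createSecurityExpressionRoot` that decides which method names (`hasRole`, `hasKnowledgeOf`, ...) that text may call. Keeping the new expression a pure authority lookup, with a deny on empty input, keeps the authorization decision auditable from the granted authorities alone.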