java – Custom permission evaluator in Spring
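I want to create a custom permission evaluator so that I can @PreAuthorize REST endpoints with a custom method.
I am using Spring Boot 1.5.3 with the web and security starters.
My further use case is to check whether the logged-in user is authorized to view the specified id.
When calling the REST endpoint, I get the following error:
```
org.springframework.expression.spel.SpelEvaluationException: EL1004E: Method call: Method hasPermission(null) cannot be found on org.springframework.security.access.expression.method.MethodSecurityExpressionRoot type
```
My custom permission evaluator: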
```java
@Component
class CustomPermissionsEvaluator implements PermissionEvaluator {
    public boolean hasPermission(String id) {
        return id.equals("correct");
    }

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        return false;
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        return false;
    }
}
```
My security configuration:
```java
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class SecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    public MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler = new DefaultMethodSecurityExpressionHandler();
        methodSecurityExpressionHandler.setPermissionEvaluator(new CompanyPermissionsEvaluator());
        return methodSecurityExpressionHandler;
    }
}
```
My REST controller:
```java
@RestController
class RestControllerToProtect {
    @PreAuthorize("hasPermission(#id)")
    @GetMapping
    public String methodToProtect(String id) {
        return "Authenticated";
    }
}
```
Stack trace:
```
org.springframework.expression.spel.SpelEvaluationException: EL1004E:
Method call: Method hasPermission(null) cannot be found on
org.springframework.security.access.expression.method.MethodSecurityExpressionRoot type
```
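Solution:
Without additional configuration, you cannot use an overloaded method that is not a member of PermissionEvaluator (if you want to reconfigure the PermissionEvaluator pattern, see this answer).
By default, a hasPermission call should match one of the following signatures: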
```java
hasPermission(Authentication authentication, Object targetDomainObject, Object permission);
hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission);
```
Example:
```java
import java.io.Serializable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

// CustomUserDetails and AbstractEntity are the application's own types.
public class CustomPermissionEvaluator implements PermissionEvaluator {
    private Logger log = LoggerFactory.getLogger(CustomPermissionEvaluator.class);

    // Matches hasPermission(targetDomainObject, permission) in a SpEL expression.
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        CustomUserDetails customUserDetails = (CustomUserDetails) authentication.getPrincipal();
        AbstractEntity abstractEntity = (AbstractEntity) targetDomainObject;
        log.debug("User {} trying to access {}-{} with permission {}",
                customUserDetails.getUsername(),
                abstractEntity.getClass().getSimpleName(),
                abstractEntity.getId(),
                permission.toString());
        return false;
    }

    // Matches hasPermission(targetId, targetType, permission) in a SpEL expression.
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        CustomUserDetails customUserDetails = (CustomUserDetails) authentication.getPrincipal();
        log.debug("User {} trying to access {}-{} with permission {}",
                customUserDetails.getUsername(),
                targetType,
                targetId,
                permission.toString());
        return false;
    }
}
```
Controller:
```java
@RestController
public class RestControllerToProtect {
    // passing targetDomainObject and permission, authentication is detected by SecurityExpressionRoot
    @PreAuthorize("hasPermission(#abstractEntity, 'create')")
    public String methodToProtect(@RequestBody AbstractEntity abstractEntity) {
        return "Authenticated";
    }
}
```
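An added example, not part of the original question or answer, applying the id-based signature to the use case from the question (checking whether the logged-in user may view a given id) with a default-deny evaluator. The names `IdPermissionEvaluator`, `MethodSecurityConfig` and `DocumentController`, the `Document` target type, the `read` permission, the `/documents` path and the grant for user `alice` are assumptions constructed for illustration.

```java
import java.io.Serializable;
import java.util.*;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.*;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.*;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.*;

// Default-deny evaluator: access is granted only on an explicit match.
class IdPermissionEvaluator implements PermissionEvaluator {
    // Constructed sample grants (user -> readable ids); a real application would query its own store.
    private static final Map<String, Set<String>> READABLE_IDS =
            Collections.singletonMap("alice", Collections.singleton("correct"));

    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        return false; // object-based checks are not used in this example
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        // A missing principal or a null id is denied rather than dereferenced.
        if (auth == null || !auth.isAuthenticated() || targetId == null) return false;
        // Only the one (type, permission) pair this example knows about is evaluated.
        if (!"Document".equals(targetType) || !"read".equals(permission)) return false;
        Set<String> ids = READABLE_IDS.get(auth.getName());
        return ids != null && ids.contains(targetId);
    }
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new IdPermissionEvaluator());
        return handler;
    }
}

@RestController
class DocumentController {
    // Three SpEL arguments map to the four-argument overload; Authentication comes from the expression root.
    @PreAuthorize("hasPermission(#id, 'Document', 'read')")
    @GetMapping("/documents")
    public String view(@RequestParam String id) {
        return "Authenticated";
    }
}
```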