如何向Spring MVC控制器方法添加自定义安全注释 [英] How to add a custom security annotation to Spring MVC controller method

问题描述

我正在将Java 8，Spring MVC 4，Spring Boot和Gradle用于我的REST应用程序.

I am using Java 8, Spring MVC 4, Spring Boot, and Gradle for my REST application.

我想通过某些Spring MVC 4控制器中的自定义方法注释为我的REST应用程序添加安全性.

I would like to add security to my REST application via custom method annotations within certain Spring MVC 4 controllers.

这是一个基本示例.

HomeController.java

package myapp;

import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RequestMapping;

@RestController
@RequestMapping("/")
public class HomeController {

    @RequestMapping("/")
    public String index() {
        return "<h1>Hello, World!</h1><p>Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum</p>";
    }

    @CustomSecurityAnnotation
    @RequestMapping("/secure")
    public String secure() {
        return "<h1>Secured!</h1><p>Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum</p>";
    }
}

我希望CustomSecurityAnnotation运行一个自定义方法，该方法将检查传入的REST请求的标头，查看HTTP标头Authorization，提取提供的值(如果提供了此值)，并针对该值运行代码确认请求之前，以允许该方法继续进行.如果授权无效，则注释应具有覆盖响应并提供HTTP 401或403的能力，如果我确定注释自定义方法成功传递，则允许注释下的方法运行.

I would like CustomSecurityAnnotation to run a custom method that will check the headers of the incoming REST request, look at HTTP header Authorization, pull the value provided (if one was provided), and run code against that value to validate the request before allowing the method to proceed. The annotation should have the ability to override the response and provide a HTTP 401 or 403 if the authorization is invalid, and allow the method under the annotation to run if I decide the annotation custom method passed successfully.

我意识到我可以对PreAuthorize和其他MVC注释执行类似的操作，但是我正在考虑将自定义逻辑封装在单个注释内的方法中，以便在我选择的任何控制器上的任何方法上使用.

I realize there is something similar I could do with PreAuthorize and other MVC annotations but I'm looking at packaging up custom logic within a method inside a single annotation to be used on any method on any controller of my choosing.

谢谢！

推荐答案

我们还在项目中创建了一个自定义注释. 您需要完成一些面向方面的编程.

We also created a custom annotation in our project. What you need to accomplish this, is a bit of Aspect Oriented Programming.

首先，您需要创建自己的注释来标记您的方法，如下所示:

First you'll want to create your own annotation to tag your methods, as follows:

public @interface CustomSecurityAnnotation {
}

然后，您必须编写在执行方法时触发的逻辑. 为此，您要写一个方面.

Then you have to write the logic which is triggered when your method is executed. You write an aspect for that.

@Aspect
@Component
public class CustomSecurityAspect {
    @Pointcut("@annotation(my.package.CustomSecurityAnnotation)")
    private void customSecurityAnnotation() {
    }

    @Around("my.package.CustomSecurityAspect.customSecurityAnnotation()")
    public Object doSomething(ProceedingJoinPoint pjp) throws Throwable {
        HttpServletRequest req = getRequest();
        // Check header values
        // Throw Spring's AccessDeniedException if needed
        return pjp.proceed();
    }

    private HttpServletRequest getRequest() {
        ServletRequestAttributes sra = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        return sra.getRequest();
    }
}

如您所见，我已经包含了一种检索当前HTTP请求的方法，因此您可以轻松地检索要检查的标头.

As you can see, I've already included a method to retrieve the current HTTP request so you can easily retrieve the header you want to check.

对于AccessDeniedException，Spring会自动将响应状态代码设置为HTTP 403.

In case of an AccessDeniedException, Spring automatically sets the response status code to HTTP 403.

请不要忘记在@Configuration类上启用@EnableAspectJAutoProxy来启用方面.

Don't forget to enable @EnableAspectJAutoProxy on your @Configuration class to enable aspects.

这篇关于如何向Spring MVC控制器方法添加自定义安全注释的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！