如何使用Spring AOP实现基于注释的安全性? [英] How to implement annotation based security using Spring AOP?
问题描述
我是Spring AOP(和一般的AOP)的新手,需要实现以下内容:
I'm new to Spring AOP (and AOP in general), need to implement the following:
@HasPermission(operation=SecurityOperation.ACTIVITY_EDIT, object="#act")
public Activity updateActivity(Activity act)
{
...
}
@HasPermission是我的自定义注释,将用于标记所有需要预授权的方法.我正在使用基于Apache Shiro的安全检查的自定义实现.通常,我想我将需要定义与所有带注释的方法匹配的切入点,并且还需要提供方面的实现(在此之前或前后).
@HasPermission is my custom annotation, which will be used to mark all methods requiring pre-authorization. I'm using my custom implementation of security checks based on Apache Shiro. Generally, I guess that I will need to define pointcut which matches all annotated methods and also provide implementation of the aspect (either before or around).
我的问题是关于.方面的实现.
Questions I have are re. aspect implementation.
- 如何从注释中提取 operation 和 object 参数?
- 如何在对象定义中解析SpEL表达式并使对象作为"act"参数传递?
- How do I extract operation and object parameters from the annotation?
- How can I resolve SpEL expression in object definition and get object passed as 'act' parameter?
推荐答案
我知道这是一个很晚的答案,但是在我们将一些JavaEE项目迁移到Spring之后,我们基于 AspectJ 建立了一些基本的安全模型:
I know it's a late answer but after we were migrating some JavaEE project to Spring we made some basic security model based on AspectJ:
首先,我们使用自定义 @OperationAuthorization 注释我们的服务方法:
Firstly we annotate our service methods with custom @OperationAuthorization :
@OperationAuthorization
public ListOfUserGroupsTo getUserGroupsByClientId(Integer clientId) throws GenericException {
return userGroupRepository.getAllUserGroupsForClient(clientId);
}
然后我们有一个 @Aspect &的课程. @Component 批注会拦截具有特定批注的方法:
Then we have a class with @Aspect & @Component annotations which intercepts methods with specific annotations:
@Aspect
@Component
public class AuthorizationAspect {
@Autowired
AuthorizationService authorizationService;
@Before(value = "@annotation(ch.avelon.alcedo.authorization.annotations.OperationAuthorization)")
public void before(JoinPoint joinPoint) throws Throwable {
Object[] args = joinPoint.getArgs();
Method method = ((MethodSignature) joinPoint.getSignature()).getMethod();
authorizationService.checkOperationAuthorization(method, args);
}
在 AuthorizationService 中,将传递带有所有参数的方法.检查客户端是否具有获取用户组的权限.如果不是,则抛出异常,方法停止.
In AuthorizationService a method with all arguments are passed. Check whether the client is authorized to get user groups. If it's not: throw our Exception and method stops.
这篇关于如何使用Spring AOP实现基于注释的安全性?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!