如何使@PreAuthorize具有比@Valid或@Validated更高的优先级 [英] How to make @PreAuthorize having higher precedence than @Valid or @Validated

问题描述

我使用spring启动，并且已通过

启用了WebSecurityConfigurerAdapter中的全局方法安全性。

  @EnableGlobalMethodSecurity（prePostEnabled = true ，order = Ordered.HIGHEST_PRECEDENCE）
  

下面是我的控制器代码

  @PreAuthorize（hasAnyRole（'admin'）or principal.id == id）
 @RequestMapping（value =/ {id} ，method = RequestMethod.PUT）
 public User updateUser（@PathVariable（id）String id，@Valid @RequestBody UserDto userDto）
 {...} 
 例如，非管理员用户最终得到类似名字是必需的而不是访问被拒绝。 
 
 
 
有人知道如何在@Valid或@Validated之前强制执行@PreAuthorize get检查？ 
 
 
 
为了执行一些复杂的规则检查，我必须使用这种方法级别的授权而不是基于网址的授权。
解决方案
对于同样的情况，我发现了通过弹簧过滤器实现安全性的建议。
 
这是类似的职位：如何在验证之前检查安全访问（@Secured或@PreAuthorize） @Valid）？
 
 
 
另外，也许是一个不同的方法 - 尝试使用验证通过在@InitBinder注册自定义验证器（因此跳过@有效注释）。 
 
 
 
要在过滤器类中访问principal对象：
  SecurityContextImpl sci = （SecurityContextImpl）
 session（）。getAttribute（SPRING_SECURITY_CONTEXT）; 
 
 if（sci！= null）{
 UserDetails cud =（UserDetails）sci.getAuthentication（）。getPrincipal（）; 
 
} 
  
在这种情况下/ {id}网址。要访问过滤器或拦截器类中的路径参数：
  String [] requestMappingParams =（（HandlerMethod）handler）.getMethodAnnotation（RequestMapping。 class）.params（）
 
 for（String value：requestMappingParams）{。 
  
 
I am using spring boot, and I have enabled the global method security in WebSecurityConfigurerAdapter by 
@EnableGlobalMethodSecurity(prePostEnabled = true, order = Ordered.HIGHEST_PRECEDENCE) 
And Below is my controller code
@PreAuthorize("hasAnyRole('admin') or principal.id == id")
@RequestMapping(value = "/{id}", method = RequestMethod.PUT)
public User updateUser(@PathVariable("id") String id,  @Valid @RequestBody   UserDto userDto) 
{ ....}
However, when a non-admin user try to do a PUT request, the JSR303 validator will kick in before @PreAuthorize. 
For example, non-admin user ended up getting something like "first name is required" instead of "access denied". But after user supplied the first name variable to pass the validator, access denied was returned.

Does anyone know how to enforce the @PreAuthorize get checked before @Valid or @Validated? 

And I have to use this kind of method-level authorization instead of url-based authorization in order to perform some complex rule checking.
解决方案
For the same scenario, I have found reccomendations to implement security via spring filters.

Here is similar post : How to check security acess (@Secured or @PreAuthorize) before validation (@Valid) in my Controller?

Also, maybe a different approach - try using validation via registering a custom validator in an @InitBinder (thus skip the @valid annotation). 

To access principal object in filter class:
  SecurityContextImpl sci = (SecurityContextImpl)     
session().getAttribute("SPRING_SECURITY_CONTEXT");

if (sci != null) {
    UserDetails cud = (UserDetails) sci.getAuthentication().getPrincipal();

 }
In this case /{id} is a path param in the URL. To access path params in filter or interceptor class:
String[] requestMappingParams =    ((HandlerMethod)handler).getMethodAnnotation(RequestMapping.class).params()

        for (String value : requestMappingParams) {.


                        
这篇关于如何使@PreAuthorize具有比@Valid或@Validated更高的优先级的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！