如何以编程方式解析spring安全表达式(例如在某些控制器中) [英] How to parse spring security expressions programmatically (e.g. in some controller)
问题描述
如何解析spring(web)安全表达式,如 hasRole('admin')以编程方式(不使用标签,注释或 ...) )? (参考文献)
How do you parse spring (web) security expressions like hasRole('admin') programmatically (without using tags, annotations or ...)? (reference doc)
我发现 Spring:用于解析安全表达式的解析器 - 但我不知道如何查找或构建 EvaluationContext eg
I've found Spring: What parser to use to parse security expressions - but I don't know how to find or build the EvaluationContext e.g. inside a spring controller.
不提供 EvaluationContext 给
org.springframework.expression.spel.SpelEvaluationException: EL1011E:(pos 0): Method call: Attempted to call method hasRole(java.lang.String) on null context object
推荐答案
你需要添加几个东西才能使这个工作。你必须插入Spring的安全API。这是我如何做,它与Spring 3.2正常工作。
首先,您必须在spring-context.xml中具有类似的配置之前说明:
you need to add several things in order to get this thing working. You have to plug into the Spring's security API. Here's how I did it and it is working fine with Spring 3.2. First as it was stated before you must have similar configuration in your spring-context.xml:
<security:http access-decision-manager-ref="customAccessDecisionManagerBean">
<security:http/>
<bean id="customWebSecurityExpressionHandler"
class="com.boyan.security.CustomWebSecurityExpressionHandler"/>
<bean id="customAccessDecisionManagerBean"
class="org.springframework.security.access.vote.AffirmativeBased">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
<property name="expressionHandler" ref="customWebSecurityExpressionHandler" />
</bean>
</list>
</property>
</bean>
这定义了一个新的expressionHandler来覆盖WebExpressionVoter的默认值。然后我们将这个新的决策选民添加到决策经理。 CustomWebSecurityExpressionHandler的目的是控制SecurityExpressionRoot的创建。到现在为止还挺好。问题是为什么需要CustomWebSecurityExpressionRoot,答案很简单,您可以在此定义自定义的安全方法。考虑到这一点,我们可以编写以下类:
This defines a new expressionHandler to override the default one for the WebExpressionVoter. Then we add this new decision voter to the decision manager. CustomWebSecurityExpressionHandler's purpose it to control the creation of SecurityExpressionRoot. So far so good. The question is why do you need a CustomWebSecurityExpressionRoot and the answer is simple as that - you define your custom security methods there. Having this in mind we can write the following classes:
public class CustomWebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler {
@Override
protected SecurityExpressionOperations createSecurityExpressionRoot(
Authentication authentication, FilterInvocation fi) {
CustomWebSecurityExpressionRoot expressionRoot =
new CustomWebSecurityExpressionRoot(authentication, delegationEvaluator);
return expressionRoot;
}
}
}
public class CustomWebSecurityExpressionRoot extends WebSecurityExpressionRoot {
public CustomWebSecurityExpressionRoot(Authentication auth, FilterInvocation fi) {
super(auth, fi);
}
// in here you must define all of the methods you are going to invoke in @PreAuthorize
// for example if you have an expression with @PreAuthorize('isBoyan(John)')
// then you must have the following method defined here:
public boolean isBoyan(String value) {
//your logic goes in here
return "Boyan".equalsIgnoreCase(value);
}
}
如果要获取参考到ExpressionParser,你可以使用以下方法AbstractSecurityExpressionHandler.getExpressionParser()。它可以通过CustomWebSecurityExpressionHandler访问。另外你可以看看它的API,如果你想做一些更具体的事情。
我希望这回答你的问题。
If you want to get a reference to the ExpressionParser you can use the following method AbstractSecurityExpressionHandler.getExpressionParser(). It is accessible through CustomWebSecurityExpressionHandler. Also you can take a look at its API if you want to do something more specific. I hope this answers you question.
这篇关于如何以编程方式解析spring安全表达式(例如在某些控制器中)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
