Custom class principal in @PreAuthorize


Problem description

UPDATE (17.04.2012): So I got a result.

root-context.xml:

<context:annotation-config/>
<context:component-scan base-package="com.grsnet.qvs.controller.web"/>  
<security:global-method-security pre-post-annotations="enabled" />
<bean id="permissionManager" class="com.grsnet.qvs.auth.PermissionManager"/>

PermissionManager.java

package com.grsnet.qvs.auth;

import com.grsnet.qvs.model.Benutzer;

public class PermissionManager {

    public PermissionManager() {}

    public boolean hasPermissionU01(Object principal, Integer permissionLevel) {
        return ((Benutzer)principal).getPermission().getU_01() >= permissionLevel;
    }
}

Controller:

@PreAuthorize("@permissionManager.hasPermissionU01(principal, 1)")
@RequestMapping(value = "/u01", method = RequestMethod.GET)
public String listU01(HttpServletRequest request, Map<String, Object> map) throws Exception {
    setGridFilters(map);
    return "u01panel";      
}

I set a breakpoint in PermissionManager.hasPermissionU01. It seems my security annotation is just ignored.

What is the reason? Where is my mistake?

Thanks.

END OF UPDATE

After hours of googling I have to ask here. I have

  1. Spring MVC app
  2. CustomUserDetailService
  3. Custom UserDetails class

public class Benutzer extends User implements UserDetails {
...
  private Permission permission = null;
...
}


  • Permissions class, not very well implemented, but I have to use it.

    public class Permission {
    ... 
      private Integer u_01 = 0;
    ...
    }
    


  • Controller

    @Controller 
    public class U01Controller {
    
        @RequestMapping(value = "/u01", method = RequestMethod.GET)
        public String listU01(HttpServletRequest request, Map<String, Object> map) throws Exception {
    


  • My task is to secure the controller as a whole and to secure the methods inside. I would like to write something like this:

    @PreAuthorize("principal.permission.u_01>0")
    public class U01Controller {
    

    @RequestMapping(value = "/u01", method = RequestMethod.GET)
    @PreAuthorize("principal.permission.u_01=2")
    public String listU01(HttpServletRequest request, Map<String, Object> map) throws Exception {
    

It seems ACL uses the UserDetails interface to gain access to a principal. Is it possible to make some type cast inside ACL?

    @PreAuthorize("(com.grsnet.qvs.model.Benutzer)principal.permission.u_01=2")
    

Thanks in advance.

Recommended answer

While I think you can probably do that (did you just try it?) it seems to me that the best approach would be to create another class that knows how to do permissions decisions. In particular, it could be done like this:

    public class Decision {
        private Decision() {} // no instance, please
    
        // Type is probably a bit too wide...
        static boolean mayList(Object principal) {
            return ((com.grsnet.qvs.model.Benutzer)principal).permission.u_01 == 2;
        }
    
        // etc...
    }
    

Then your @PreAuthorize could be written like this:

    @PreAuthorize("Decision.mayList(principal)")
    

If the decision process was more complex, then you'd be getting into using a bean to do the decision making. Then, because this is Spring EL, you'd write (assuming you're delegating to the decider bean):

    @PreAuthorize("@decider.mayList(principal)")
    

(Of course, my little Decider class above definitely isn't a bean…)
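
An added example, not part of the original answer: a decider bean along the lines suggested above that denies instead of throwing when the principal is not a Benutzer or carries no permission data. The nested Benutzer and Permission classes are minimal stand-ins for the page's classes, and the method name hasLevelU01 is hypothetical.

```java
import java.util.Arrays;
import java.util.List;

public class DeciderExample {

    // Minimal stand-ins for the page's Permission and Benutzer classes (assumed shape).
    static class Permission {
        private final Integer u_01;
        Permission(Integer u_01) { this.u_01 = u_01; }
        Integer getU_01() { return u_01; }
    }

    static class Benutzer {
        private final Permission permission;
        Benutzer(Permission permission) { this.permission = permission; }
        Permission getPermission() { return permission; }
    }

    // Would be registered as the "decider" bean and called from
    // @PreAuthorize("@decider.hasLevelU01(principal, 1)").
    static class Decider {
        public boolean hasLevelU01(Object principal, int required) {
            // An unauthenticated request carries the String "anonymousUser" as
            // principal, so a blind cast would throw instead of denying.
            if (!(principal instanceof Benutzer)) {
                return false;
            }
            Permission p = ((Benutzer) principal).getPermission();
            if (p == null || p.getU_01() == null) {
                return false; // missing permission data: deny
            }
            return p.getU_01() >= required;
        }
    }

    public static void main(String[] args) {
        Decider decider = new Decider();
        // Constructed sample principals.
        List<Object> principals = Arrays.asList(
                "anonymousUser",
                new Benutzer(null),
                new Benutzer(new Permission(0)),
                new Benutzer(new Permission(2)));
        for (Object principal : principals) {
            System.out.println(principal.getClass().getSimpleName()
                    + " -> " + decider.hasLevelU01(principal, 1));
        }
    }
}
```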
