How @PostFilter and @PreFilter work

Problem description

Being new to spring annotations, I need a clarification for the below code.

    @PostFilter("hasPermission(filterObject, 'READ') or hasRole('ROLE_ADMIN')")
    public List<User> getUsers(String orderByInsertionDate,
            Integer numberDaysToLookBack) throws AppException;

So this means that the list of users returned by getUsers will only contain those elements which have full "READ" access to the calling object or the calling object has role as "ROLE_ADMIN". Thanks.

Recommended answer

@PreFilter and @PostFilter are designated for use with Spring Security to be able to filter collections or arrays based on authorization.

To have this working, you need to use expression-based access control in Spring Security (as you have in your example).

@PreFilter - filters the collection or arrays before executing the method.

@PostFilter - filters the returned collection or arrays after executing the method.

So, let's say your getUser() returns a List of Users. Spring Security will iterate through the list and remove any elements for which the applied expression is false (e.g. is not admin, and does not have read permission).

filterObject is a built-in object on which the filter operation is performed, and you can apply various conditions to this object (basically all built-in expressions are available here, e.g. principal, authentication), for example you can do:

    @PostFilter("filterObject.owner == authentication.name")

Though those filters are useful, they are really inefficient with large data sets, and basically you lose control over your result; instead, Spring controls the result.
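
The filtering described in the answer, as an added example that is not part of the original question or answer: the same service is called as an ordinary user and as an admin to show what each annotation lets through. Doc, DocService, Config, FilterDemo and the user names are hypothetical; it assumes Spring Security 5.6 or later (for @EnableMethodSecurity) on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;

public class FilterDemo {
    public static class Doc { // hypothetical domain object; SpEL reads filterObject.owner via getOwner()
        private final String owner;
        public Doc(String owner) { this.owner = owner; }
        public String getOwner() { return owner; }
    }
    // Constructed sample data. The list is mutable because the filters remove elements in place.
    static List<Doc> sample() {
        return new ArrayList<>(List.of(new Doc("alice"), new Doc("bob"), new Doc("alice")));
    }
    public static class DocService {
        // The body runs first and loads every row; rejected elements are removed afterwards.
        @PostFilter("filterObject.owner == authentication.name or hasRole('ROLE_ADMIN')")
        public List<Doc> findAll() { return sample(); }
        // The argument is filtered before the body runs, so the body only sees the caller's own docs.
        @PreFilter("filterObject.owner == authentication.name")
        public int delete(List<Doc> docs) { return docs.size(); }
    }
    @Configuration
    @EnableMethodSecurity // turns on @PreFilter/@PostFilter processing
    public static class Config {
        @Bean public DocService docService() { return new DocService(); }
    }
    static void runAs(String user, String role, DocService svc) {
        SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken(user, "n/a", role));
        System.out.println(user + ": findAll returned " + svc.findAll().size()
                + " of 3, delete received " + svc.delete(sample()).toString().length());
        SecurityContextHolder.clearContext();
    }
    public static void main(String[] args) {
        try (var ctx = new AnnotationConfigApplicationContext(Config.class)) {
            DocService svc = ctx.getBean(DocService.class);
            runAs("alice", "ROLE_USER", svc);  // owner match only
            runAs("carol", "ROLE_ADMIN", svc); // admin clause applies to findAll, not to delete
        }
    }
}
```

findAll() always builds all three objects no matter who calls it, which is the cost the answer points to for large data sets.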
