在JpaRepository上@PreAuthorize [英] @PreAuthorize on JpaRepository

问题描述

我正在为我的REST服务实现基于角色的安全性.我正在使用spring-data-rest并已将JpaRepository配置为:

I am looking to implement role based security for my REST service. I am using spring-data-rest and have configured a JpaRepository as such:

@Repository
@RestResource(path = "changesets", rel = "changesets")
public interface ChangesetRepository extends JpaRepository<Changeset, Long> { }

我想在继承的Page<T> findAll(Pageable pageable)方法上附加@PreAuthorize批注，以便GET需要特定的角色.

I would like to attach a @PreAuthorize annotation to the inherited Page<T> findAll(Pageable pageable) method so that a GET requires a specific role.

有没有办法做到这一点?我需要提供自定义实现还是缺少明显的东西?

Is there a way to do that? Do I need to provide a custom implementation or am I missing something obvious?

推荐答案

您可以为所有存储库添加自己的父类(请参见

You can add your own parent class for all repositories (see how to do it in the documentation). Then just add all necessary annotations and your security restrictions will be applied for all child beans.

大多数情况下，从体系结构的角度来看，存储库不是应用安全性限制的正确位置.您的服务层更合适(因为安全限制取决于您的业务操作，而不取决于数据加载逻辑).考虑以下示例:您想在许多服务中重用相同的存储库，并且安全规则不相同(对于这些服务).该怎么办?

From the architecture point of view most of the time a Repository is not the right place to apply your security restrictions. Your service layer is much more appropriate place (because your security restrictions depend on your business actions and not on your data loading logic). Consider following example: you want to reuse the same Repository in many Services, and security rules are not the same (for these Services). What to do?

这篇关于在JpaRepository上@PreAuthorize的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！