Enabling compile-time AspectJ for Spring Method Security
Problem description
Spring AOP runs everything through proxies, which sadly can't be everywhere. For this reason Spring Security's annotations @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter (also @Secured) will not be taken into consideration when calls are not going through said proxies. Proxies are created only for singletons (@Beans), so we are greatly limited when we want to secure methods on specific objects (such as JPA @Entities) that are not beans. Proxies also won't be called within calling objects (a bean calling its methods in the context of self - this).
I know that Spring has support not only for Spring AOP but also for real AOP - AspectJ. Not only that, but it SHOULD support AspectJ out of the box. Testament to this is:
@EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ, securedEnabled = true, prePostEnabled = true)
When enabled, Spring will require (crash on startup otherwise) the aspectj dependency, which is provided within:
'org.springframework.security:spring-security-aspects'
After adding this dependency we will have the AspectJ libraries in the classpath and will get:
org.springframework.security.access.intercept.aspectj.aspect
with:
public aspect AnnotationSecurityAspect implements InitializingBean
But here it all ends. There is no documentation that I could find that would state how to further enable aspectj weaving. Setting @EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ) certainly DOES something, as we lose standard Spring AOP: security annotations stop working anywhere (on Beans) and at the same time they are not woven with AspectJ.
Does anyone have some knowledge of Spring's support for this out of the box (compile-time weaving) and what further configuration is needed? Maybe I need to weave it myself? Do I need some specific libraries for building?
Version: Spring 5.2.1.RELEASE (all packages).
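The proxy limitation described in the question, as an added example that is not part of the original post: a plain JDK dynamic proxy is used as a simplified stand-in for Spring AOP, and the names ProxyBypassDemo, RequiresAdmin, AccountService and callerIsAdmin are hypothetical. Calls 2 and 3 reach the protected method with no check at all, which is the gap AspectJ weaving closes by placing the check in the class's own bytecode.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;

public class ProxyBypassDemo {
    // Hypothetical stand-in for @PreAuthorize("hasRole('ADMIN')").
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresAdmin {}

    interface AccountService {
        @RequiresAdmin void deleteAll();
        void cleanup();               // unsecured entry point
    }

    static class AccountServiceImpl implements AccountService {
        public void deleteAll() { System.out.println("  deleteAll() executed"); }
        // Self-invocation: 'this' is the raw target, not the proxy.
        public void cleanup() { this.deleteAll(); }
    }

    static boolean callerIsAdmin = false; // constructed "security context"

    // The check lives in the proxy wrapped around the target,
    // not in the target class itself.
    static AccountService secure(AccountService target) {
        InvocationHandler h = (proxy, method, args) -> {
            if (method.isAnnotationPresent(RequiresAdmin.class) && !callerIsAdmin)
                throw new SecurityException("denied: " + method.getName());
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (AccountService) Proxy.newProxyInstance(
            AccountService.class.getClassLoader(),
            new Class<?>[] { AccountService.class }, h);
    }

    public static void main(String[] args) {
        AccountService bean = secure(new AccountServiceImpl());
        System.out.println("1. external call through the proxy:");
        try { bean.deleteAll(); }
        catch (SecurityException e) { System.out.println("  " + e.getMessage()); }
        System.out.println("2. self-invocation via cleanup():");
        bean.cleanup();                       // check is skipped
        System.out.println("3. object created with new (not a bean):");
        new AccountServiceImpl().deleteAll(); // check is skipped
    }
}
```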
Recommended answer
@DimaSan's comment helped me find a few threads/issues I missed while doing my search, and while many of them are years out of date, I managed to set up my app.
Turns out I was actually very close, and by making a few updates and changing dependencies/plugins in Gradle I have a working environment.
Gradle: 5.6.4
with:
plugins {
    id "io.freefair.aspectj.post-compile-weaving" version "4.1.6"
}
dependencies {
    aspect 'org.springframework.security:spring-security-aspects'
    runtime 'org.springframework.security:spring-security-aspects'
}
using a Spring setup at 5.2.1.RELEASE with
spring-boot-starter-
  web
  data-jpa
  security
With the above setup this is actually the only thing needed:
@EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ, securedEnabled = true, prePostEnabled = true)
Finally, if you are not using Gradle (e.g. want to use an STS/Eclipse Run Configuration), you will add:
-javaagent:C:\Users\USER\.gradle\caches\modules-2\files-2.1\org.aspectj\aspectjweaver\1.9.4\<cache-string>\aspectjweaver-1.9.4.jar
.gradle and 1.9.4 being the case for my current setup/version.
Note that this is as yet untested (but working with JPA/Hibernate) with e.g. transaction management, and I will comment on it once I start using complex transactions where weaving would create issues.