How do @PostFilter and @PreFilter work in Spring Security?


Question

Being new to Spring's security annotations, I need a clarification for the below code.

@PostFilter("hasPermission(filterObject, 'READ') or hasRole('ROLE_ADMIN')")
public List<User> getUsers(String orderByInsertionDate,
                           Integer numberDaysToLookBack) throws AppException

So this means that the list of users returned by getUsers will only contain those elements which have full "READ" access to the calling object, or the calling object has the role "ROLE_ADMIN". Thanks.

Answer

@PreFilter and @PostFilter are designed to be used with Spring Security to filter collections or arrays based on authorization.

To have this working, you need to use expression-based access control in Spring Security (as you have in your example).

@PreFilter - filters the collection or array before executing the method.

@PostFilter - filters the returned collection or array after executing the method.

So, let's say your getUsers() returns a List of Users. Spring Security will iterate through the list and remove any elements for which the applied expression is false (e.g. is not admin and does not have read permission).

filterObject is the built-in object on which the filter operation is performed, and you can apply various conditions to this object (basically all built-in expressions are available here, e.g. principal, authentication); for example you can do

@PostFilter("filterObject.owner == authentication.name")

Though those filters are useful, they are really inefficient with large data sets, and basically you lose control over your result; instead Spring controls the result.
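The mechanics described in the answer above, as an added, runnable example that is not part of the original question or answer. It assumes Spring Security 6 and Spring Framework 6 on the classpath (spring-security-core, spring-security-config); the class names FilterDemo, User and UserService, the "owner" field, and the two principals "alice" and "root" are constructed for this demonstration. It shows @PostFilter pruning a returned list, @PreFilter pruning an argument before the body runs, and the two traps a practitioner hits first: an immutable return value, and calling the service without going through the Spring proxy.

```java
// Added example, not code from the original question or answer.
// Assumes Spring Security 6 (spring-security-core, spring-security-config) and
// Spring Framework 6 on the classpath; FilterDemo, User, UserService and the two
// principals below are constructed for this demo.
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.parameters.P;

public class FilterDemo {

    // Constructed domain object; "owner" is the login name that owns the record.
    public record User(String name, String owner) {}

    public static class UserService {

        // Same shape as the question's method. The body runs unconditionally and
        // returns everything; afterwards Spring Security iterates the list and
        // removes each element (bound to filterObject) for which the expression is
        // false for the *caller*. Admins keep all elements, others only their own.
        @PostFilter("filterObject.owner == authentication.name or hasRole('ROLE_ADMIN')")
        public List<User> getUsers() {
            // Must be a mutable collection: the filter removes elements through
            // Iterator.remove(), so an immutable List.of(...) result would throw.
            return new ArrayList<>(List.of(
                    new User("alice-profile", "alice"),
                    new User("bob-profile", "bob")));
        }

        // @PreFilter prunes the *argument* before the body executes. With more than
        // one parameter, filterTarget names the collection to filter; @P supplies the
        // parameter name without relying on the -parameters compiler flag.
        @PreFilter(filterTarget = "users", value = "filterObject.owner == authentication.name")
        public int deleteUsers(@P("users") List<User> users, String reason) {
            // Only the caller's own records survive to this point.
            return users.size();
        }
    }

    @Configuration
    @EnableMethodSecurity // activates @PreFilter/@PostFilter/@PreAuthorize on beans
    static class Config {
        @Bean
        UserService userService() {
            return new UserService();
        }
    }

    // Puts a constructed, already-authenticated principal into the security context
    // so the expressions above have an "authentication" to evaluate against.
    static void runAs(String name, String... authorities) {
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken(name, "n/a", authorities));
    }

    public static void main(String[] args) {
        try (var ctx = new AnnotationConfigApplicationContext(Config.class)) {
            // Always go through the Spring bean: a direct `new UserService()` bypasses
            // the proxy and therefore the filters.
            UserService svc = ctx.getBean(UserService.class);
            List<User> both = new ArrayList<>(List.of(
                    new User("alice-profile", "alice"),
                    new User("bob-profile", "bob")));

            runAs("alice", "ROLE_USER");
            System.out.println("alice sees:       " + svc.getUsers());
            System.out.println("alice may delete: " + svc.deleteUsers(both, "cleanup"));

            runAs("root", "ROLE_ADMIN");
            System.out.println("admin sees:       " + svc.getUsers());
        } finally {
            SecurityContextHolder.clearContext();
        }
    }
}
```

Two practical notes. First, the question's expression uses hasPermission(filterObject, 'READ'); that only works once a PermissionEvaluator (for example the ACL module's AclPermissionEvaluator) is registered with the method-security expression handler, because the default evaluator is DenyAllPermissionEvaluator and every element would be filtered out. Second, both annotations filter by loading the full collection and discarding elements one at a time, which is the inefficiency the answer warns about: for large result sets, push the ownership or role condition into the query instead and keep @PostFilter as a defence-in-depth check on small results.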
