Spring @PostFilter 何时执行? [英] When does a Spring @PostFilter execute?

问题描述

我正在使用 spring 的 @Around 注释来提供 DAO 调用的缓存，并使用 spring 安全性的 @PostFilter 来限制某些记录的查看.但是我担心缓存可能会绕过 PostFilter 并带来安全问题.

I am using spring's @Around annotations to provide caching of DAO calls and also using spring security's @PostFilter to restrict the viewing of certain records. However I am concerned that the cache could bypass the PostFilter and present a security problem.

如何判断@PostFilter 和@Around 包裹目标对象的顺序?

How do I tell what order @PostFilter and @Around wrap the target object?

推荐答案

您可以通过设置 order 属性来指定 Spring Security 方面的顺序security>(我猜它默认为零).

You can specify an order of Spring Security's aspects by setting the order attribute of <security:global-method-security> (I guess it's zero by default).

您还可以指定您自己方面的顺序，如7.2.4.7 建议排序:

You can also specify an order of your own aspect as described in 7.2.4.7 Advice ordering:

最高优先级的通知在进入的路上"首先运行(所以给定两条before通知，优先级最高的先运行).从连接点出路"，最高优先级的通知最后运行(所以给定两条后通知，具有最高优先级的将第二运行).
...
您可以通过指定优先级来控制执行顺序.这是通过在方面类中实现 org.springframework.core.Ordered 接口或使用 Order 注释对其进行注释以普通 Spring 方式完成的.给定两个方面，从 Ordered.getValue() 返回较低值的方面(或注释值)具有更高的优先级.

The highest precedence advice runs first "on the way in" (so given two pieces of before advice, the one with highest precedence runs first). "On the way out" from a join point, the highest precedence advice runs last (so given two pieces of after advice, the one with the highest precedence will run second).
...
You can control the order of execution by specifying precedence. This is done in the normal Spring way by either implementing the org.springframework.core.Ordered interface in the aspect class or annotating it with the Order annotation. Given two aspects, the aspect returning the lower value from Ordered.getValue() (or the annotation value) has the higher precedence.

这篇关于Spring @PostFilter 何时执行?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！