如何使用 Spring AOP 实现基于注解的安全性? [英] How to implement annotation based security using Spring AOP?

问题描述

我是 Spring AOP(以及一般的 AOP)的新手，需要实现以下内容:

I'm new to Spring AOP (and AOP in general), need to implement the following:

@HasPermission(operation=SecurityOperation.ACTIVITY_EDIT, object="#act")
public Activity updateActivity(Activity act)
{
   ...
}

@HasPermission 是我自定义的注解，用来标记所有需要预授权的方法.我正在使用基于 Apache Shiro 的自定义安全检查实现.一般来说，我想我需要定义切入点来匹配所有带注释的方法，并提供方面的实现(之前或周围).

@HasPermission is my custom annotation, which will be used to mark all methods requiring pre-authorization. I'm using my custom implementation of security checks based on Apache Shiro. Generally, I guess that I will need to define pointcut which matches all annotated methods and also provide implementation of the aspect (either before or around).

我的问题是重新.方面的实施.

Questions I have are re. aspect implementation.

• 如何从注释中提取操作和对象参数?
• 如何解析对象定义中的 SpEL 表达式并将对象作为act"参数传递?

推荐答案

我知道这是一个迟到的答案，但在我们将一些 JavaEE 项目迁移到 Spring 之后，我们基于 AspectJ 创建了一些基本的安全模型:

I know it's a late answer but after we were migrating some JavaEE project to Spring we made some basic security model based on AspectJ:

首先，我们使用自定义的 @OperationAuthorization 注释我们的服务方法:

Firstly we annotate our service methods with custom @OperationAuthorization :

@OperationAuthorization
public ListOfUserGroupsTo getUserGroupsByClientId(Integer clientId) throws GenericException {
    return userGroupRepository.getAllUserGroupsForClient(clientId);
}

然后我们有一个带有 @Aspect 的类 &@Component 使用特定注解拦截方法的注解:

Then we have a class with @Aspect & @Component annotations which intercepts methods with specific annotations:

@Aspect 
@Component
public class AuthorizationAspect {

@Autowired
AuthorizationService authorizationService;

@Before(value = "@annotation(ch.avelon.alcedo.authorization.annotations.OperationAuthorization)")
public void before(JoinPoint joinPoint) throws Throwable {
    Object[] args = joinPoint.getArgs();
    Method method = ((MethodSignature) joinPoint.getSignature()).getMethod();

    authorizationService.checkOperationAuthorization(method, args);
}

在AuthorizationService 中，传递了一个包含所有参数的方法.检查客户端是否有权限获取用户组.如果不是:抛出我们的异常并停止方法.

In AuthorizationService a method with all arguments are passed. Check whether the client is authorized to get user groups. If it's not: throw our Exception and method stops.

这篇关于如何使用 Spring AOP 实现基于注解的安全性?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！