为 Spring Method Security 启用编译时 AspecJ [英] Enabling compile-time AspecJ for Spring Method Security

问题描述

Spring AOP 通过代理运行一切，遗憾的是，代理无法无处不在.为此，Spring Security 的注解 @PreAuthorize、@PostAuthorize、@PreFilter 和 @PostFilter(还有 @Secured) 当调用不通过上述代理时不会被考虑在内.代理仅为单例(@Beans)创建，因此当我们想要保护非 bean 的特定对象(例如 JPA @Entities)上的方法时，我们受到很大限制.代理也不会在调用对象内调用(bean 在 self - this 的上下文中调用其方法).

Spring AOP runs everything through proxies which sadly can't be everywhere. For this reason Spring Security's annotations @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter (also @Secured) will not be taken into consideration when calls are not going through said proxies. Proxies are created only for singletons (@Beans) so We are greatly limited when We want to secure methods on specific objects (such as JPA @Entities) that are not beans. Proxies also won't be called within calling objects (bean calling its methods in context of self - this).

我知道 Spring 不仅支持 Spring AOP，还支持真正的 AOP - AspectJ.不仅如此，它还应该支持 AspectJ 开箱即用.对此的承诺是:

I know that Spring has suppot not only for Spring AOP but also real AOP - AspectJ. Not only that, but it SHOULD support AspectJ out of box. Testament to this is:

@EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ, securedEnabled = true, prePostEnabled = true)

启用后，Spring 将需要(否则会在启动时崩溃)aspectj 依赖项，该依赖项在以下内容中提供:

When enabled, Spring will require (crash on startup otherwise) aspectj dependency, which is provided within:

'org.springframework.security:spring-security-aspects'

添加此依赖项后，我们将在类路径中拥有 AspectJ 库，并将获得:

After adding this dependency we will have AspectJ libraries in classpath and will get:

org.springframework.security.access.intercept.aspectj.aspect

与:

public aspect AnnotationSecurityAspect implements InitializingBean

但这一切都结束了.我找不到可以说明如何进一步启用 aspectj 编织的文档.设置 @EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ) 肯定会起作用，因为我们失去了标准的 Spring AOP - 安全注释在任何地方(在 Beans 上)都停止工作，同时它们不是用 AspectJ 编织的.

But here it all ends. There is no documentation that I could find that would state how to further enable aspectj weaving. Setting @EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ) certainly DOES something as we lose standard Spring AOP - security annotations stop working anywhere (on Beans) and at the same time they are not weaved with AspectJ.

有没有人了解 Spring 对这种开箱即用(编译时编织)的支持以及需要哪些进一步的配置?也许我需要自己编织它?我需要一些特定的库来构建吗?

Does anyone have some knowledge on Spring's support for this out of box (compile-time weaving) and what further configuration is needed? Maybe I need to weave it myself? Do I need some specific libraries for building?

版本:Spring 5.2.1.RELEASE(所有包).

Version: Spring 5.2.1.RELEASE (all packages).

推荐答案

@DimaSan 评论帮助我找到了一些我在搜索时遗漏的主题/问题，虽然其中许多已经过时多年，但我设法设置了我的应用程序.

@DimaSan comment helped me find few threads/issues I missed while doing my search and while many of them are too years-outdated I managed to setup my app.

事实证明，我实际上非常接近，通过在 gradle 上进行少量更新和更改依赖项/插件，我拥有了一个工作环境.

Turns out I was actually very close and by making few updates and changing dependencies/plugins on gradle I have a working environment.

Gradle: 5.6.4

与:

plugins {
    id "io.freefair.aspectj.post-compile-weaving" version "4.1.6"
}
dependencies {
    aspect 'org.springframework.security:spring-security-aspects'
    runtime 'org.springframework.security:spring-security-aspects'
}

Spring 设置在 5.2.1.RELEASE 与

Spring setup at 5.2.1.RELEASE with

spring-boot-starter-
   web
   data-jpa
   security

有了上面的设置，这实际上是唯一需要的:

With above setup this is actually only thing needed:

@EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ, securedEnabled = true, prePostEnabled = true)

最后，如果您不使用 Gradle(例如，想使用 STS/Eclipse 运行配置)，您将添加:

Finally if You are not using Gradle (e.g. want to use STS/Eclipse Run Configuration), you will add:

-javaagent:C:\Users\USER\.gradle\caches\modules-2\files-2.1\org.aspectj\aspectjweaver\1.9.4\<cache-string>\aspectjweaver-1.9.4.jar

.gradle 和 1.9.4 是我当前设置/版本的情况.

.gradle and 1.9.4 being case for my current setup/version.

请注意，这尚未经过测试(但与 JPA/Hibernate 一起使用)，例如事务管理，一旦我开始使用编织会产生问题的复杂事务，我将对其进行评论.

Note that this is yet untested (but working with JPA/Hibernate) with e.g. Transaction management and I will comment on it once I start using complex transactions where weaving would create issues.

这篇关于为 Spring Method Security 启用编译时 AspecJ的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！