为 Spring Method Security 启用编译时 AspecJ [英] Enabling compile-time AspecJ for Spring Method Security
问题描述
Spring AOP 通过代理运行一切,遗憾的是,代理无法无处不在.为此,Spring Security 的注解 @PreAuthorize
、@PostAuthorize
、@PreFilter
和 @PostFilter
(还有 @Secured
) 当调用不通过上述代理时不会被考虑在内.代理仅为单例(@Bean
s)创建,因此当我们想要保护非 bean 的特定对象(例如 JPA @Entities
)上的方法时,我们受到很大限制.代理也不会在调用对象内调用(bean 在 self - this 的上下文中调用其方法).
Spring AOP runs everything through proxies which sadly can't be everywhere. For this reason Spring Security's annotations @PreAuthorize
, @PostAuthorize
, @PreFilter
and @PostFilter
(also @Secured
) will not be taken into consideration when calls are not going through said proxies. Proxies are created only for singletons (@Bean
s) so We are greatly limited when We want to secure methods on specific objects (such as JPA @Entities
) that are not beans. Proxies also won't be called within calling objects (bean calling its methods in context of self - this).
我知道 Spring 不仅支持 Spring AOP,还支持真正的 AOP - AspectJ.不仅如此,它还应该支持 AspectJ 开箱即用.对此的承诺是:
I know that Spring has suppot not only for Spring AOP but also real AOP - AspectJ. Not only that, but it SHOULD support AspectJ out of box. Testament to this is:
@EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ, securedEnabled = true, prePostEnabled = true)
启用后,Spring 将需要(否则会在启动时崩溃)aspectj 依赖项,该依赖项在以下内容中提供:
When enabled, Spring will require (crash on startup otherwise) aspectj dependency, which is provided within:
'org.springframework.security:spring-security-aspects'
添加此依赖项后,我们将在类路径中拥有 AspectJ 库,并将获得:
After adding this dependency we will have AspectJ libraries in classpath and will get:
org.springframework.security.access.intercept.aspectj.aspect
与:
public aspect AnnotationSecurityAspect implements InitializingBean
但这一切都结束了.我找不到可以说明如何进一步启用 aspectj 编织的文档.设置 @EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ)
肯定会起作用,因为我们失去了标准的 Spring AOP - 安全注释在任何地方(在 Beans 上)都停止工作,同时它们不是用 AspectJ 编织的.
But here it all ends. There is no documentation that I could find that would state how to further enable aspectj weaving. Setting @EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ)
certainly DOES something as we lose standard Spring AOP - security annotations stop working anywhere (on Beans) and at the same time they are not weaved with AspectJ.
有没有人了解 Spring 对这种开箱即用(编译时编织)的支持以及需要哪些进一步的配置?也许我需要自己编织它?我需要一些特定的库来构建吗?
Does anyone have some knowledge on Spring's support for this out of box (compile-time weaving) and what further configuration is needed? Maybe I need to weave it myself? Do I need some specific libraries for building?
版本:Spring 5.2.1.RELEASE(所有包).
Version: Spring 5.2.1.RELEASE (all packages).
推荐答案
@DimaSan 评论帮助我找到了一些我在搜索时遗漏的主题/问题,虽然其中许多已经过时多年,但我设法设置了我的应用程序.
@DimaSan comment helped me find few threads/issues I missed while doing my search and while many of them are too years-outdated I managed to setup my app.
事实证明,我实际上非常接近,通过在 gradle 上进行少量更新和更改依赖项/插件,我拥有了一个工作环境.
Turns out I was actually very close and by making few updates and changing dependencies/plugins on gradle I have a working environment.
Gradle: 5.6.4
与:
plugins {
id "io.freefair.aspectj.post-compile-weaving" version "4.1.6"
}
dependencies {
aspect 'org.springframework.security:spring-security-aspects'
runtime 'org.springframework.security:spring-security-aspects'
}
Spring 设置在 5.2.1.RELEASE
与
Spring setup at 5.2.1.RELEASE
with
spring-boot-starter-
web
data-jpa
security
有了上面的设置,这实际上是唯一需要的:
With above setup this is actually only thing needed:
@EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ, securedEnabled = true, prePostEnabled = true)
最后,如果您不使用 Gradle(例如,想使用 STS/Eclipse 运行配置),您将添加:
Finally if You are not using Gradle (e.g. want to use STS/Eclipse Run Configuration), you will add:
-javaagent:C:\Users\USER\.gradle\caches\modules-2\files-2.1\org.aspectj\aspectjweaver\1.9.4\<cache-string>\aspectjweaver-1.9.4.jar
.gradle
和 1.9.4
是我当前设置/版本的情况.
.gradle
and 1.9.4
being case for my current setup/version.
请注意,这尚未经过测试(但与 JPA/Hibernate 一起使用),例如事务管理,一旦我开始使用编织会产生问题的复杂事务,我将对其进行评论.
Note that this is yet untested (but working with JPA/Hibernate) with e.g. Transaction management and I will comment on it once I start using complex transactions where weaving would create issues.
这篇关于为 Spring Method Security 启用编译时 AspecJ的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!