#oauth2 security expressions on method level

Problem description

What should I do to be able to use #oauth2 security expressions on method level like on the example below?

@RequestMapping(value = "email", method = RequestMethod.GET)
@ResponseBody
@PreAuthorize("#oauth2.hasScope('read')")
public String email() {
  return "test@email.com";
}

If I do a request to that resource I receive

[INFO] java.lang.IllegalArgumentException: Failed to evaluate expression '#oauth2.hasScope('read')'
[INFO]  at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:14)
[INFO]  at org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice.before(ExpressionBasedPreInvocationAdvice.java:44)
[INFO]  at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:57)
[INFO]  at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:25)
[INFO]  at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62)
[INFO]  at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:232)
[INFO]  at org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor.invoke(AspectJMethodSecurityInterceptor.java:43)
[INFO]  at org.springframework.security.access.intercept.aspectj.aspect.AnnotationSecurityAspect.ajc$around$org_springframework_security_access_intercept_aspectj_aspect_AnnotationSecurityAspect$1$c4d57a2b(AnnotationSecurityAspect.aj:63)
[INFO]  at pl.insert.controllers.ResourceController.email(ResourceController.java:22)

The same thing works well if I specify the access in my ResourceServerConfiguration instead of @Controllers' methods

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.requestMatchers().antMatchers("/oauth/resources/**");
    http.authorizeRequests().anyRequest().access("#oauth2.hasScope('read')");
  }
}

Standard security expressions like @PreAuthorize("permitAll") or @PreAuthorize("denyAll") work as expected. So, probably I have to somehow tell my AspectJMethodSecurityInterceptor to use OAuth2WebSecurityExpressionHandler. Any ideas?

Recommended answer

To enable #oauth2 security expressions, you only need to set the default expression handler to OAuth2MethodSecurityExpressionHandler instead of DefaultMethodSecurityExpressionHandler. Because OAuth2MethodSecurityExpressionHandler extends it anyway, the whole previous functionality remains the same. In my configuration I use both GlobalMethodSecurityConfiguration and WebSecurityConfigurerAdapter.

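import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

@Configuration
// prePostEnabled = true turns on @PreAuthorize/@PostAuthorize processing;
// with no annotation type enabled, this configuration fails at startup.
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {

  // Replace the default handler so the #oauth2 variable exists in method-level expressions.
  @Override
  protected MethodSecurityExpressionHandler createExpressionHandler() {
    return new OAuth2MethodSecurityExpressionHandler();
  }
}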

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
  ...
}


@Configuration
@Import({ SecurityConfiguration.class, MethodSecurityConfiguration.class })
public class AppConfiguration {
  ...
}
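
Added example, not part of the original question or answer: a stand-alone check that evaluates the same expression under both handlers, showing that the default handler leaves `#oauth2` undefined (producing the IllegalArgumentException from the stack trace) while the OAuth2 handler resolves it. The class name `OAuth2ExpressionHandlerDemo`, the client id `demo-client` and the token are constructed for illustration; it assumes spring-security-core and the legacy spring-security-oauth2 library on the classpath.

```java
import java.lang.reflect.Method;
import java.util.Collections;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.security.util.SimpleMethodInvocation;

// Hypothetical demo class (an assumption, not code from the page).
public class OAuth2ExpressionHandlerDemo {

  // Stand-in for the controller method guarded by @PreAuthorize.
  public String email() { return "test@email.com"; }

  static String evaluate(MethodSecurityExpressionHandler handler, String expr) throws Exception {
    // Constructed client-only token carrying the single scope "read".
    OAuth2Request request = new OAuth2Request(null, "demo-client", null, true,
        Collections.singleton("read"), null, null, null, null);
    OAuth2Authentication auth = new OAuth2Authentication(request, null);

    Method method = OAuth2ExpressionHandlerDemo.class.getMethod("email");
    SimpleMethodInvocation call =
        new SimpleMethodInvocation(new OAuth2ExpressionHandlerDemo(), method);
    try {
      // Same steps the pre-invocation advice performs: parse, build context, evaluate.
      boolean granted = ExpressionUtils.evaluateAsBoolean(
          handler.getExpressionParser().parseExpression(expr),
          handler.createEvaluationContext(auth, call));
      return granted ? "granted" : "denied";
    } catch (IllegalArgumentException e) {
      // Raised when #oauth2 is not defined in the evaluation context.
      return "error: " + e.getMessage();
    }
  }

  public static void main(String[] args) throws Exception {
    String expr = "#oauth2.hasScope('read')";
    System.out.println("default handler: "
        + evaluate(new DefaultMethodSecurityExpressionHandler(), expr));
    System.out.println("oauth2 handler:  "
        + evaluate(new OAuth2MethodSecurityExpressionHandler(), expr));
  }
}
```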
