Spring Data Rest: Security based projection


Problem description

I am using the current version of Spring Data Rest and Spring Data JPA and have the following entity:

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

@Entity
public class User {
    @Id
    @GeneratedValue
    private Long id;
    private String name;
    private String password;
    private String email;
    // ...getter/setter methods...
}

I am also using Spring Security.

My user repository:

import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

@RepositoryRestResource(
        collectionResourceRel = "user",
        path = "user",
        excerptProjection = UserSimpleProjection.class)
public interface UserRepository extends PagingAndSortingRepository<User, Long> {

}

For example:

  • User 1 is logged in
  • User 1 requests http://localhost:8080/user/1 - all fields are visible
  • User 1 requests http://localhost:8080/user/2 - just id and name are visible.

I tried different solutions with Jackson; none of them solved my problem:

  • Use of JsonView: I found no way to change the view for the ObjectMapper depending on the logged-in user.
  • Implemented different Jackson filters as described here, with the same issue: I found no way to change the ObjectMapper config for the different requests.

Then I found projections.

I created a projection:

import org.springframework.data.rest.core.config.Projection;

@Projection(name = "simple", types = User.class)
public interface UserSimpleProjection {

    public Long getId();

    public String getName();
}

And another, more detailed one:

import org.springframework.data.rest.core.config.Projection;

@Projection(name = "detailed", types = User.class)
public interface UserDetailProjection extends UserSimpleProjection {

    public String getEmail();
}

So far so good, I get different results depending on my request.

Is there a way to automatically switch the projection depending on Spring Security and/or limit different projections to different roles?

Recommended answer

You can add a "virtual" value property into the projection that invokes a service method with security checks:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.data.rest.core.config.Projection;

@Projection(name = "detailed", types = User.class)
public interface UserDetailProjection extends UserSimpleProjection {

    // SpEL: ask the userService bean whether the caller may see this target's email
    @Value("#{@userService.checkAccess(target) ? target.email : null}")
    public String getEmail();
}

Your custom UserService component would return true if the email should be exposed, or simply has @PreAuthorize on checkAccess(..) to throw an AccessDeniedException, whichever is better for you.

Note, the target property in the SpEL holds the original object, provided by Spring Data.
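As an added example, not part of the original answer, here is one way the userService bean referenced by that SpEL expression could be implemented, showing both variants the answer mentions. It assumes the authenticated principal's name equals User.name, that User exposes a getName() getter, and that administrators hold the authority ROLE_ADMIN.

```java
import java.util.Objects;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

// Hypothetical "userService" bean behind the projection's SpEL expression
//   #{@userService.checkAccess(target) ? target.email : null}
// Assumptions: principal name == User.name, admins carry "ROLE_ADMIN".
@Service("userService")
public class UserService {

    // Variant 1: return a boolean, so the projection renders null instead
    // of the email when access is denied (the response stays HTTP 200).
    public boolean checkAccess(User target) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Fail closed: no principal, anonymous caller, or no target -> no email.
        if (auth == null
                || auth instanceof AnonymousAuthenticationToken
                || !auth.isAuthenticated()
                || target == null) {
            return false;
        }
        boolean isSelf = Objects.equals(auth.getName(), target.getName());
        boolean isAdmin = auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        return isSelf || isAdmin;
    }

    // Variant 2: let Spring Security enforce the rule. A denied call throws
    // AccessDeniedException, which Spring Data REST turns into HTTP 403,
    // so the whole representation is refused rather than one field nulled.
    // Needs method security enabled, e.g. @EnableGlobalMethodSecurity(prePostEnabled = true),
    // and parameter names available to SpEL (-parameters, or @P("target")).
    @PreAuthorize("#target.name == authentication.name or hasRole('ADMIN')")
    public boolean checkAccessOrThrow(User target) {
        return true;
    }
}
```

Whichever variant is used, projections only take effect when the client asks for one (?projection=detailed) or through excerptProjection on collection resources; a plain GET /user/1 renders the entity itself. Fields that must never leave the server, such as password, therefore need @JsonIgnore on the entity regardless of projection.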
