Spring Data Rest: Security based projection
Question
I am using the current version of Spring Data Rest and Spring Data JPA and have the following entity:
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

@Entity
public class User {
    @Id
    @GeneratedValue
    private Long id;
    private String name;
    private String password;   // must never be exposed
    private String email;      // should only be visible to the user themself
    // ...getter/setter methods...
}
I am also using Spring Security.
My user repository:
import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

@RepositoryRestResource(
        collectionResourceRel = "user",
        path = "user",
        excerptProjection = UserSimpleProjection.class)
public interface UserRepository extends PagingAndSortingRepository<User, Long> {
}
For example:
- User 1 is logged in
- User 1 requests http://localhost:8080/user/1 - all fields are visible
- User 1 requests http://localhost:8080/user/2 - just id and name are visible.
I tried different solutions with Jackson, none of them solved my problem:
- Use of JsonView: I found no way to change the view for the ObjectMapper depending on the logged in User
- Implemented different Jackson Filters as described here, with the same issue that I found no way to change the ObjectMapper config for the different requests.
Then I found projections. I created a projection:
import org.springframework.data.rest.core.config.Projection;

@Projection(name = "simple", types = User.class)
public interface UserSimpleProjection {
    Long getId();
    String getName();
}
And another, more detailed one:
import org.springframework.data.rest.core.config.Projection;

@Projection(name = "detailed", types = User.class)
public interface UserDetailProjection extends UserSimpleProjection {
    String getEmail();
}
So far so good, I get different results depending on my request.
Is there a way to automatically switch the projection depending on Spring Security and/or limit different Projections to different roles?
Recommended answer
You can add a "virtual" value property into the projection that invokes a service method with security checks:
import org.springframework.beans.factory.annotation.Value;
import org.springframework.data.rest.core.config.Projection;

@Projection(name = "detailed", types = User.class)
public interface UserDetailProjection extends UserSimpleProjection {
    // "target" is the User entity being rendered; the email is only
    // exposed when the service's security check passes
    @Value("#{@userService.checkAccess(target) ? target.email : null}")
    String getEmail();
}
Where your custom UserService component would return true if email should be exposed, or simply has @PreAuthorize on checkAccess(..) to throw an AccessDeniedException, whatever is better for you.
Note, the target property in the SpEL holds the original object - provided by Spring-DATA.