@PreAuthorize Spring控制器中的嵌套方法 [英] @PreAuthorize on a nested method in Spring controller

问题描述

我有spring bean，其中有两种方法

I have spring bean in which I have two methods

@Secured({"ROLE_ADMIN"})
public void update(Person person) {  
   if(person.isActive())
      changeData(person);
}

@PreAuthorize("hasPermission(#person,CHANGE_PERSON_FULL)")
public void changeData(Person person) {
...
}

我添加了自定义 MethodSecurityExpressionHandler 。我已经设置 @EnableGlobalMethodSecurity（securedEnabled = true，prePostEnabled = true）。当注释 @PreAuthorize 高于更新（人员）时，一切正常。我需要在changeData上执行PreAuthorize。它与代理有关吗？我需要使用方法changeData创建单独的bean吗？是否可以强制spring检查嵌套方法的安全性？

I have added my custom MethodSecurityExpressionHandler. I have setup @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true). Everything works ok when annotation @PreAuthorize is above update(Person person). I need to perform PreAuthorize on changeData. Is it something related to proxy? Do I need to create seperate bean with method changeData? Is it possible to force spring to check security on nested method?

推荐答案

当你调用 changeData（）时直接来自 update（），您不会通过代理。只有使用带注释的行为增强了代理调用。

When you call changeData() directly from update(), you are not going through a proxy. Only proxy calls are enhanced with annotated behavior.

您可以将该方法移动到另一个bean，但您也可以在同一个bean中调用它，但是通过代理使用类似的东西这个：

You could move that method to another bean, but you could also call it in the same bean but through a proxy using something like this:

@Secured({"ROLE_ADMIN"})
public void update(Person person) {  
   if(person.isActive()) {
      context.getBean(MyBean.class).changeData(person);
   }
}

这篇关于@PreAuthorize Spring控制器中的嵌套方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！