创建自定义方法安全表达式的最佳方法 [英] Best way to create custom method security expression
问题描述
我正在尝试创建自己的方法安全表达式,我想在 @PreFilter 和 @PostFilter 注释。
I'm trying to create my own method security expressions, that I want to use in @PreFilter and @PostFilter annotations.
搜索教程和类似问题我找到了两种方法。
Searching for tutorials and similar questions I've found two ways to proceed.
首先是扩展 DefaultMethodSecurityExpressionHandler 并覆盖 createSecurityExpressionRoot ,以便提供自定义 SecurityExpressionRoot 。
The first is to extend DefaultMethodSecurityExpressionHandler and override createSecurityExpressionRoot, in order to give a customized SecurityExpressionRoot.
@PreAuthorize('isOwner(#someEntity)')
第二种方法是简单地使用@Component类并在 @Pre / @Post 使用过滤器访问其方法@ bean.method()
The second way is to simply use a @Component class and in @Pre / @Post filter accessing its methods with @bean.method()
@PreAuthorize("@mySecurityService.isOwner('#someEntityl')")
我的问题是:哪种方式首选?如果两者都可以,为什么选择另一个?
My question is: Which is the preferred way? If both are ok, why choose one ore another?
谢谢
Marco
thank you Marco
推荐答案
的优点@PreAuthorize('isOwner(#someEntity)')方式超过 @ bean.method()方式:
- 从维护的角度来看:当您更改某些方法的签名时,例如
CustomSecurityExpressionRoot .isOwner()然后你很清楚(甚至对于熟悉Spring Security的新开发人员)你需要查看所有@Pre/@Post注释。如果您对所有@Pre/@Post案例进行JUnit测试,则此优势并不那么重要。 - 语法短(你可以尝试一些简短的别名来改进
@ bean.method()方式,例如@sec。 isOwner()) - 使用
SecurityExpressionRoot,您可以自动访问身份验证,trustResolver,roles,permissionEvaluatorojects。它不是那么重要,因为你也可以轻松地将它们放入你的自定义bean中。
- From maintenance point of view: when you change signature of some method like
CustomSecurityExpressionRoot.isOwner()then it is clear for you (and even for some new developer familiar with Spring Security) that you need to review all@Pre/@Postannotations. This advantage is not so important if you have JUnit tests for all@Pre/@Postcases. - Short syntax (you can try some short alias to improve
@bean.method()way, for example@sec.isOwner()) - With
SecurityExpressionRootyou automatically have access toauthentication,trustResolver,roles,permissionEvaluatorojects. It is not so important because you can easy get them in your custom bean too.
@bean的优点.method()超过 @PreAuthorize('isOwner(#someEntity)')方式:
- 简易设置
我就像你的 @ bean.method ()方式。恕我直言,所有的差异都不那么重要(对于我以前的项目)。但我非常喜欢简易设置选项!所以对于下一个项目,我会尝试你的 @ bean.method()方式与所有 @Pre / @Post 个案。
I am like your @bean.method() way. IMHO all differences are not so important (for my previous project). But I like "easy setup" option so much! So for next project I'll try your @bean.method() way in conjuction with JUnit tests for all @Pre / @Post cases.
这篇关于创建自定义方法安全表达式的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
