Spring MVC controller inheritance with spring security
Problem description
I'm trying to create a generic controller using Spring MVC 3.2.3 and Spring Security 3.1.3. What I'm trying to achieve is something like this:
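
    import org.springframework.ui.ModelMap;
    import org.springframework.web.bind.annotation.PathVariable;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;

    public abstract class DataController<E extends PersistentEntity> {
        protected abstract E getEntity(String id);

        // Handler declared once here and inherited by every concrete controller.
        @RequestMapping(value="/view/{id}", method=RequestMethod.GET)
        public String view(@PathVariable("id") String id, ModelMap map) {
            E ent = getEntity(id);
            map.put("entity", ent); // was "entity", which is not defined
            return "showEntity";
        }
    }
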
My extended class will have a specific controller mapping in the class name so that I can access the URL by using the controller name:
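
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.access.annotation.Secured;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    @RequestMapping("/company**")
    @Secured("ROLE_ADMIN") // class-level rule placed on the subclass only
    public class CompaniesController extends DataController<Company> {
        @Autowired
        private AppService appService;

        @Override
        protected Company getEntity(String id) {
            return appService.getCompany(id);
        }
    }
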
My problem is that the URL /company/view is not secured by ROLE_ADMIN and can be accessed by anyone, (I think) because the /view is not defined in the controller where the @Secured is being used.
This can be fixed by just overriding the view method and defining the mapping in my company class:
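
    . . .
    @Override
    @RequestMapping(value = "/view/{id}", method = RequestMethod.GET)
    // @PathVariable is repeated here: parameter annotations are not inherited by an override.
    public String view(@PathVariable("id") String id, ModelMap map) {
        return super.view(id, map);
    }
    . . .
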
In this case the security works correctly, but I want to know if there is another method. Since I have a lot of methods in my abstract class, this will create a problem and a mess to override all methods just to call the super.
Is there a way to fix this issue?
Thanks everyone for the help :)
Recommended answer
I know it's a year later, but I had the same problem and figured out a possible solution for this. It is not 100% annotation based, but works and is somewhat elegant
Abstract superclass:
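
    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.ui.ModelMap;
    import org.springframework.web.bind.annotation.PathVariable;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;

    // this.roles resolves to getRoles() on the concrete controller instance.
    @PreAuthorize("hasAnyRole(this.roles)")
    public abstract class DataController<E extends PersistentEntity>
    {
        protected abstract E getEntity(String id);

        // Public (was protected) so the SpEL property reference this.roles can find the getter.
        public abstract String[] getRoles();

        @RequestMapping(value="/view/{id}", method=RequestMethod.GET)
        public String view(@PathVariable("id") String id, ModelMap map) {
            E ent = getEntity(id);
            map.put("entity", ent); // was "entity", which is not defined
            return "showEntity";
        }
    }
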
On the subclass you simply implement getRoles() to return an array of roles that are required to access this class.
@PreAuthorize is another way to check authentication, that allows you to use SpEL expressions. this.roles refers to the getRoles() property on the annotated object.
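
A reflection check for the gap the question describes, as an added example that is not part of the question or the answer: it lists handler methods that a controller inherits from a class carrying no security annotation of its own. The `RequestMapping` and `Secured` annotations are local stand-ins so the file compiles without Spring, the `edit` and `list` handlers are constructed, and the rule that a class-level annotation only covers methods declared in that class is the asker's hypothesis, taken here as an assumption.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Stand-in annotations (assumption): swap in the Spring MVC / Spring Security ones in a real project.
@Retention(RetentionPolicy.RUNTIME) @interface RequestMapping { String value(); }
@Retention(RetentionPolicy.RUNTIME) @interface Secured { String value(); }

abstract class DataController {
    @RequestMapping("/view/{id}")              // no rule on the method or on this class
    public String view(String id) { return "showEntity"; }

    @RequestMapping("/edit/{id}")              // constructed handler
    @Secured("ROLE_ADMIN")                     // a method-level rule travels with the method
    public String edit(String id) { return "editEntity"; }
}

@RequestMapping("/company**")
@Secured("ROLE_ADMIN")                         // class-level rule on the subclass only
class CompaniesController extends DataController {
    @RequestMapping("/list")                   // constructed handler, declared in the secured class
    public String list() { return "listEntities"; }
}

public class InheritedHandlerAudit {
    /** Handlers reachable through 'controller' whose own declaration carries no rule. */
    static List<String> unprotectedInherited(Class<?> controller) {
        List<String> findings = new ArrayList<>();
        for (Method m : controller.getMethods()) {
            if (!m.isAnnotationPresent(RequestMapping.class)) continue;
            Class<?> declaring = m.getDeclaringClass();
            boolean onMethod = m.isAnnotationPresent(Secured.class);
            boolean onDeclaringClass = declaring.isAnnotationPresent(Secured.class);
            // Assumption: class-level rules are looked up on the declaring class, not the subclass.
            if (declaring != controller && !onMethod && !onDeclaringClass) {
                findings.add(declaring.getSimpleName() + "#" + m.getName()
                        + " exposed via " + controller.getSimpleName());
            }
        }
        Collections.sort(findings);
        return findings;
    }

    public static void main(String[] args) {
        for (String f : unprotectedInherited(CompaniesController.class)) System.out.println(f);
    }
}
```

Run against every controller class in a build step, a non-empty result points at inherited endpoints that need a rule on the base class or on the method itself.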