Java Spring Security @PreAuthorize: bypass for a specific role
Tags: java, spring, spring-security, authorization

I am using Spring Security and need help with a global role SUPER that must bypass every @PreAuthorize on the endpoints whenever the token carries it. Here is an example endpoint:

@GetMapping
@PreAuthorize("(hasAuthority('DOMAIN_FIND_ALL'))")
public ResponseEntity<ResponseDTO<List<DomainDTO>>> findAll() {
    return ResponseEntity.ok().body(domainService.findAll());
}
But it doesn't work. Does anyone have an idea about this?

For a more detailed explanation, see the following (mainly section 6). The code on which my answer is based is:
The following code works for me:
@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
        // .otherStuffs.. (the rest of your matchers go here)
        .antMatchers("/**").authenticated(); // hasRole("SUPER") isn't required here
}
Override the default implementation of the MethodSecurityExpressionOperations interface:
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.core.Authentication;

public class MySecurityExpressionRoot implements MethodSecurityExpressionOperations {
    // Same fields as in the provided class
    // (see the link for MySecurityExpressionRoot)
    // ...
    public MySecurityExpressionRoot(Authentication authentication) {
        if (authentication == null) {
            throw new IllegalArgumentException("Authentication object cannot be null");
        }
        this.authentication = authentication;
    }
    // This is the ONLY change: as you can see, "SUPER" was added as an allowed authority
    @Override
    public final boolean hasAuthority(String authority) {
        return this.hasAnyAuthority(authority, "SUPER");
    }
    // The rest of the code is the same as in the provided class
    // (see the link for MySecurityExpressionRoot)
    // ...
}
Now we need to register the above class in the Spring configuration:
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;

@Configuration // Required, although not included in the "source CustomMethodSecurityExpressionHandler" class
public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication,
                                                                              MethodInvocation invocation) {
        final MySecurityExpressionRoot root = new MySecurityExpressionRoot(authentication);
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(this.trustResolver);
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }
}
Now you can verify it with the following dummy GET endpoint:

@GetMapping("/add-new-user")
@PreAuthorize("hasAuthority('ADMIN')")
public ResponseEntity<String> addNewUser() {
    return new ResponseEntity<>("[add-new-user] Testing purpose", HttpStatus.OK);
}
Any user with the ADMIN or SUPER authority can access it.
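As an added check that is not part of the answer above, the class below evaluates a few @PreAuthorize-style expressions directly against MySecurityExpressionRoot with two constructed tokens, so you can see which expressions the SUPER authority actually satisfies before relying on it as a global override. It assumes the rest of MySecurityExpressionRoot is copied unchanged from Spring's SecurityExpressionRoot, as the answer says; under that assumption only hasAuthority(...) goes through the override, while hasAnyAuthority(...) and hasRole(...) call the copied hasAnyAuthorityName directly and never consult SUPER.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added check, not part of the answer: evaluates method-security expressions against
// MySecurityExpressionRoot (the class from the answer) outside the web layer.
public class SuperBypassCheck {

    // Constructed sample token: an authenticated user holding exactly these authorities.
    static Authentication userWith(String... authorities) {
        return new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList(authorities));
    }

    // Evaluates one SpEL expression the way method security does: the security root is the
    // expression's root object, so hasAuthority('X') resolves to root.hasAuthority("X").
    static boolean allowed(String expression, Authentication auth) {
        MySecurityExpressionRoot root = new MySecurityExpressionRoot(auth);
        StandardEvaluationContext ctx = new StandardEvaluationContext(root);
        Expression expr = new SpelExpressionParser().parseExpression(expression);
        return Boolean.TRUE.equals(expr.getValue(ctx, Boolean.class));
    }

    public static void main(String[] args) {
        Authentication plain = userWith("DOMAIN_FIND_ONE"); // holds neither ADMIN nor SUPER
        Authentication superUser = userWith("SUPER");       // holds only the global authority

        String[] expressions = {
                "hasAuthority('DOMAIN_FIND_ALL')",   // routed through the overridden hasAuthority
                "hasAuthority('ADMIN')",             // same path
                "hasAnyAuthority('ADMIN', 'AUDIT')", // copied unchanged: SUPER is not consulted
                "hasRole('ADMIN')"                   // copied unchanged: checks ROLE_ADMIN only
        };
        for (String e : expressions) {
            System.out.printf("%-36s plain=%-5b SUPER=%b%n",
                    e, allowed(e, plain), allowed(e, superUser));
        }
    }
}
```

Run it with the answer's MySecurityExpressionRoot on the classpath; if you need SUPER to cover hasAnyAuthority and hasRole too, those methods need the same treatment in the copied class.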