Java Spring Security @PreAuthorize bypass for a specific role

Tags: java, spring, spring-security, authorization

I am using Spring Security and need help with a global role, SUPER, that must bypass every @PreAuthorize on the endpoints when the token carries it. Here is an example endpoint:

@GetMapping
@PreAuthorize("(hasAuthority('DOMAIN_FIND_ALL'))")
public ResponseEntity<ResponseDTO<List<DomainDTO>>> findAll() {
    return ResponseEntity.ok().body(domainService.findAll());
}

But it doesn't work. Does anyone have any ideas about this?

For a more detailed explanation, see the following (mainly section 6). The code my answer is based on is:

The following code works for me:

@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests()
            .otherStuffs..
            .antMatchers("/**").authenticated();  // hasRole("SUPER") isn't required here
}
Override the default MethodSecurityExpressionOperations interface:

public class MySecurityExpressionRoot implements MethodSecurityExpressionOperations {

  // Same properties as in the provided source
  // link for MySecurityExpressionRoot
  ...

  public MySecurityExpressionRoot(Authentication authentication) {
    if (authentication == null) {
        throw new IllegalArgumentException("Authentication object cannot be null");
    }
    this.authentication = authentication;
  }

  // This is the ONLY change: as you can see, "SUPER" was added as an allowed authority
  @Override
  public final boolean hasAuthority(String authority) {
    return this.hasAnyAuthority(authority, "SUPER");
  }

  // The rest of the code is the same as in the provided source
  // link for MySecurityExpressionRoot
  ...
}
Now we need to add the class above to the Spring configuration:

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;

@Configuration  // Required, although not included in the "source CustomMethodSecurityExpressionHandler" class
public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
  private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

  // Replace the stock MethodSecurityExpressionRoot with the SUPER-aware one
  @Override
  protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) {
    final MySecurityExpressionRoot root = new MySecurityExpressionRoot(authentication);
    root.setPermissionEvaluator(getPermissionEvaluator());
    root.setTrustResolver(this.trustResolver);
    root.setRoleHierarchy(getRoleHierarchy());
    return root;
  }
}
Now you can verify it with the following dummy GET endpoint:

@GetMapping("/add-new-user")
@PreAuthorize("hasAuthority('ADMIN')")
public ResponseEntity<String> addNewUser() {
    return new ResponseEntity<>("[add-new-user] Testing purpose", OK);
}

Any user with the ADMIN or SUPER role can access it.
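One caveat with the answer above: its root changes only hasAuthority, so a SUPER token still fails a @PreAuthorize that uses hasRole, hasAnyAuthority or hasPermission, and the bypass never reaches the HttpSecurity URL rules at all. The following is an added example, not code from the question or the answer, that closes those gaps for method security: it wraps the stock SecurityExpressionRoot (its check methods are final, which is why the answer had to re-implement the interface instead of subclassing) and lets SUPER satisfy every authority, role and permission check while leaving denyAll and the authentication-state checks untouched. The class names, the authority string "SUPER" and the sample principals are assumptions; the Spring Security types and the wiring in createSecurityExpressionRoot follow what DefaultMethodSecurityExpressionHandler does for its own root in Spring Security 5.x and 6.x.

```java
// Added example: not the question's or the answer's code. Class names and the
// "SUPER" authority string are assumptions; the Spring Security APIs are real.
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/** Expression root in which the SUPER authority satisfies every authority, role and permission check. */
public final class SuperBypassExpressionRoot implements MethodSecurityExpressionOperations {
    static final String SUPER_AUTHORITY = "SUPER";

    // The stock SecurityExpressionRoot does the real work. Its hasAuthority/hasRole methods are
    // final, so it is wrapped rather than extended; it is abstract, so an empty subclass instantiates it.
    private final SecurityExpressionRoot delegate;
    private Object filterObject, returnObject, target;

    public SuperBypassExpressionRoot(Authentication authentication) {
        this.delegate = new SecurityExpressionRoot(authentication) { };
    }

    // Goes through the delegate, so a configured RoleHierarchy that reaches SUPER also counts.
    private boolean isSuper() { return delegate.hasAuthority(SUPER_AUTHORITY); }

    // Checks that SUPER short-circuits: authorities, roles and hasPermission alike.
    @Override public boolean hasAuthority(String a) { return isSuper() || delegate.hasAuthority(a); }
    @Override public boolean hasAnyAuthority(String... a) { return isSuper() || delegate.hasAnyAuthority(a); }
    @Override public boolean hasRole(String r) { return isSuper() || delegate.hasRole(r); }
    @Override public boolean hasAnyRole(String... r) { return isSuper() || delegate.hasAnyRole(r); }
    @Override public boolean hasPermission(Object t, Object p) { return isSuper() || delegate.hasPermission(t, p); }
    @Override public boolean hasPermission(Object id, String type, Object p) { return isSuper() || delegate.hasPermission(id, type, p); }

    // Checks SUPER must NOT change: denyAll stays deny, and an anonymous or remember-me session is not promoted.
    @Override public Authentication getAuthentication() { return delegate.getAuthentication(); }
    @Override public boolean permitAll() { return delegate.permitAll(); }
    @Override public boolean denyAll() { return delegate.denyAll(); }
    @Override public boolean isAnonymous() { return delegate.isAnonymous(); }
    @Override public boolean isAuthenticated() { return delegate.isAuthenticated(); }
    @Override public boolean isRememberMe() { return delegate.isRememberMe(); }
    @Override public boolean isFullyAuthenticated() { return delegate.isFullyAuthenticated(); }

    // Method-security plumbing used by @PreFilter/@PostFilter/@PostAuthorize and #this.
    @Override public void setFilterObject(Object f) { this.filterObject = f; }
    @Override public Object getFilterObject() { return filterObject; }
    @Override public void setReturnObject(Object r) { this.returnObject = r; }
    @Override public Object getReturnObject() { return returnObject; }
    @Override public Object getThis() { return target; }
    void setThis(Object t) { this.target = t; }
    void setPermissionEvaluator(PermissionEvaluator e) { delegate.setPermissionEvaluator(e); }
    void setTrustResolver(AuthenticationTrustResolver r) { delegate.setTrustResolver(r); }
    void setRoleHierarchy(RoleHierarchy h) { delegate.setRoleHierarchy(h); }
    void setDefaultRolePrefix(String p) { delegate.setDefaultRolePrefix(p); }

    /** Wires the root in the same way DefaultMethodSecurityExpressionHandler wires its own root. */
    @Configuration
    public static class Config {
        @Bean
        static MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
            return new DefaultMethodSecurityExpressionHandler() {
                @Override
                protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
                        Authentication authentication, MethodInvocation invocation) {
                    SuperBypassExpressionRoot root = new SuperBypassExpressionRoot(authentication);
                    root.setThis(invocation.getThis());
                    root.setPermissionEvaluator(getPermissionEvaluator());
                    root.setTrustResolver(getTrustResolver());
                    root.setRoleHierarchy(getRoleHierarchy());
                    root.setDefaultRolePrefix(getDefaultRolePrefix());
                    return root;
                }
            };
        }
    }

    /** Offline check with constructed tokens (assumed principals); no Spring context is needed. */
    public static void main(String[] args) {
        Authentication superUser = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("SUPER"));
        Authentication plainUser = new UsernamePasswordAuthenticationToken(
                "bob", "n/a", AuthorityUtils.createAuthorityList("DOMAIN_FIND_ALL"));
        SuperBypassExpressionRoot s = new SuperBypassExpressionRoot(superUser);
        SuperBypassExpressionRoot p = new SuperBypassExpressionRoot(plainUser);
        System.out.println("SUPER hasAuthority('ADMIN'): " + s.hasAuthority("ADMIN"));   // SUPER does not hold ADMIN
        System.out.println("SUPER hasRole('AUDITOR'):    " + s.hasRole("AUDITOR"));      // roles are covered as well
        System.out.println("SUPER denyAll():             " + s.denyAll());               // denyAll is not bypassed
        System.out.println("plain hasAuthority('ADMIN'): " + p.hasAuthority("ADMIN"));   // ordinary user, no bypass
    }
}
```

Config has to live in a component-scanned package (or be @Import-ed); with @EnableGlobalMethodSecurity (5.x) or @EnableMethodSecurity (6.x) the single MethodSecurityExpressionHandler bean is picked up automatically. Because SUPER is now equivalent to every permission in the application, treat its issuance like an administrative credential: restrict which clients the token issuer will mint it for, and log every request that relied on the bypass.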
