Java 多方法的MethodSecurityInterceptor
我想使用Spring Security保护我的服务层。正如文档中所解释的,我需要使用一个Java 多方法的MethodSecurityInterceptor,java,spring-security,Java,Spring Security,我想使用Spring Security保护我的服务层。正如文档中所解释的,我需要使用一个MethodSecurityInterceptor,它将检查是否允许方法调用 要决定是否允许对给定用户进行服务方法调用,对调用的方法影响所需的角色(使用MethodSecurityMetadataSource)对我来说是不够的,因为它还取决于传递给方法的参数。正如文档中所建议的,我可以编写一个自定义的AccessDecisionVoter,并通过安全对象访问参数(在本例中为MethodInvocation)
MethodSecurityInterceptorMethodSecurityMetadataSourceAccessDecisionVoterMethodInvocation- 我可以在
中使用条件逻辑来确定调用的方法和要使用的授权逻辑,但这似乎是一个丑陋的解决方案AccessDecisionVoter - 我可以为每个要保护的方法定义一个
。根据Spring文档,一个MethodSecurityInterceptor
用于保护许多方法,因此我认为还有另一种方法MethodSecurityInterceptor
AfterInvocationProvider有哪些替代方案?我通过实现自己的
AccessDecisionManagerAccessDecisionStrategypublic interface AccessDecisionStrategy {
void decide(Authentication authentication, MethodInvocation methodInvocation, ConfigAttribute configAttribute);
}
AccessDecisionManagerpublic class MethodSecurityAccessDecisionManager implements AccessDecisionManager {
private Map<String, AccessDecisionStrategy> strategyMap;
public MethodSecurityAccessDecisionManager(Map<String, AccessDecisionStrategy> strategyMap) {
this.strategyMap = strategyMap;
}
@Override
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
ConfigAttribute configAttribute = getSingleConfigAttribute(configAttributes);
AccessDecisionStrategy accessDecisionStrategy = strategyMap.get(configAttribute.getAttribute());
if (accessDecisionStrategy == null) {
throw new IllegalStateException("AccessDecisionStrategy with name "
+ configAttribute.getAttribute() + " was not found!");
}
try {
accessDecisionStrategy.decide(authentication, (MethodInvocation) object, configAttribute);
} catch (ClassCastException e) {
throw new IllegalStateException();
}
}
private ConfigAttribute getSingleConfigAttribute(Collection<ConfigAttribute> configAttributes) {
if (configAttributes == null || configAttributes.size() != 1) {
throw new IllegalStateException("Invalid config attribute configuration");
}
return configAttributes.iterator().next();
}
@Override
public boolean supports(ConfigAttribute attribute) {
return true;
}
@Override
public boolean supports(Class<?> clazz) {
return clazz.equals(MethodInvocation.class);
}
}
<bean id="methodSecurityAccessDecisionManager"
class="some.package.MethodSecurityAccessDecisionManager">
<constructor-arg>
<map>
<entry key="GetByOwner">
<bean class="some.package.GetByOwnerStrategy"/>
</entry>
<entry key="SomeOther">
<bean class="some.package.SomeOtherStrategy"/>
</entry>
</map>
</constructor-arg>
</bean>
Long0MethodInvocationExtractor<Long> extractor = new MethodInvocationExtractor<>(methodInvocation);
Long id = extractor.getArg(0);
MethodInvocationExtractor=newmethodinvocationextractor(methodInvocation);
Long id=extractor.getArg(0);
@PreAuthorize(“”)@Service
public class MySecurityExpressionHandler extends
DefaultMethodSecurityExpressionHandler {
@Override
public StandardEvaluationContext createEvaluationContextInternal(
Authentication auth, MethodInvocation mi) {
StandardEvaluationContext evaluationContext = super
.createEvaluationContextInternal(auth, mi);
SomeMethodInfoData methodInfoData = mi.getMethod(). ...;
evaluationContext.setVariable("someData", <value computed based on method info data>);
}
return evaluationContext;
}
+1表示将对象强制转换为Decise()中的MethodInvocation的指针。Spring文档缺少这一重要信息……如果有人需要它,我添加了如何使用Java配置实现它(我的项目使用Spring引导)。请看我的答案。对于许多用例,不需要实现您自己的decisionmanager。相反,您可以直接编写一个方法并从
@Preauthorize<sec:global-method-security secured-annotations="enabled"
access-decision-manager-ref="methodSecurityAccessDecisionManager">
</sec:global-method-security>
import org.aopalliance.intercept.MethodInvocation;
public class MethodInvocationExtractor<ArgumentType> {
private MethodInvocation methodInvocation;
public MethodInvocationExtractor(MethodInvocation methodInvocation) {
this.methodInvocation = methodInvocation;
}
public ArgumentType getArg(int num) {
try {
Object[] arguments = methodInvocation.getArguments();
return (ArgumentType) arguments[num];
} catch (ClassCastException | ArrayIndexOutOfBoundsException e) {
throw new IllegalStateException();
}
}
}
MethodInvocationExtractor<Long> extractor = new MethodInvocationExtractor<>(methodInvocation);
Long id = extractor.getArg(0);
@Service
public class MySecurityExpressionHandler extends
DefaultMethodSecurityExpressionHandler {
@Override
public StandardEvaluationContext createEvaluationContextInternal(
Authentication auth, MethodInvocation mi) {
StandardEvaluationContext evaluationContext = super
.createEvaluationContextInternal(auth, mi);
SomeMethodInfoData methodInfoData = mi.getMethod(). ...;
evaluationContext.setVariable("someData", <value computed based on method info data>);
}
return evaluationContext;
}
<security:global-method-security
pre-post-annotations="enabled">
<security:expression-handler
ref="mySecurityExpressionHandler" />
</security:global-method-security>
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("#<someData>")
public @interface CustomSecurityAnnotation { ... }
@MyUserRoleCheck(MyAppRole.Admin)
public void someMethod()