Spring security SpringDataREST:基于安全性的投影
我正在使用和的当前版本,并拥有以下实体:Spring security SpringDataREST:基于安全性的投影,spring-security,jackson,spring-data-jpa,spring-data-rest,Spring Security,Jackson,Spring Data Jpa,Spring Data Rest,我正在使用和的当前版本,并拥有以下实体: public class User { @Id @GeneratedValue private Long id; private String name; private String password; private String email; ...getter/setter methods... } 我还使用了Spring-Security 我的用户存储库: @RepositoryRe
public class User {
@Id
@GeneratedValue
private Long id;
private String name;
private String password;
private String email;
...getter/setter methods...
}
Spring-Security @RepositoryRestResource(
collectionResourceRel = "user",
path = "user",
excerptProjection = UserSimpleProjection.class)
public interface UserRepository extends PagingAndSortingRepository<User, Long> {
}
@Projection(name = "detailed", types = User.class)
public interface UserDetailProjection extends UserSimpleProjection{
public String getEmail();
}
是否有办法根据Spring安全性自动切换投影和/或限制不同角色的不同投影?否,Spring Data REST投影不支持此功能。您可以在投影中添加一个“虚拟”值属性,通过安全检查调用服务方法:
@Projection(name = "detailed", types = User.class)
public interface UserDetailProjection extends UserSimpleProjection{
@Value("#{@userService.checkAccess(target)? target.email : null}")
public String getEmail();
}
UserServicecheckAccess(…)@PreAuthorizeAccessDeniedExceptiontrue注意,SpEL中的
target.regexMatchers(HttpMethod.GET,"/user/.*projection=simple.*").hasRole("ROLE_ADMIN")
你有没有根据角色进行预测?没有,对不起。我当时放弃了,做了自定义控制器。为什么这个@Value(#{principal.username.equalsIgnoreCase('admin')?target.password:null})不起作用,因为
principal@#myvar@mybean@PreAuthorizeMethodSecurityExpressionHandler@ValueSpelAwareProxyProjectionFactory.regexMatchers(HttpMethod.GET,"/user/.*projection=simple.*").hasRole("ROLE_ADMIN")