Spring security CustomPermissionEvaluator不工作
MethodSecurityConfig.java
/**
 * Method-security configuration that enables {@code @PreAuthorize}/{@code @PostAuthorize}
 * and routes {@code hasPermission(...)} expressions to {@link EventWritePermissionEvaluator}.
 *
 * <p>Without an explicit evaluator, {@link DefaultMethodSecurityExpressionHandler} falls back
 * to a deny-all permission evaluator, so every {@code hasPermission(...)} check is rejected.
 *
 * <p>NOTE(review): method security only wraps beans created in the application context that
 * loads this configuration. If the secured service lives in a different context (for example
 * root vs. servlet context), or is called from inside its own class, the annotation is never
 * evaluated. Verify this when the evaluator is not being invoked.
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@ComponentScan(basePackageClasses = {EventWritePermissionEvaluator.class})
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    /** Evaluator consulted for every {@code hasPermission(...)} expression. */
    private EventWritePermissionEvaluator eventWritePermissionEvaluator;

    /**
     * Setter injection point for the permission evaluator bean.
     *
     * @param eventWritePermissionEvaluator evaluator picked up by the component scan above
     */
    @Autowired
    public void setEventWritePermissionEvaluator(
            EventWritePermissionEvaluator eventWritePermissionEvaluator) {
        this.eventWritePermissionEvaluator = eventWritePermissionEvaluator;
    }

    /**
     * Builds the expression handler used by method security and installs the custom
     * permission evaluator on it.
     *
     * @return a handler whose {@code hasPermission(...)} calls go to the injected evaluator
     */
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler =
                new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(eventWritePermissionEvaluator);
        return handler;
    }
}
CustomPermissionEvaluator
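/**
 * Permission evaluator that grants access to a {@link Checklist} when the caller belongs to
 * the same group as the creator of the checklist's event.
 *
 * <p>Every path that cannot positively establish that relationship returns {@code false}:
 * an authorization check should fail closed rather than throw or grant by default.
 *
 * <p>NOTE(review): the {@code permission} argument is not inspected, so any permission name
 * used in an expression ({@code 'write'}, {@code 'read'}, ...) is decided by the same group
 * comparison. Confirm that this is intended before reusing the evaluator for other checks.
 */
@Component
public class EventWritePermissionEvaluator implements PermissionEvaluator {

    private ChecklistService checklistService;
    private UserService userService;

    @Autowired
    public void setChecklistService(ChecklistService checklistService) {
        this.checklistService = checklistService;
    }

    @Autowired
    public void setUserService(UserService userService) {
        this.userService = userService;
    }

    /**
     * Loads the application user for the authentication held in the current security context.
     *
     * @return the user returned by {@code userService.loadUserByUsername} for the current
     *         principal name, cast to {@link CustomUser}
     */
    public CustomUser currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return (CustomUser) userService.loadUserByUsername(auth.getName());
    }

    /**
     * Decides whether the caller may act on the given checklist.
     *
     * @param authentication     the caller, as supplied by the expression handler
     * @param targetDomainObject expected to be a {@link Checklist}; anything else is denied
     * @param permission         permission name from the expression (currently not inspected)
     * @return {@code true} only if the caller's group equals the group of the event creator
     */
    @Override
    public boolean hasPermission(Authentication authentication,
            Object targetDomainObject, Object permission) {
        // Deny instead of throwing when there is no authenticated caller or the target is
        // missing or of an unexpected type.
        if (authentication == null || !authentication.isAuthenticated()
                || !(targetDomainObject instanceof Checklist)) {
            return false;
        }
        Checklist checklist = (Checklist) targetDomainObject;

        // The event is re-read through the service by id rather than taken from the object
        // that was passed in, so the decision does not depend on event/creator fields carried
        // by the argument itself.
        // NOTE(review): assumes getChecklist(...) returns non-null for this id — confirm.
        Event event = checklistService.getChecklist(checklist.getId()).getEvent();
        if (event == null || event.getCreator() == null) {
            return false;
        }
        String grp = event.getCreator().getGrp();

        // Use the Authentication handed to the evaluator and load the user once; the original
        // looked the user up again for every use.
        CustomUser user = (CustomUser) userService.loadUserByUsername(authentication.getName());
        if (user == null) {
            return false;
        }
        String userGrp = user.getGrp();

        // Temporary diagnostics from the original code; remove or move to a logger once the
        // evaluator is confirmed to be invoked.
        System.out.println("event grp:"+grp);
        System.out.println("user grp:"+userGrp);

        // A missing group on either side never matches (null is not treated as a shared group).
        return userGrp != null && userGrp.equals(grp);
    }

    /**
     * Id/type based variant. No lookup is implemented for it, so it denies access.
     *
     * <p>The original returned {@code true} here, which would authorize every
     * {@code hasPermission(id, 'Type', 'perm')} expression for any caller.
     *
     * @return always {@code false}
     */
    @Override
    public boolean hasPermission(Authentication authentication,
            Serializable targetId, String targetType, Object permission) {
        return false;
    }
}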
服务方法
/**
 * Service-layer update guarded by method security.
 *
 * <p>The expression {@code hasPermission(#ch,'write')} is dispatched to
 * {@code PermissionEvaluator.hasPermission(Authentication, Object, Object)} with {@code ch}
 * as the target object and {@code 'write'} as the permission.
 *
 * <p>NOTE(review): {@code #ch} is resolved by parameter name, so the name must be available
 * at runtime (compiled with debug information or {@code -parameters}) or be supplied with an
 * explicit parameter-name annotation. The check also only runs when this method is invoked
 * through the Spring proxy of a bean in the context where method security is enabled; a call
 * from another method of the same class bypasses it.
 */
@PreAuthorize("hasPermission(#ch,'write')")
public Map<String, Object> updateState(Checklist ch, HttpServletRequest request, HttpServletResponse response) throws MessagingException
{
// Method body is omitted on the page.
}
@PreAuthorize(“hasPermission(#ch,'write'))
公共映射更新属性(清单ch、HttpServletRequest请求、HttpServletResponse响应)抛出MessaginException
{
}
我在permissionEvaluator类中编写的hasPermission()方法不会被服务层的传入请求调用。我写错什么了吗?我在hasPermission()方法中编写了一些控制台语句来查看它们的执行情况。但我在控制台里什么也没看到
谢谢。
你想实现什么?看起来使用最新Spring Security中的UserDetailsService实现就可以完成完全相同的功能。这是我的博客文章:实现UserDetailsService;在实体上把角色实现为属性。请看上面的链接。
干杯。
在一个Spring Boot项目中,我只需要给某个配置类加上@EnableGlobalMethodSecurity(prePostEnabled=true)注解,然后创建一个PermissionEvaluator组件类,不必编写像您这样的MethodSecurityConfig。它工作得很好。