Spring security CustomPermissionEvaluator不工作_Spring_Spring Mvc_Spring Security

Spring security CustomPermissionEvaluator不工作

spring spring-mvc spring-security

Spring security CustomPermissionEvaluator不工作,spring,spring-mvc,spring-security,Spring,Spring Mvc,Spring Security,MethodSecurityConfig.java @Configuration @EnableGlobalMethodSecurity(prePostEnabled=true) @ComponentScan(basePackageClasses={EventWritePermissionEvaluator.class}) public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration{ priva

MethodSecurityConfig.java

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled=true)
@ComponentScan(basePackageClasses={EventWritePermissionEvaluator.class})
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration{

    private EventWritePermissionEvaluator eventWritePermissionEvaluator;

    @Autowired
    public void setEventWritePermissionEvaluator(
            EventWritePermissionEvaluator eventWritePermissionEvaluator) {
        this.eventWritePermissionEvaluator = eventWritePermissionEvaluator;
    }  

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler expressionHandler=new DefaultMethodSecurityExpressionHandler();
        expressionHandler.setPermissionEvaluator(eventWritePermissionEvaluator);
        return expressionHandler;
    }
}

CustomPermissionEvaluator

@Component
public class EventWritePermissionEvaluator implements PermissionEvaluator{

    private ChecklistService checklistService;
    private UserService userService;

    @Autowired
    public void setChecklistService(ChecklistService checklistService) {
        this.checklistService = checklistService;
    }

    @Autowired
    public void setUserService(UserService userService) {
        this.userService = userService;
    }

    public CustomUser currentUser()
    {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        CustomUser customUser=(CustomUser) userService.loadUserByUsername(auth.getName());
        return customUser;
    }

    @Override
    public boolean hasPermission(Authentication authentication,
            Object targetDomainObject, Object permission) {
        Checklist checklist=(Checklist) targetDomainObject;
        Event event=checklistService.getChecklist(checklist.getId()).getEvent();
        String grp=event.getCreator().getGrp();
        System.out.println("event grp:"+grp);
        System.out.println("user grp:"+currentUser().getGrp());
        if(currentUser().getGrp().equals(grp))
            return true;
        else
            return false;
    }

    @Override
    public boolean hasPermission(Authentication authentication,
            Serializable targetId, String targetType, Object permission) {
        return true;
    }

}

服务方法

    @PreAuthorize("hasPermission(#ch,'write')")
    public Map<String, Object> updateState(Checklist ch, HttpServletRequest request, HttpServletResponse response) throws MessagingException 
    {

    }

@PreAuthorize（“hasPermission（#ch，'write'））
公共映射更新属性（清单ch、HttpServletRequest请求、HttpServletResponse响应）抛出MessaginException
{
}

我在permissionEvaluator类中编写的hasPermission（）方法不会被服务层的传入请求调用。我写错什么了吗？我在hasPermission（）方法中编写了一些控制台语句来查看它们的执行情况。但我在控制台里什么也没看到

谢谢

你想实现什么？似乎我可以通过使用最新的SpringSecurity中的UserDetailsService实现实现完全相同的功能

这是我的博客文章

实现UserDetailsService：

在实体上实现角色作为属性：

请看上面的链接。

干杯，

在一个Spring Boot项目中，我只需要用@EnableGlobalMethodSecurity（prespenabled=true）注释一些配置类，然后创建一个PermissionEvaluator组件类。不必编写像您这样的MethodSecurityConfig。它工作得很好。