使用Spring安全注释保护考虑动态参数的Spring Webflux控制器
我有一个带有一些控制器的应用程序,这些控制器需要根据请求的资源ID进行访问控制,并根据Spring Security用户身份验证角色进行检查。目前,我已经创建了一个函数,用于检查此条件,返回一个使用Spring安全注释保护考虑动态参数的Spring Webflux控制器,spring,spring-security,spring-webflux,Spring,Spring Security,Spring Webflux,我有一个带有一些控制器的应用程序,这些控制器需要根据请求的资源ID进行访问控制,并根据Spring Security用户身份验证角色进行检查。目前,我已经创建了一个函数,用于检查此条件,返回一个Mono是否正常(以便我可以对其进行平面映射)或一个空Mono(同时设置403状态代码),否则: @RestController @RequestMapping("/api/v1/clients/{clientId}/departments/{departmentId}/users") class Use
Mono
是否正常(以便我可以对其进行平面映射)或一个空Mono(同时设置403状态代码),否则:
@RestController
@RequestMapping("/api/v1/clients/{clientId}/departments/{departmentId}/users")
class UserRestController(private val userService: UserService) {
@GetMapping
fun getAll(principal: Principal, response: ServerHttpResponse,
@PathVariable clientId: String, @PathVariable departmentId: String): Flux<Users> {
return checkDepartmentViewPermissions(principal, response, clientId, departmentId)
.flatMap {
userService.getAll(clientId, departmentId)
}
}
...
}
fun checkDepartmentViewPermissions(principal: Principal, response: ServerHttpResponse,
clientId: String, departmentId: String): Mono<Boolean> {
val authentication = principal as MyAuthentication
authentication.authorities.contains(SimpleGrantedAuthority("${clientId}:${departmentId}")).toMono()
.filter {
it == true
}.switchIfEmpty {
response.statusCode = HttpStatus.FORBIDDEN
Mono.empty()
}
}
SpringSecurity支持这样做吗?
如果没有,你能提出一些想法来实现它吗?首先,感谢托马斯为我指明了正确的方向,我还没有意识到。这样,就不再需要注入主体,因为
身份验证
对象将被传递给bean
控制器:
@PreAuthorize("@permissionChecker.hasDepartmentViewPermissions(authentication, #clientId, #departmentId)")
@GetMapping
fun getAll(@PathVariable clientId: String, @PathVariable departmentId: String): Flux<Users> {
return userService.getAll(clientId, departmentId)
}
您可以在Spring EL中访问方法输入参数,方法是在它们的名称前面加上
#
,就像在#departmentId
中一样,所以请尝试{principal.roles.contains(#clientId,#departmentId)}
您可以编写自己的Spring bean,并在Spring EL中调用它{accessUtil.contains(#clientId,#departmentId)}
很高兴我能提供帮助。
@PreAuthorize("@permissionChecker.hasDepartmentViewPermissions(authentication, #clientId, #departmentId)")
@GetMapping
fun getAll(@PathVariable clientId: String, @PathVariable departmentId: String): Flux<Users> {
return userService.getAll(clientId, departmentId)
}
class PermissionChecker {
fun hasDepartmentViewPermissions(authentication: Authentication, clientId: String, projectId: String): Boolean {
...
}