Securing Spring WebFlux controllers with Spring Security annotations, taking dynamic parameters into account (spring, spring-security, spring-webflux)


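I have an application with some controllers that require access control based on the requested resource IDs, checked against the Spring Security user Authentication roles. At the moment I have created a function that checks this condition, returning a Mono if it is OK (so that I can flatMap it) or an empty Mono (also setting a 403 status code) otherwise: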

@RestController
@RequestMapping("/api/v1/clients/{clientId}/departments/{departmentId}/users")
class UserRestController(private val userService: UserService) {

    @GetMapping
    fun getAll(principal: Principal, response: ServerHttpResponse,
               @PathVariable clientId: String, @PathVariable departmentId: String): Flux<Users> {
        // flatMapMany, not flatMap: the permission check is a Mono, the user list is a Flux
        return checkDepartmentViewPermissions(principal, response, clientId, departmentId)
                .flatMapMany {
                    userService.getAll(clientId, departmentId)
                }
    }

    ...
}

fun checkDepartmentViewPermissions(principal: Principal, response: ServerHttpResponse, 
         clientId: String, departmentId: String): Mono<Boolean> {
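    val authentication = principal as MyAuthentication
    // Emits true when the caller holds the "<clientId>:<departmentId>" authority;
    // otherwise sets 403 and completes empty, so the downstream call never runs.
    return authentication.authorities.contains(SimpleGrantedAuthority("${clientId}:${departmentId}")).toMono()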
            .filter {
                it == true
            }.switchIfEmpty {
                response.statusCode = HttpStatus.FORBIDDEN
                Mono.empty()
            }
}


Does Spring Security support doing this?
If not, can you suggest some ideas for implementing it?

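First of all, thanks to Thomas for pointing me in the right direction; I had not realized it yet. This way, there is no longer any need to inject the Principal, since the Authentication object will be passed to the bean.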

Controller

    @PreAuthorize("@permissionChecker.hasDepartmentViewPermissions(authentication, #clientId, #departmentId)")
    @GetMapping
    fun getAll(@PathVariable clientId: String, @PathVariable departmentId: String): Flux<Users> {
        return userService.getAll(clientId, departmentId)
    }

You can access method input parameters in Spring EL by prefixing their names with #, as in #departmentId, so try {principal.roles.contains(#clientId,#departmentId)}

You can write your own Spring bean and call it in Spring EL: {accessUtil.contains(#clientId,#departmentId)}

Glad I could help.

class PermissionChecker {

    fun hasDepartmentViewPermissions(authentication: Authentication, clientId: String, projectId: String): Boolean {
        ...
    }
}
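
An added example (not code from the original post) of one way the elided bean body could be written, reusing the `clientId:departmentId` authority format from the question. The `MethodSecurityConfig` class name, the `isPlainId` helper, the `departmentId` parameter name and the rule that IDs never contain `:` are assumptions.

```kotlin
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity
import org.springframework.security.core.Authentication
import org.springframework.stereotype.Component

// Method security must be switched on explicitly; without it the
// @PreAuthorize annotation on the WebFlux handler is never evaluated.
@Configuration
@EnableReactiveMethodSecurity
class MethodSecurityConfig

// The bean name has to match the "@permissionChecker" reference in the SpEL expression.
@Component("permissionChecker")
class PermissionChecker {

    fun hasDepartmentViewPermissions(
        authentication: Authentication?,
        clientId: String,
        departmentId: String
    ): Boolean {
        // Fail closed when there is no authenticated caller.
        if (authentication == null || !authentication.isAuthenticated) return false

        // Assumption: IDs never contain the ':' delimiter. Rejecting them keeps
        // ("a:b", "c") and ("a", "b:c") from mapping to the same authority "a:b:c".
        if (!isPlainId(clientId) || !isPlainId(departmentId)) return false

        // Exact match on the whole authority string, never a substring test.
        val required = "$clientId:$departmentId"
        return authentication.authorities.any { it.authority == required }
    }

    // Hypothetical helper: a path variable is usable only if non-empty and delimiter-free.
    private fun isPlainId(id: String): Boolean = id.isNotEmpty() && ':' !in id
}
```

When the expression evaluates to false, Spring Security rejects the call with an `AccessDeniedException` before `userService.getAll` is invoked, so the handler no longer has to set the 403 status itself.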