Fatal编程技术网
  • spring/
  • Spring@PreAuthorize将null传递给服务

Spring@PreAuthorize将null传递给服务

spring spring-security

Spring@PreAuthorize将null传递给服务,spring,spring-security,Spring,Spring Security,我对@PreAuthorize和检查指定用户是否可以访问搜索项目的服务有问题 获取项目的一个服务调用DistributionRequest工作正常-@PreAuthorize接收并传递正确的distId。另一个updateDistributionRequestExportFileName也获取正确的distId并将其传递给distributionRequestService。在方法userbelongstorecipientofDistributionRequest中,distId为null 带

我对@PreAuthorize和检查指定用户是否可以访问搜索项目的服务有问题

获取项目的一个服务调用DistributionRequest工作正常-@PreAuthorize接收并传递正确的distId。另一个updateDistributionRequestExportFileName也获取正确的distId并将其传递给distributionRequestService。在方法userbelongstorecipientofDistributionRequest中,distId为null

带有两个web服务的SpringRestController

@RestController
@RequestMapping(produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
public class DistributionRequestRESTController {

    @Autowired
    private @Getter @Setter DistributionRequestService distributionRequestService;

    private final Logger log = LoggerFactory.getLogger(this.getClass());
    private String logResponse = " - response: ";

    @Autowired
    public DistributionRequestRESTController(DistributionRequestService distributionRequestService) {
        this.distributionRequestService = distributionRequestService;
    }

    @RequestMapping(value = Consts.URLDISTRIBUTIONREQUEST + Consts.URLDISTREQID)
    public DistributionRequest callDistributionRequest(@PathVariable long distId) {

        String loginfo = "get distribution with id: " + distId;
        //log.info(loginfo);

        DistributionRequest found = distributionRequestService.findOne(distId);

        log.info(loginfo + logResponse + JSONParser.toJsonString(found));

        return found;
    }

    @RequestMapping(method = RequestMethod.POST, value = Consts.URLDISTRIBUTIONREQUEST + Consts.URLDISTREQID + Consts.URLUPDATE + Consts.URLFILENAME)
    public DistributionRequest updateDistributionRequestExportFileName(
            @PathVariable long distId,
            @RequestBody String fileName,
            @AuthenticationPrincipal UserDetails user) {

        String loginfo = user.getUsername() + " try to update filename with : " + fileName;
        //log.info(loginfo);

        DistributionRequest updated =
                distributionRequestService.updateExportFilename(distId, fileName);

        log.info(loginfo + logResponse + JSONParser.toJsonString(updated));

        return updated;
    }

}
服务接口:

public interface DistributionRequestService {

    @PreAuthorize(value = "hasAnyAuthority('USER', 'ADMIN') and @distributionRequestOwnerService.userBelongsToRecipientOfTheDistributionRequest(#distId)")
    DistributionRequest findOne(Long distId);

    @PreAuthorize(value = "hasAnyAuthority('USER', 'ADMIN') and @distributionRequestOwnerService.userBelongsToRecipientOfTheDistributionRequest(#distId)")
    DistributionRequest updateExportFilename(Long distId, String filename);
}
以及检查用户是否可以访问搜索项的类

@Service(value = "distributionRequestOwnerService")
public class DistributionRequestOwnerServiceImpl implements DistributionRequestOwnerService {

    @Autowired
    private AccountService accountService;

    @Autowired
    private DistributionRequestsRepository distributionRequestsRepository;

    @Override
    public boolean userBelongsToRecipientOfTheDistributionRequest(Long distId) {
        return userBelongsToRecipientOfTheDistributionRequest(distId, null);
    }

    @Override
    public boolean userBelongsToRecipientOfTheDistributionRequest(Long distributionRequestId, String username) {
        DistributionRequest distributionRequest = distributionRequestsRepository.findOne(distributionRequestId);

        ServiceAccount currentUser;
        if (username == null)
            currentUser = accountService.getCurrentUser();
        else
            currentUser = accountService.findByUsername(username);

        if (distributionRequest != null
                && distributionRequest.getRecipientId() == currentUser.getRecipientId())
            return true;

        throw new AercacheWSException(Consts.EXCEPTIONMISSINGELEMENTORPERMITION);
    }

}
有什么想法吗

提前感谢

找到了解决方案

应注释接口中的as@teppic点参数

public interface DistributionRequestService {

    @PreAuthorize(value = "hasAnyAuthority('USER', 'ADMIN') and @distributionRequestOwnerService.userBelongsToRecipientOfTheDistributionRequest(#distId)")
    DistributionRequest findOne(@Param("distId") Long distId);

    @PreAuthorize(value = "hasAnyAuthority('USER', 'ADMIN') and @distributionRequestOwnerService.userBelongsToRecipientOfTheDistributionRequest(#distId)")
    DistributionRequest updateExportFilename(@Param("distId") Long distId, String filename);
}
找到了解决办法

应注释接口中的as@teppic点参数

public interface DistributionRequestService {

    @PreAuthorize(value = "hasAnyAuthority('USER', 'ADMIN') and @distributionRequestOwnerService.userBelongsToRecipientOfTheDistributionRequest(#distId)")
    DistributionRequest findOne(@Param("distId") Long distId);

    @PreAuthorize(value = "hasAnyAuthority('USER', 'ADMIN') and @distributionRequestOwnerService.userBelongsToRecipientOfTheDistributionRequest(#distId)")
    DistributionRequest updateExportFilename(@Param("distId") Long distId, String filename);
}