MethodSecurityConfig.java Spring Security CustomPermissionEvaluator 不工作
/**
 * Method-security configuration that installs the project's
 * {@link EventWritePermissionEvaluator} as the evaluator behind
 * {@code hasPermission(...)} in pre/post authorization expressions.
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@ComponentScan(basePackageClasses = {EventWritePermissionEvaluator.class})
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    /** Evaluator injected by the container through the setter below. */
    private EventWritePermissionEvaluator eventWritePermissionEvaluator;

    /**
     * Receives the evaluator bean found by the component scan declared on this class.
     *
     * @param eventWritePermissionEvaluator evaluator to hand to the expression handler
     */
    @Autowired
    public void setEventWritePermissionEvaluator(
            EventWritePermissionEvaluator eventWritePermissionEvaluator) {
        this.eventWritePermissionEvaluator = eventWritePermissionEvaluator;
    }

    /**
     * Builds the expression handler used for method security and attaches the
     * custom permission evaluator to it.
     *
     * @return a default handler whose permission evaluator is the injected one
     */
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler =
                new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(this.eventWritePermissionEvaluator);
        return handler;
    }
}
CustomPermissionEvaluator
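/**
 * Permission evaluator behind {@code hasPermission(...)} security expressions.
 *
 * <p>Access to a {@link Checklist} is granted only when the caller's group equals
 * the group of the user who created the checklist's event. Any path that cannot
 * establish that fact denies access.
 */
@Component
public class EventWritePermissionEvaluator implements PermissionEvaluator {

    private ChecklistService checklistService;
    private UserService userService;

    /**
     * @param checklistService service used to reload the checklist being checked
     */
    @Autowired
    public void setChecklistService(ChecklistService checklistService) {
        this.checklistService = checklistService;
    }

    /**
     * @param userService service used to load the application user by name
     */
    @Autowired
    public void setUserService(UserService userService) {
        this.userService = userService;
    }

    /**
     * Loads the application user for the authentication held in the current
     * security context.
     *
     * @return the user returned by the user service for the current principal name
     */
    public CustomUser currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return (CustomUser) userService.loadUserByUsername(auth.getName());
    }

    /**
     * Decides whether the caller may act on the given checklist.
     *
     * @param authentication the caller, as supplied by the security framework
     * @param targetDomainObject the object named in the expression; anything that
     *        is not a {@link Checklist} is denied
     * @param permission the permission named in the expression
     * @return {@code true} only when the caller's group equals the event creator's group
     */
    @Override
    public boolean hasPermission(Authentication authentication,
            Object targetDomainObject, Object permission) {
        // NOTE(review): `permission` is not inspected, so every permission name
        // is decided by the same group comparison. Confirm that is intended
        // before this evaluator is reused for anything other than 'write'.

        // Deny instead of failing with a ClassCastException or
        // NullPointerException when the expression is applied to a missing
        // caller or to an object of another type (instanceof is false for null).
        if (authentication == null || !(targetDomainObject instanceof Checklist)) {
            return false;
        }
        Checklist requested = (Checklist) targetDomainObject;

        // The checklist is reloaded by id so the decision rests on what the
        // service returns rather than on fields of the object passed by the caller.
        Event event = checklistService.getChecklist(requested.getId()).getEvent();
        if (event == null || event.getCreator() == null) {
            return false;
        }
        String eventGrp = event.getCreator().getGrp();

        // Use the Authentication handed to this method, which is the caller the
        // decision is being made for, and load that user once.
        CustomUser user = (CustomUser) userService.loadUserByUsername(authentication.getName());
        if (user == null) {
            return false;
        }

        // Diagnostic output kept from the original; it belongs behind the
        // application's logger at debug level rather than on stdout.
        System.out.println("event grp:" + eventGrp);
        System.out.println("user grp:" + user.getGrp());

        // A missing group on either side never matches.
        return user.getGrp() != null && user.getGrp().equals(eventGrp);
    }

    /**
     * Identifier-based variant used by
     * {@code hasPermission(#id, 'Type', 'permission')} expressions.
     *
     * @return always {@code false}; no lookup by identifier is implemented
     */
    @Override
    public boolean hasPermission(Authentication authentication,
            Serializable targetId, String targetType, Object permission) {
        // Fail closed: an unimplemented check must not authorize. Returning
        // true here would grant every identifier-based expression to any caller.
        return false;
    }
}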
ServiceMethod
/**
 * Service-layer operation guarded by a method-security expression.
 *
 * <p>The expression passes the {@code ch} argument and the literal {@code 'write'}
 * to the two-argument {@code hasPermission}, which the expression handler forwards
 * to the configured PermissionEvaluator's
 * {@code hasPermission(Authentication, Object, Object)}.
 *
 * <p>NOTE(review): the annotation is enforced by a Spring proxy, so the check only
 * runs when this method is invoked on the Spring-managed bean from another bean;
 * a direct call from inside the same class, or on an instance created with
 * {@code new}, is not intercepted. Confirm how the caller obtains this service.
 *
 * <p>NOTE(review): {@code #ch} is resolved by parameter name, so the compiled class
 * must carry parameter names for the expression to see the argument.
 */
@PreAuthorize("hasPermission(#ch,'write')")
public Map<String, Object> updateState(Checklist ch, HttpServletRequest request, HttpServletResponse response) throws MessagingException
{
// Body not shown in the original post.
}
我在permissionEvaluator类中编写的hasPermission()方法未针对传入服务层的请求进行调用。我写错了什么?我在hasPermission()方法中编写了一些控制台语句来查看它们的执行情况。但我在控制台中没有看到任何东西。
谢谢
在Spring Boot项目中,我只需使用@EnableGlobalMethodSecurity(prePostEnabled = true)注释某个配置类,然后创建一个PermissionEvaluator组件类。不必像你的一样编写一个MethodSecurityConfig。它运作良好。 – Sanjay