2015-10-05

Spring Security CustomPermissionEvaluator not working

MethodSecurityConfig.java

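import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@ComponentScan(basePackageClasses = {EventWritePermissionEvaluator.class})
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    private EventWritePermissionEvaluator eventWritePermissionEvaluator;

    @Autowired
    public void setEventWritePermissionEvaluator(
            EventWritePermissionEvaluator eventWritePermissionEvaluator) {
        this.eventWritePermissionEvaluator = eventWritePermissionEvaluator;
    }

    // Plug the custom evaluator into the handler that resolves hasPermission(...) expressions.
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
        expressionHandler.setPermissionEvaluator(eventWritePermissionEvaluator);
        return expressionHandler;
    }
}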

CustomPermissionEvaluator

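import java.io.Serializable;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

// ChecklistService, UserService, CustomUser, Checklist and Event are the project's own classes.
@Component
public class EventWritePermissionEvaluator implements PermissionEvaluator {

    private ChecklistService checklistService;
    private UserService userService;

    @Autowired
    public void setChecklistService(ChecklistService checklistService) {
        this.checklistService = checklistService;
    }

    @Autowired
    public void setUserService(UserService userService) {
        this.userService = userService;
    }

    // Reloads the currently authenticated user through the project's UserService.
    public CustomUser currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        CustomUser customUser = (CustomUser) userService.loadUserByUsername(auth.getName());
        return customUser;
    }

    // Grants access when the current user's group matches the group of the event's creator.
    @Override
    public boolean hasPermission(Authentication authentication,
            Object targetDomainObject, Object permission) {
        Checklist checklist = (Checklist) targetDomainObject;
        Event event = checklistService.getChecklist(checklist.getId()).getEvent();
        String grp = event.getCreator().getGrp();
        System.out.println("event grp:" + grp);
        System.out.println("user grp:" + currentUser().getGrp());
        return currentUser().getGrp().equals(grp);
    }

    // Always returns true: every hasPermission(id, type, permission) expression is granted.
    @Override
    public boolean hasPermission(Authentication authentication,
            Serializable targetId, String targetType, Object permission) {
        return true;
    }
}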

ServiceMethod

@PreAuthorize("hasPermission(#ch,'write')")
public Map<String, Object> updateState(Checklist ch, HttpServletRequest request, HttpServletResponse response) throws MessagingException
{
    // method body left empty in the post
}

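The hasPermission() method I wrote in the permissionEvaluator class is not being invoked for requests coming into the service layer. What did I write wrong? I put some console statements in the hasPermission() method to see whether it executes, but I don't see anything in the console.

Thanks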


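In a Spring Boot project, I simply annotate some configuration class with @EnableGlobalMethodSecurity(prePostEnabled = true) and then create a PermissionEvaluator component class. There is no need to write a MethodSecurityConfig like yours. It works well. – Sanjay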
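A stand-alone check for the symptom described in the question, added here as an example (not code from the post or from Spring): it registers a PermissionEvaluator bean the way the comment above describes, then shows that hasPermission() runs only when the @PreAuthorize method is called on the container-managed, proxied bean. DemoService, DenyAllEvaluator and the user "alice" are hypothetical names, and spring-security-config (a 4.x/5.x version that provides @EnableGlobalMethodSecurity) with its dependencies is assumed to be on the classpath.

```java
import java.io.Serializable;
import java.util.concurrent.atomic.AtomicInteger;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class PermissionEvaluatorWiringCheck {
    static final AtomicInteger CALLS = new AtomicInteger();
    // Hypothetical stand-in for the post's service class (must be proxyable: public, non-final).
    public static class DemoService {
        @PreAuthorize("hasPermission(#ch, 'write')")
        public String updateState(String ch) { return "updated " + ch; }
    }
    // Counts calls and denies everything, so a guarded invocation must throw.
    public static class DenyAllEvaluator implements PermissionEvaluator {
        public boolean hasPermission(Authentication a, Object target, Object perm) {
            CALLS.incrementAndGet();
            return false;
        }
        public boolean hasPermission(Authentication a, Serializable id, String type, Object perm) { return false; }
    }
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public static class Config {
        @Bean public DemoService demoService() { return new DemoService(); }
        @Bean public PermissionEvaluator permissionEvaluator() { return new DenyAllEvaluator(); }
    }
    public static void main(String[] args) {
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("alice", "n/a", "ROLE_USER")); // constructed user
        try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(Config.class)) {
            try {
                ctx.getBean(DemoService.class).updateState("c1");
                System.out.println("container bean: call was NOT guarded");
            } catch (AccessDeniedException e) {
                System.out.println("container bean: denied, evaluator calls = " + CALLS.get());
            }
            // An instance created with 'new' is not wrapped by the security proxy.
            System.out.println("plain instance: " + new DemoService().updateState("c2") + ", evaluator calls = " + CALLS.get());
        }
    }
}
```

If the first line reports a denial and the second call succeeds without the counter moving, the evaluator is wired correctly and only proxied calls are checked.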

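Answer

What are you trying to achieve? It looks like I could achieve exactly the same functionality by using the latest Spring Security's UserDetailsService implementation.

Here is my blog post on this

Implementing UserDetailsService: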

http://www.yjsblog.com/2015/10/05/how-to-implement-custom-spring-security-authentication-with-userdetailsservice/

Implementing the role property on an entity:

http://www.yjsblog.com/2015/10/05/userdetails-role-from-database-or-as-an-entity-property/

Please have a look at the links above. Cheers,