I have the following service method in my application:
@Override
@Secured({Authority.ACCESS_FUNDING})
@PreAuthorize("hasPermission(principal, 'MODIFY')")
public FundingAllocation newFundingAllocation(FundingAllocationForm fundingAllocationForm) {
    return newFundingAllocation(fundingAllocationForm, null);
}
But I noticed that the @Secured annotation is ignored and only the @PreAuthorize check is executed.
I have the following Spring Security configuration:
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
    <security:expression-handler ref="securityExpressionHandler"/>
</security:global-method-security>
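Does anyone know whether it is possible to combine the annotations on one method?
Best answer
According to the Javadoc on DelegatingMethodSecurityMetadataSource, it will use the first metadata source it finds. So it is not intended to mix the two. The rationale is also explained in https://github.com/spring-projects/spring-security/issues/2116.
The official docs also state: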
You can enable more than one type of annotation in the same application, but only one type should be used for any interface or class as the behaviour will not be well-defined otherwise. If two annotations are found which apply to a particular method, then only one of them will be applied.
So don't do this; write the correct expression in your @PreAuthorize:
@PreAuthorize("hasAuthority('ACCESS_FUNDING') and hasPermission(principal, 'MODIFY')")
as suggested by jmw5598's answer.
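Because a dropped @Secured check fails silently, it is worth detecting the mixed usage before it ships. The following is an added example, not code from the question, the answer or Spring Security: a reflection check that reports methods where both annotation types apply, assuming spring-security-core is on the classpath. The class names `MixedSecurityAnnotationCheck` and `SampleFundingService` are hypothetical, and only annotations declared directly on the scanned class and its methods are inspected (not those inherited from interfaces).

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;

// Added example (hypothetical class): flags places where @Secured and
// @PreAuthorize are mixed, so that one of the two checks is not silently lost.
public class MixedSecurityAnnotationCheck {

    /** Returns "Class#method" for each declared method to which both
     *  annotation types apply, at method level or via the declaring class. */
    public static List<String> findMixed(Class<?>... types) {
        List<String> hits = new ArrayList<>();
        for (Class<?> type : types) {
            boolean classSecured = type.isAnnotationPresent(Secured.class);
            boolean classPre = type.isAnnotationPresent(PreAuthorize.class);
            for (Method m : type.getDeclaredMethods()) {
                if (m.isSynthetic()) {
                    continue; // skip compiler-generated bridge/lambda methods
                }
                boolean secured = classSecured || m.isAnnotationPresent(Secured.class);
                boolean pre = classPre || m.isAnnotationPresent(PreAuthorize.class);
                if (secured && pre) {
                    hits.add(type.getSimpleName() + "#" + m.getName());
                }
            }
        }
        return hits;
    }

    // Constructed sample, modelled on the service method in the question.
    static class SampleFundingService {
        @Secured("ACCESS_FUNDING")
        @PreAuthorize("hasPermission(principal, 'MODIFY')")
        public void mixed() { }

        @PreAuthorize("hasAuthority('ACCESS_FUNDING') and hasPermission(principal, 'MODIFY')")
        public void combined() { }
    }

    public static void main(String[] args) {
        List<String> mixed = findMixed(SampleFundingService.class);
        mixed.forEach(name -> System.out.println("mixed annotations: " + name));
        if (!mixed.isEmpty()) {
            System.exit(1); // non-zero exit lets a build step fail on findings
        }
    }
}
```

Run against the sample class, this reports only `SampleFundingService#mixed`; the method that folds both checks into a single @PreAuthorize expression passes.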
Regarding java - combining @Secured and @PreAuthorize annotations on one method, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/42964400/