请引用为什么我的 @PreAuthorize("hasPermission(#user,'write')") 不起作用的真正问题
基本上我正在尝试检查普通用户
我的 Controller 类
package com.***.appconfig.controller;
import com.***.appconfig.dao.UserDaoImplementation;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;
import com.***.appconfig.model.User;
import com.***.appconfig.security.CustomPermissionEvaluator;
@Controller
public class CheckPermissionController {
public static User user = new User();
UserDaoImplementation userDao = new UserDaoImplementation();
Boolean directPermission = false;
CustomPermissionEvaluator customPermissionEvaluator = new CustomPermissionEvaluator();
@RequestMapping("/checkPermission")
protected ModelAndView direct() throws Exception {
System.out.println("in direct");
user.setUserName("andrew");
userDao.addListValues(user);
System.out.println("before assign");
directPermission = userDao.assignUser(user);
System.out.print("after assign");
if (directPermission) {
return new ModelAndView("checkPermission");
} else {
return new ModelAndView("login");
}
}
}
这是我的道
import com.***.appconfig.model.User;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
import java.util.HashMap;
@Component
public class UserDaoImplementation implements UserDao {
@Override
public User addListValues(User user) {
HashMap < String, String > permissionList = new HashMap < String, String > ();
permissionList.put("server", "write");
user.setPermissionList(permissionList);
return null;
}
@PreAuthorize("hasPermission(#user,'write')")
public Boolean assignUser(User user) {
System.out.println("in assign");
return true;
}
}
这是我的 CustomPermissionEvaluator
package com.***.appconfig.security;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import com.***.appconfig.controller.CheckPermissionController;
import com.***.appconfig.model.User;
import com.***.appconfig.dao.UserDaoImplementation;
import java.io.Serializable;
import java.util.HashMap;
public class CustomPermissionEvaluator implements PermissionEvaluator {
public static User user;
public UserDaoImplementation userDao;
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
setPermissions();
String targetType = targetDomainObject.getClass().getSimpleName().toUpperCase();
HashMap < String, String > permissionList = user.getPermissionList();
System.out.print("before check");
if (permissionList.containsValue("write")) {
System.out.print("success check");
hasPermission = true;
}
return hasPermission;
}
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
Boolean hasPermission = false;
return hasPermission;
}
public void setPermissions() {
user.setUserName("andrew");
userDao.addListValues(user);
}
}
我创建了一个重复的用户对象,以便动态填充 PermissionEvaluator。hasPermission() 覆盖未被调用。
这是我的 spring-security.xml
<http auto-config="true">
<access-denied-handler error-page="/403page" />
<intercept-url pattern="/user" access="ROLE_USER" />
<intercept-url pattern="/admin" access="ROLE_ADMIN" />
<form-login login-page='/login' username-parameter="username" password-parameter="password" default-target-url="/user" authentication-failure-url="/login?authfailed" />
<logout logout-success-url="/login?logout" />
</http>
<global-method-security pre-post-annotations="enabled" secured-annotations="enabled">
<expression-handler ref="expressionHandler" />
</global-method-security>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username,password, enabled from users where username=?" authorities-by-username-query="select username, role from user_roles where username =? " />
</authentication-provider>
</authentication-manager>
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="permissionEvaluator" />
</beans:bean>
<beans:bean name="permissionEvaluator" class="com.coolminds.appconfig.security.CustomPermissionEvaluator" />undefined</beans:beans>
最佳答案
您的 Controller 类应该注入(inject)所有依赖项,以确保 Spring 可以创建适当的代理对象:
package com.***.appconfig.controller;
import com.***.appconfig.dao.UserDaoImplementation;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;
import com.***.appconfig.model.User;
@Inject
UserDao userDao;
@Controller
public class CheckPermissionController {
@RequestMapping("/checkPermission")
protected ModelAndView direct() throws Exception {
User user = new User();
boolean directPermission = false;
System.out.println("in direct");
user.setUserName("andrew");
userDao.addListValues(user);
System.out.println("before assign");
directPermission = userDao.assignUser(user);
System.out.print("after assign");
if (directPermission) {
return new ModelAndView("checkPermission");
} else {
return new ModelAndView("login");
}
}
}
关于java - Spring Security 中的 hasPermission() 不会调用自定义 PermissionEvaluator,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/41998789/