
- prefiltering: filters the method parameters
17.1 Applying prefiltering for method authorization
Define the configuration class:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreFilter / @PostFilter
public class ProjectConfig {

    @Bean
    public UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager uds = new InMemoryUserDetailsManager();
        UserDetails u1 = User.withUsername("nikolai")
                .password("123345")
                .authorities("read")
                .build();
        UserDetails u2 = User.withUsername("julien")
                .password("12345")
                .authorities("write")
                .build();
        uds.createUser(u1);
        uds.createUser(u2);
        return uds;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // no-op encoder: passwords are stored in plain text, for the demo only
        return NoOpPasswordEncoder.getInstance();
    }
}

Define a service:

import java.util.List;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

// Product is a simple POJO with name and owner fields (not shown in these notes)
@Service
public class ProductService {

    /**
     * Only products whose owner is the authenticated user may be sold;
     * the aspect removes the other elements from the list before the
     * method body runs.
     * @param products
     * @return
     */
    @PreFilter("filterObject.owner == authentication.name")
    public List<Product> sellProducts(List<Product> products) {
        return products;
    }
}

Define a controller:

import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ProductController {

    @Autowired
    private ProductService productService;

    @GetMapping("/sell")
    public List<Product> sellProduct() {
        // a mutable list: @PreFilter removes elements in place
        ArrayList<Product> products = new ArrayList<>();
        products.add(new Product("beer", "nikolai"));
        products.add(new Product("candy", "nikolai"));
        products.add(new Product("chocolate", "julien"));
        return productService.sellProducts(products);
    }
}
Start the project and test:

The collection passed in must not be immutable; otherwise the aspect throws an exception when it tries to remove elements.

17.2 Applying postfiltering for method authorization
Postfiltering can only be applied to methods whose return value is an array or a collection.

filterObject refers to each element of the returned collection; authentication refers to the authenticated object stored in the SecurityContext.

The controller's logic:
Test result:
17.3 Using filtering in Spring Data repositories
Add the dependency:


Configuration file:
spring.datasource.url=jdbc:mysql://localhost:3306/spring?useUnicode=true&characterEncoding=UTF-8&serverTimezone=Asia/Shanghai
spring.datasource.username=root
spring.datasource.password=root
spring.datasource.initialization-mode=always

Entity class:

Repository:
Controller:
Start and test:
Using @PostFilter in a repository is not the best choice: we should make sure we never select data from the database that we do not need. Instead:
- add SecurityEvaluationContextExtension to the Spring context
- adjust the query condition so the filtering happens in the query itself
This class is provided by the spring-security-data dependency.

Start and test: the result is the same as with the previous approach.
