时间戳

首页 > 解决方案 > 您可以在 @PreAuthorize 中使用 SpEL 引用实例属性吗?

spring - 您可以在 @PreAuthorize 中使用 SpEL 引用实例属性吗?

问题描述

有没有办法在类中使用局部变量(下面的授权角色),该变量设置了所有角色以授予对 hasAnyRole 值的端点的访问权限?例如,我想要一个角色列表,在配置中定义,并像这样填充 @PreAuthorize 中的 hasAnyRole:

@Controller("myController")
public class MyController {
private String authorizedRoles;

@Autowired
public MyController(ObjectMapper objectMapper, @Value("#{'${security.authorized-roles}'.split(',')}") String authorizedRoles) {
    this.objectMapper = objectMapper;
    this.request = request;
    this.authorizedRoles = authorizedRoles;
}

@RequestMapping(value = "/id", produces = { "application/json" }, consumes = { "application/json" }, method = RequestMethod.POST)
@PreAuthorize("hasAnyRole('#myController.authorizedRoles')")
public ResponseEntity<IdResponse> idPost(@RequestBody IdRequest body) {
  ...
}

标签: springspring-securityspring-el

解决方案

您不能使用 SpEL 以这种方式访问​​私有字段;您需要添加public String getAuthorizedRoles(),当您引用该authorizedRoles属性时,SpEL 会调用它。SpEL 了解 JavaBean 约定。

编辑

hasAnyRole()需要一个String[].

@SpringBootApplication
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class So59419703Application extends GlobalAuthenticationConfigurerAdapter {

    public static void main(String[] args) {
        SpringApplication.run(So59419703Application.class, args);
    }

    @Autowired
    private Foo foo;

    @Bean
    public ApplicationRunner runner() {
        return args -> {
            SecurityContext ctx = SecurityContextHolder.createEmptyContext();
            ctx.setAuthentication(new UsernamePasswordAuthenticationToken("foo", "bar"));
            SecurityContextHolder.setContext(ctx);
            System.out.println(foo.bar());
        };
    }

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("foo").password("bar").roles("baz");
    }

    public interface Foo {

        String bar();

        String[] getRoles();

    }

    @Component("foo")
    public static class FooImpl implements Foo {

        private final String[] roles = StringUtils.commaDelimitedListToStringArray("admin,user,baz");

        @Override
        @PreAuthorize("hasAnyRole(@foo.roles)")
        public String bar() {
            return "authOk";
        }

        @Override
        public String[] getRoles() {
            return this.roles;
        }

    }

}

authOk

推荐阅读