Original URL: http://stackoverflow.com/questions/31033200/
Warning: this content is provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
How to interpret hasPermission in spring security?
Asked by Zack
I am new to Spring Security. How do I interpret this?
@PreAuthorize("hasPermission(null, 'opetussuunnitelma', 'LUONTI')")
OpetussuunnitelmaDto addOpetussuunnitelma(OpetussuunnitelmaDto opetussuunnitelmaDto);
Which method from the permission evaluator would get called? I think the one with three parameters would get called in this case. It is checking if the current user has the 'LUONTI' permission on the target of type 'opetussuunnitelma'. Am I right? Can't we just not include "null" and pass only two parameters? I read that the first argument (the Authentication object) is not supplied.
+public class PermissionEvaluator implements org.springframework.security.access.PermissionEvaluator {
+
+ @Override
+ public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
+ LOG.error(" *** ei toteutettu *** ");
+ return true;
+ }
+
+ @Override
+ public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
+ LOG.error(" *** ei toteutettu *** ");
+ return true;
+ }
+
+ private static final Logger LOG = LoggerFactory.getLogger(PermissionEvaluator.class);
+}
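Review bot: both `hasPermission` overloads end in `return true`, so while this placeholder is the registered evaluator every `hasPermission(...)` expression grants access, and the `LOG.error(" *** ei toteutettu *** ")` ("not implemented") line only records that it happened. Return `false` from both methods so the stub fails closed until the real checks exist. Also consider a class name other than `PermissionEvaluator`, which shadows the interface and forces the fully qualified `org.springframework.security.access.PermissionEvaluator` in the `implements` clause.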
Answered by ikumen
Which method from the permission evaluator would get called?
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission)
Would get called.
I read that the first argument ( the Authentication object) is not supplied.
It's not explicitly supplied in your annotation, but implicitly supplied by Spring. Your annotation should just read
@PreAuthorize("hasPermission(#opetussuunnitelmaDto, 'LUONTI')")
Ideally I would check if they're even authenticated before performing the authorization.
@PreAuthorize("isAuthenticated() and hasPermission(#opetussuunnitelmaDto, 'LUONTI')")
Update to your comment
Basically you can call the PermissionEvaluator with either:
hasPermission('#targetDomainObject', 'permission') // method1
hasPermission('targetId', 'targetType', 'permission') // method2
Authentication will always be supplied by Spring. In your case, you are calling hasPermission the following way
hasPermission(null, 'opetussuunnitelma', 'LUONTI')
which would match method2, but passing in a null id doesn't make sense, what entity are you going to target the permission check on? Based on your method that you're applying the @PreAuthorize on,
OpetussuunnitelmaDto addOpetussuunnitelma(OpetussuunnitelmaDto opetussuunnitelmaDto);
it may make more sense to call method1 since you seem to have something that resembles a target domain object.
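The mapping described in the answer, as an added example that is not part of the original post or of Spring itself: a deny-by-default `PermissionEvaluator` showing which overload each expression form reaches. The class name, the `type:PERMISSION` authority format, the `Dto`-suffix stripping and the `#id` parameter are assumptions made for illustration; it compiles against spring-security-core.

```java
import java.io.Serializable;
import java.util.Locale;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;

// Added example: fails closed on anything it cannot decide.
// Assumption: permissions are held as authorities named "<type>:<PERMISSION>",
// e.g. "opetussuunnitelma:LUONTI" (hypothetical convention, not from the page).
public class DenyByDefaultPermissionEvaluator implements PermissionEvaluator {

    // Reached by two-argument expressions: hasPermission(#opetussuunnitelmaDto, 'LUONTI')
    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        if (targetDomainObject == null) {
            return false; // nothing to authorize against
        }
        // Assumption: the type name is the class name without "Dto" (OpetussuunnitelmaDto -> Opetussuunnitelma)
        String type = targetDomainObject.getClass().getSimpleName().replaceFirst("Dto$", "");
        return isGranted(auth, type, permission);
    }

    // Reached by three-argument expressions: hasPermission(#id, 'opetussuunnitelma', 'LUONTI')
    // (#id is a hypothetical method parameter)
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType,
                                 Object permission) {
        if (targetId == null || targetType == null) {
            return false; // a null id names no entity, so deny
        }
        // A per-instance check would load the entity by targetId here; this sketch is type-level only.
        return isGranted(auth, targetType, permission);
    }

    // Grants only to an authenticated, non-anonymous caller holding the exact authority.
    private static boolean isGranted(Authentication auth, String type, Object permission) {
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken
                || !(permission instanceof String)) {
            return false;
        }
        String required = type.toLowerCase(Locale.ROOT) + ":" + permission;
        return auth.getAuthorities().stream().anyMatch(a -> required.equals(a.getAuthority()));
    }
}
```

It takes effect once it is the evaluator on the method-security expression handler (`DefaultMethodSecurityExpressionHandler.setPermissionEvaluator`); the handler's default evaluator denies every `hasPermission` check.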