java: Purpose of using permitAll() in the PreAuthorize annotation in Spring Security

Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must likewise follow the CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/31059528/

Date: 2020-11-02 18:01:52  Source: igfitidea

Purpose of using permitAll() in PreAuthorize annotation in Spring Security

Tags: java, security, spring-security, annotations, spring-annotations

Asked by Zack

Being new to the Spring Security framework, I wanted to know why we use @PreAuthorize("permitAll()") with methods. The documentation says that permitAll always evaluates to true. (http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html)


Also, I have the below code change. The developer makes a change from permitAll() to a specific permission check. What is the implication here? Since I am not too sure about how permitAll() works, I am not able to judge the logic behind the code change. It seems to me that the developer adds specific permission checks and passes null as the authentication object. Could someone explain what the impact is of explicitly passing null as the authentication object? Is it that users who are not authenticated will have access if they have this specific 'LUONTI' permission on the target object 'opetussuunnitelma'?


-    @PreAuthorize("permitAll()")
+    @PreAuthorize("hasPermission(null, 'opetussuunnitelma', 'LUONTI')")
     OpetussuunnitelmaDto addOpetussuunnitelma(OpetussuunnitelmaDto opetussuunnitelmaDto);
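Review bot: the `null` in `hasPermission(null, 'opetussuunnitelma', 'LUONTI')` is the target id, not the Authentication; Spring takes the current Authentication from the security context itself and calls PermissionEvaluator.hasPermission(Authentication, Serializable targetId, String targetType, Object permission), so a null id paired with a target type is the usual way to express "may this caller create an object of this type" when no instance exists yet. Whether anonymous callers pass is decided entirely by the registered PermissionEvaluator, and with none registered Spring's default evaluator denies every hasPermission() call, so the change should confirm (a comment on the annotation would do) which evaluator handles the 'opetussuunnitelma' type and the 'LUONTI' permission.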

Thanks. Any help much appreciated!


Answered by Dave Lugg

permitAll() does exactly what it says. It allows (permits) any user's (all) session to be authorized to execute that method.


The way Spring manages its authentication and authorization means that anyone accessing your site is provided with a session. This session can be anonymous or authenticated (the user has provided some kind of credential and the system has accepted it). Alternatives to permitAll() (hasPermission(), for example) will usually check the user's authentication to ensure they have some role or group assigned to them before allowing the annotated class/method to be invoked.


If permitAll() is used, it means to explicitly allow any session, anonymous or authenticated, to access the annotated method.


The code change the other developer has made has restricted the given method to something custom. Take a look at this: Spring - Expression-Based Access Control.


Answered by Echox

I feel like nobody really gave you what you really wanted, which is a use case for "permitAll()".


It can be used when you restrict your whole class or application with a certain permission, for example: @PreAuthorize("hasAuthority('USER')")


Here, only the clients identified as what you defined to be a user can have access to the methods of your class.


But at some point in your controller you want a certain method to be permissionless, so you'll add @PreAuthorize("permitAll()") to your method so that it overrides the global permission.


People will do this because it's safer to first secure everything with the highest permission lock and then poke holes in the net (e.g., the application/class is locked to ADMIN but most methods are then authorized to USER) than the other way around, because if everything is unlocked by default, the day you forget to lock a controller you could have security problems.

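The default-deny pattern from Echox's answer together with the hasPermission(null, type, permission) form from the question's diff, as an added Java example that is not code from the question, either answer, or any real project: the class is locked to USER, one method is opened with permitAll(), and a custom PermissionEvaluator decides the create permission. The service, the evaluator's policy, the OPS_LUONTI authority and the Spring Security 6 configuration style are assumptions, and the classes are shown in one file for brevity.

```java
import java.io.Serializable;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;
// Default-deny: every method of this bean requires USER unless a method overrides it.
@Service
@PreAuthorize("hasAuthority('USER')")
class OpetussuunnitelmaService {
    // Method-level annotation wins over class-level: anonymous sessions may call only this method.
    @PreAuthorize("permitAll()")
    public String health() { return "ok"; }
    // Same shape as the question's diff. The first argument is the target id, not the
    // Authentication (Spring supplies that); null id + type asks "may the caller create
    // an 'opetussuunnitelma'?" before any instance exists.
    @PreAuthorize("hasPermission(null, 'opetussuunnitelma', 'LUONTI')")
    public String add(String dto) { return "created " + dto; }
}
// Registered below; Spring's default DenyAllPermissionEvaluator would reject every hasPermission() call.
// The policy here is a constructed example, not a real project's rule.
class CreatePermissionEvaluator implements PermissionEvaluator {
    @Override // two-argument hasPermission(targetObject, permission) form, unused here
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        return false;
    }
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // Anonymous sessions get here too (as AnonymousAuthenticationToken) and are rejected.
        return auth != null && !(auth instanceof AnonymousAuthenticationToken)
            && "opetussuunnitelma".equals(targetType) && "LUONTI".equals(permission)
            && auth.getAuthorities().stream().anyMatch(a -> "OPS_LUONTI".equals(a.getAuthority()));
    }
}
@Configuration
@EnableMethodSecurity // Spring Security 5.6+/6 style (assumed); turns on @PreAuthorize
class MethodSecurityConfig {
    @Bean
    static MethodSecurityExpressionHandler expressionHandler() {
        DefaultMethodSecurityExpressionHandler h = new DefaultMethodSecurityExpressionHandler();
        h.setPermissionEvaluator(new CreatePermissionEvaluator());
        return h;
    }
}
```

Because method security is applied through the bean proxy, the rules only fire on calls that enter the service from outside; a call from one method of the class to another bypasses both annotations.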