Spring Security - How do I call the access control methods directly?
There's a lot of documentation on how to use jsp tags, aop, annotations, the application context, and all of these sorts of things... but how do I access the access control methods directly? What class do I need to create, if any? Is there a hidden bean I need to be aware of? It doesn't seem like SecurityContextHolder is the right place to look.
What I'd like to do is something like this:
if (springSecurityObject.isAuthorized("hasAnyRole('DIRECTOR', 'ADMIN')")) {
    // ... do something
}
Or even better:
if (springSecurityObject.hasAnyRole("DIRECTOR", "ADMIN")) {
    // ... do something
}
Thanks!
EDIT: It seems like the Spring Security people are using the granted authorities on the user object itself:
I think it would probably have been helpful if they abstracted out a ton of this code and put it into a nice set of classes instead - something that both the tag libraries and actual users could use. They are private helper methods after all... a common smell that they should probably exist in some classes instead.
Since they are doing the plumbing manually, I guess I have to assume that what I want doesn't exist.
Comments (1)
The only thing I can think of is invoking your UserDetailsService manually, calling getAuthorities() on the returned Authentication and then calling contains() or containsAll() on the returned collection. So you'd have something like:
Writing your own helper methods that do this would not be too hard, although I agree that having them in the API would be nice.
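One way to write such a helper, as an added example that is not part of the original post or of Spring Security itself: it reads the current Authentication from the security context and denies by default when nobody is logged in. The class name RoleChecks, its method names and the "ROLE_" prefix convention are assumptions, and spring-security-core must be on the classpath.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper (not a Spring Security class) for programmatic role checks. */
public final class RoleChecks {
    private static final String PREFIX = "ROLE_"; // assumption: authorities carry this prefix

    /** Authority names of the current caller; empty set (deny) when nobody is logged in. */
    static Set<String> currentAuthorities() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return Collections.emptySet();
        }
        return AuthorityUtils.authorityListToSet(auth.getAuthorities());
    }

    public static boolean hasAnyRole(String... roles) {
        Set<String> granted = currentAuthorities();
        return Arrays.stream(roles).map(RoleChecks::withPrefix).anyMatch(granted::contains);
    }

    public static boolean hasAllRoles(String... roles) {
        Set<String> granted = currentAuthorities();
        // An empty role list must not authorize anything (allMatch on an empty stream is true).
        return roles.length > 0
                && Arrays.stream(roles).map(RoleChecks::withPrefix).allMatch(granted::contains);
    }

    private static String withPrefix(String role) {
        return role.startsWith(PREFIX) ? role : PREFIX + role;
    }

    public static void main(String[] args) {
        // Constructed sample: no authentication in the context yet, so the check denies.
        System.out.println(hasAnyRole("DIRECTOR", "ADMIN"));
        // Constructed sample user holding ROLE_ADMIN only.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("alice", "n/a",
                        AuthorityUtils.createAuthorityList("ROLE_ADMIN")));
        System.out.println(hasAnyRole("DIRECTOR", "ADMIN"));
        System.out.println(hasAllRoles("DIRECTOR", "ADMIN"));
    }
}
```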