[英]Spring MVC custom authorization/security for controller methods
Looking to create a custom implementation to authorize requests. 寻找创建自定义实现以授权请求。
I am evaluating options to avoid using annotations on every method in the controller. 我正在评估选项,以避免在控制器的每个方法上使用注释。 Instead, I am exploring the possibility centralizing this feature via a filter that checks if the logged in user has the required permission for the URL 相反,我正在探索通过过滤器将该功能集中化的可能性,该过滤器检查登录用户是否具有所需的URL许可权
We are using Spring 3.2.5.RELEASE 我们正在使用Spring 3.2.5.RELEASE
I intend to create a database table that has a mapping between a permission and the relevant URL. 我打算创建一个数据库表,该表在许可权和相关URL之间建立映射。
I am looking for a way to get the request mapping information for the current URL. 我正在寻找一种获取当前URL的请求映射信息的方法。
For Eg : In my database, I have: 例如:在我的数据库中,我有:
URL=/view/{id} , permission=VIEW_USER
If the current URL is : 如果当前URL是:
/app/user/view/1
, a method annotated with ,用注释的方法
@RequestMapping(value = "/view/{id}", method = RequestMethod.GET)
will be invoked. 将被调用。 But before this happens, I need to verify if the logged in user has the permission to view user details. 但是在发生这种情况之前,我需要验证登录用户是否具有查看用户详细信息的权限。
In my filter, I can get the current URL ( /app/user/view/1
) , how do I get the corresponding mapping ( /view/{id}
) ? 在我的过滤器中,我可以获取当前URL( /app/user/view/1
),如何获取相应的映射( /view/{id}
)? Is there a mechanism to match a URL to its corresponding MVC request mapping ? 是否存在将URL与其对应的MVC请求映射相匹配的机制?
I have looked/am looking at related posts on SO and also looked at Spring code but am yet to find a way. 我看过/正在看SO上的相关文章,也看过Spring代码,但还没有找到方法。
If you want to do it that way, you could register MVC interceptor instead of servlet filter. 如果您想这样做,可以注册MVC拦截器而不是servlet过滤器。 Create a class that extends HandlerInterceptorAdapter
and in preHandle method you will have access to controller's method and it's annotation. 创建一个扩展HandlerInterceptorAdapter
的类,并在preHandle方法中可以访问控制器的方法及其注释。 Prehandle method of your interceptor could look something like this: 拦截器的prehandle方法可能如下所示:
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
if (handler instanceof HandlerMethod) {
HandlerMethod method = (HandlerMethod) handler;
if (method.getMethod().isAnnotationPresent(RequestMapping.class)) {
RequestMapping rqm = method.getMethodAnnotation(RequestMapping.class);
String[] urlMappings = rqm.value();
//do security logic
}
}
...
}
Then you need to register the interceptor. 然后,您需要注册拦截器。 If you use xml config it's done like this: 如果您使用xml config,它是这样完成的:
<mvc:interceptors>
<bean class="com.example.MySecurityInterceptor" />
...
</mvc:interceptors>
Please note that your approach will be difficult, you'll need to handle all the request mapping cases that spring supports. 请注意,您的方法将很困难,您将需要处理spring支持的所有请求映射案例。 For example, @RequestMapping
that's annotated on class level. 例如,在类级别上注释的@RequestMapping
。 Or @RequestMapping
annotated on parent class of the controller etc.. 或在控制器的父类上注释的@RequestMapping
等。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.