@PreAuthorize not working when a secured method is called from another secured method in same class
@PreAuthorize
public void methodA() {
methodB();
}
@PreAuthorize
public void methodB() {
}
Here methodA() is an interface method and methodB() is called by methodA().
Spring method level security uses Spring AOP, which is proxy-based. This means that method calls on an object reference will be calls on the proxy, and as such the proxy will be able to delegate to all of the interceptors (e.g. @PreAuthorize) that are relevant to that particular method call.
However, once the call has finally reached the target object, any method calls that it may make on itself are going to be invoked against the this reference, and not the proxy. It means that self-invocation is not going to result in the advice associated with a method invocation getting a chance to execute.
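The behaviour the answer describes can be reproduced without Spring at all, because it is a property of any proxy-based interception. The following is an added example (not code from the question or the answer) that builds a JDK dynamic proxy around a target whose methodA() calls methodB() on itself; the InvocationHandler stands in for the security interceptor and records every method it gets to see. The names Service, ServiceImpl and AuthorizingHandler are assumptions made for the illustration.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;

public class SelfInvocationDemo {

    // Business interface (assumed name); methodA() calls methodB() internally.
    interface Service {
        void methodA();
        void methodB();
    }

    // Target object: the nested call goes through `this`, never through the proxy.
    static class ServiceImpl implements Service {
        @Override
        public void methodA() {
            methodB();          // compiled as this.methodB()
        }

        @Override
        public void methodB() {
            // business logic
        }
    }

    // Stand-in for the security interceptor: records each method it intercepts,
    // which is exactly the set of calls that would be authorization-checked.
    static class AuthorizingHandler implements InvocationHandler {
        final List<String> checked = new ArrayList<>();
        private final Object target;

        AuthorizingHandler(Object target) {
            this.target = target;
        }

        @Override
        public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
            checked.add(m.getName());   // the "authorization check" happens here
            return m.invoke(target, args);
        }
    }

    // Calls methodA() through the proxy and returns the list of intercepted methods.
    static List<String> run() {
        AuthorizingHandler handler = new AuthorizingHandler(new ServiceImpl());
        Service proxy = (Service) Proxy.newProxyInstance(
                Service.class.getClassLoader(),
                new Class<?>[] { Service.class },
                handler);
        proxy.methodA();
        return handler.checked;
    }

    public static void main(String[] args) {
        System.out.println("intercepted: " + run());
    }
}
```

Running it shows that only methodA is recorded: the call to methodA() arrived through the proxy, so the handler ran, while the inner this.methodB() never touched the proxy and was therefore never checked. A Spring Security method-security proxy behaves the same way with respect to self-invocation.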
Basically, it can work but this is not recommended. Ideally, you should change your design logic. This is your code when the JVM runs it.
@PreAuthorize
public void methodA() {
this.methodB();
}
@PreAuthorize
public void methodB() {
}
First, why it is not working:
Spring method level security is using Spring AOP based proxies, which means whenever you are calling a method, it is being called on a Proxy object (not on the actual object) and this object holds the Spring context and enables you to preauthorize.
But when the control reaches the method called from the proxy, any method called inside it is called on the actual object (this), which doesn't hold the Spring context. Hence it is not performing any preauthorization on the method.
Basically your code is calling methodB() as this.methodB(), which is on the actual object. If you somehow can get the same proxy (via the reflection API or the application context), you can perform the operation desired via the code below (not an actual implementation, just an idea).
@PreAuthorize
public void methodA() {
proxyObject.methodB(); // proxyObject: the Spring proxy of this bean, not `this`
}
@PreAuthorize
public void methodB() {
}
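The "change your design logic" advice from the answers above usually means moving the nested operation into its own Spring bean, so that the call crosses a bean boundary and therefore goes through a proxy. The following is an added example (not the answerer's code) of that layout; InnerService, OuterService, OuterApi, MethodSecurityConfig and the two hasRole(...) expressions are assumptions chosen for the illustration, and @PreAuthorize needs a security expression in real code, which the fragments in the question omit.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// Turns on @PreAuthorize processing (Spring Security 5.6+; older versions use
// @EnableGlobalMethodSecurity(prePostEnabled = true) instead).
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Interface for the outer bean (assumed name), mirroring the question's setup.
interface OuterApi {
    void methodA();
}

// Hypothetical bean that owns only the inner operation. Every call into it from
// another bean arrives through its Spring proxy, so the interceptor runs.
@Service
class InnerService {

    @PreAuthorize("hasRole('ADMIN')")   // assumed rule; substitute your own
    public void methodB() {
        // business logic
    }
}

// The outer bean no longer calls methodB() on `this`. It calls the injected
// InnerService, which is a proxy reference, so the check on methodB() applies.
@Service
class OuterService implements OuterApi {

    private final InnerService inner;

    OuterService(InnerService inner) {   // constructor injection
        this.inner = inner;
    }

    @Override
    @PreAuthorize("hasRole('USER')")    // assumed rule for the outer method
    public void methodA() {
        inner.methodB();
    }
}
```

In a real project these classes would live in separate files under a package that component scanning covers. The point of the split is that a caller without the role required by methodB() is rejected even when it is allowed to call methodA(), which is exactly the check the self-invocation in the question silently skips.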