GlobalMethodSecurityConfiguration is deprecated in Spring Boot 3, how to create a custom expression handler in 3?

Currently, I have created a custom expression handler by overriding the createExpressionHandler function from GlobalMethodSecurityConfiguration. The code is:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    Logger logger = LoggerFactory.getLogger(this.getClass());
    
    @Autowired
    private ApplicationContext applicationContext;
    
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        CustomMethodSecurityExpressionHandler expressionHandler = new CustomMethodSecurityExpressionHandler();
        expressionHandler.setPermissionEvaluator(new CustomPermissionEvaluator());
        expressionHandler.setApplicationContext(applicationContext);
        return expressionHandler;
    }
    
}

-- CustomMethodSecurityExpressionHandler class --

public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    
    private ApplicationContext applicationContext;
    private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication,
            MethodInvocation invocation) {
        CustomMethodSecurityExpressionRoot root = new CustomMethodSecurityExpressionRoot(authentication);
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(this.trustResolver);
        root.setRoleHierarchy(getRoleHierarchy());
        root.setG(this.applicationContext.getBean(CustomTraversalSource.class));
        return root;
    }
    
    //This setter method will be called from the config class
    @Override
    public void setApplicationContext(ApplicationContext applicationContext) {
        super.setApplicationContext(applicationContext);
        this.applicationContext=applicationContext;
    }
}

And CustomPermissionEvaluator:

@Component
public class CustomPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        if ((authentication == null) || (targetDomainObject == null) || !(permission instanceof String)){
            return false;
        }
        String targetType = targetDomainObject.getClass().getSimpleName().toUpperCase();
        
        return hasPrivilege(authentication, targetType, permission.toString().toUpperCase());
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
            Object permission) {
        if ((authentication == null) || (targetType == null) || !(permission instanceof String)) {
            return false;
        }
        return hasPrivilege(authentication, targetType.toUpperCase(), 
          permission.toString().toUpperCase());
    }

    private boolean hasPrivilege(Authentication authentication, String targetType, String permission) {
        for (GrantedAuthority grantedAuth : authentication.getAuthorities()) {
            if (grantedAuth.getAuthority().startsWith(targetType) && 
              grantedAuth.getAuthority().contains(permission)) {
                return true;
            }
        }
        return false;
    }

}
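The `hasPrivilege` check in the question matches authorities by prefix and substring. The following added example (not part of the original post) runs that test beside an exact match on plain strings; the `TYPE_PERMISSION` authority naming and the sample authority are assumptions constructed for illustration.

```java
import java.util.List;

public class PrivilegeMatchDemo {

    // Same test as hasPrivilege() in the question: prefix plus substring.
    static boolean looseMatch(List<String> authorities, String targetType, String permission) {
        for (String authority : authorities) {
            if (authority.startsWith(targetType) && authority.contains(permission)) {
                return true;
            }
        }
        return false;
    }

    // Stricter variant: the authority must equal TYPE_PERMISSION exactly.
    // The "TYPE_PERMISSION" naming scheme is an assumption of this example.
    static boolean exactMatch(List<String> authorities, String targetType, String permission) {
        return authorities.contains(targetType + "_" + permission);
    }

    public static void main(String[] args) {
        // Constructed sample: the caller was granted read access to ORDERHISTORY only.
        List<String> granted = List.of("ORDERHISTORY_READ");

        // The loose test also accepts a READ check on ORDER, because the granted
        // authority starts with "ORDER" and contains "READ".
        System.out.println("loose ORDER/READ:        " + looseMatch(granted, "ORDER", "READ"));
        // The exact test accepts only the type that was actually granted.
        System.out.println("exact ORDER/READ:        " + exactMatch(granted, "ORDER", "READ"));
        System.out.println("exact ORDERHISTORY/READ: " + exactMatch(granted, "ORDERHISTORY", "READ"));
    }
}
```

When domain class names share a prefix, the prefix test grants access across types, so an evaluator like this is worth covering with a unit test per authority.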

@EnableMethodSecurity annotation is a recommended replacement for deprecated @EnableGlobalMethodSecurity.

Its property prePostEnabled is by default set to true.

So to enable usage of @PreAuthorize/@PostAuthorize and @PreFilter/@PostFilter which are the most widely used annotations for customizing access control on the method-level, you can apply @EnableMethodSecurity without providing any arguments.

Try this:

@Configuration
@RequiredArgsConstructor
public class DenyMethodSecurityConfig {
    
    private final ApplicationContext applicationContext;

    @Bean
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        CustomMethodSecurityExpressionHandler expressionHandler = new CustomMethodSecurityExpressionHandler();
        expressionHandler.setPermissionEvaluator(new CustomPermissionEvaluator());
        expressionHandler.setApplicationContext(applicationContext);
        return expressionHandler;
    }
}
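An added sketch of the same migration, not code from the original answers: Spring Security 6's reference documentation publishes the handler from a `static` `@Bean` method and customises the root object in `createEvaluationContext(Supplier<Authentication>, MethodInvocation)`, which is the method the `@EnableMethodSecurity` interceptors call. `Spring6ExpressionHandler` is a hypothetical name; `CustomMethodSecurityExpressionRoot` and `CustomTraversalSource` are the question's own classes, whose definitions are not shown on the page.

```java
import java.util.function.Supplier;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;

@Configuration
@EnableMethodSecurity // prePostEnabled defaults to true
class MethodSecurityConfig {
    // static, so the handler is published before Spring Security's own
    // method-security configuration classes are initialised
    @Bean
    static MethodSecurityExpressionHandler expressionHandler(
            ApplicationContext ctx, PermissionEvaluator evaluator) {
        Spring6ExpressionHandler handler = new Spring6ExpressionHandler(ctx);
        handler.setPermissionEvaluator(evaluator); // the @Component from the question
        handler.setApplicationContext(ctx);
        return handler;
    }
}

class Spring6ExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    private final ApplicationContext ctx;
    Spring6ExpressionHandler(ApplicationContext ctx) { this.ctx = ctx; }

    // Swap the default root for the question's custom root (class not shown on the page).
    @Override
    public EvaluationContext createEvaluationContext(Supplier<Authentication> authentication, MethodInvocation mi) {
        StandardEvaluationContext context =
                (StandardEvaluationContext) super.createEvaluationContext(authentication, mi);
        CustomMethodSecurityExpressionRoot root =
                new CustomMethodSecurityExpressionRoot(authentication.get());
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(new AuthenticationTrustResolverImpl());
        root.setRoleHierarchy(getRoleHierarchy());
        root.setG(ctx.getBean(CustomTraversalSource.class));
        context.setRootObject(root);
        return context;
    }
}
```

An integration test that calls a `@PreAuthorize`-protected method using one of the custom root's expressions, once as a permitted user and once as a denied one, confirms that the custom handler is the one in effect.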


If you need the @EnableGlobalMethodSecurity annotation, replace it with @EnableMethodSecurity (note: prePostEnabled() defaults to true).

If you use the annotation-based approach, put this annotation on the class where you use the @Pre/Post*** annotations, since if you put @EnableMethodSecurity on a class that only describes the configuration (marked as @Configuration), you may observe incorrect operation of the authorization mechanism. However, I suggest you check it yourself.
