I have the code change below:
- @PreAuthorize("isAuthenticated()")
+ @PreAuthorize("hasPermission(#dto.perusteId, 'peruste', 'LUKU')")
public void setStarted(DokumenttiDto dto);
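Review bot: the replacement drops isAuthenticated() without anything in the visible hunk guaranteeing that an unauthenticated or anonymous caller is rejected by hasPermission(#dto.perusteId, 'peruste', 'LUKU'); after this change that rejection depends entirely on the project's PermissionEvaluator treating a null or anonymous Authentication as a denial. Either keep both conditions in the expression, e.g. `@PreAuthorize("isAuthenticated() and hasPermission(#dto.perusteId, 'peruste', 'LUKU')")`, or add a test showing the evaluator returns false for an anonymous token, and describe the change as a tightening (read permission on the peruste is now required) rather than a pure refactoring.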
As per the Spring documentation, the authentication object should not be null. Here the developer removes the authentication check and puts in a hasPermission check. So will the hasPermission method return false if the authentication object is null? The authentication object will be supplied by the Spring Security framework automatically. Can this be considered a refactoring change? Two checks (authentication + permission check) combined into one (permission check)! I don't think the hasPermission method implementation is making any checks on the authentication object. ( https://github.com/Opetushallitus/eperusteet/blob/cd9eff86bdda5dd91072354392dedbe0783c9ddf/eperusteet/eperusteet-service/src/main/java/fi/vm/sade/eperusteet/service/security/PermissionEvaluator.java )
Here's the code change link: https://github.com/Opetushallitus/eperusteet/commit/e8459
Method Detail
hasPermission
public boolean hasPermission(Authentication authentication, Object domainObject, Object permission)
Determines whether the user has the given permission(s) on the domain object using the ACL configuration. If the domain object is null, returns false (this can always be overridden using a null check in the expression itself).
Specified by:
hasPermission in interface PermissionEvaluator
Parameters:
authentication - represents the user in question. Should not be null.
domainObject - the domain object for which permissions should be checked. May be null in which case implementations should return false, as the null condition can be checked explicitly in the expression.
permission - a representation of the permission object as supplied by the expression system. Not null.
I hope what it does is:
It returns an object of permissions that is actually an Array/List of all the permissions that the user has.
If your user has no roles, an empty list is returned and it is added to the Authentication object.
e.g. the Authentication object when:
User with roles:
permissions = ['admin', 'user', 'moderator'];
User with no roles:
permissions = [];
The hasPermission function (if correctly wired into the security expression evaluator) actually just passes the authentication token on to PermissionManager.hasPermission. If you look at the code, most of the convoluted if statements eventually call hasAnyRole, which returns false when the authentication object is null.
However, this whole class is so messed up I cannot say it works better than a random number generator in reality.
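What a practitioner usually wants here is an evaluator that makes the authentication check explicit rather than relying on a downstream role lookup to happen to fail. The following is an added example and not code from the eperusteet project or from either answer: NullSafePermissionEvaluator, its AclLookup interface and the in-memory ACL in main() are all hypothetical, constructed only to show how a PermissionEvaluator behind `hasPermission(#dto.perusteId, 'peruste', 'LUKU')` can deny a null, anonymous or unauthenticated Authentication on its own. The Spring Security types used (PermissionEvaluator, AuthenticationTrustResolverImpl, AnonymousAuthenticationToken, UsernamePasswordAuthenticationToken, AuthorityUtils) are real.

```java
import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Hypothetical evaluator (not the eperusteet project's PermissionEvaluator).
 * It denies explicitly when the Authentication is null, anonymous or not
 * authenticated, so hasPermission(...) alone covers what isAuthenticated() did.
 */
public class NullSafePermissionEvaluator implements PermissionEvaluator {

    /** Hypothetical ACL source: which principal may do what on which (type, id). */
    public interface AclLookup {
        boolean allows(String principal, String targetType, Serializable targetId, String permission);
    }

    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
    private final AclLookup acl;

    public NullSafePermissionEvaluator(AclLookup acl) {
        this.acl = acl;
    }

    /** Backs hasPermission(#targetId, 'targetType', 'PERMISSION') in @PreAuthorize. */
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        if (!isRealUser(authentication)) {
            return false;                       // null / anonymous / unauthenticated -> deny
        }
        if (targetId == null || targetType == null || permission == null) {
            return false;                       // javadoc contract: a null target means false
        }
        return acl.allows(authentication.getName(), targetType, targetId, permission.toString());
    }

    /** Backs hasPermission(#domainObject, 'PERMISSION'); not used by the expression in the question. */
    @Override
    public boolean hasPermission(Authentication authentication, Object domainObject, Object permission) {
        return false;                           // object form deliberately unsupported in this example
    }

    /** The same test Spring's isAuthenticated() expression applies: present, authenticated, not anonymous. */
    private boolean isRealUser(Authentication authentication) {
        return authentication != null
                && authentication.isAuthenticated()
                && !trustResolver.isAnonymous(authentication);
    }

    /** Exercises the cases the question asks about against a constructed in-memory ACL. */
    public static void main(String[] args) {
        // Constructed sample ACL: only "alice" may read (LUKU) peruste 42.
        AclLookup acl = (principal, type, id, perm) ->
                "alice".equals(principal) && "peruste".equals(type)
                        && Long.valueOf(42L).equals(id) && "LUKU".equals(perm);
        PermissionEvaluator evaluator = new NullSafePermissionEvaluator(acl);

        Authentication none = null;
        Authentication anon = new AnonymousAuthenticationToken(
                "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        // Three-argument constructor marks the token as authenticated.
        Authentication alice = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        System.out.println("null auth   -> " + evaluator.hasPermission(none, 42L, "peruste", "LUKU"));
        System.out.println("anonymous   -> " + evaluator.hasPermission(anon, 42L, "peruste", "LUKU"));
        System.out.println("alice/42    -> " + evaluator.hasPermission(alice, 42L, "peruste", "LUKU"));
        System.out.println("alice/43    -> " + evaluator.hasPermission(alice, 43L, "peruste", "LUKU"));
    }
}
```

Two things to keep in mind when judging the commit. First, in a web request the Authentication is rarely literally null: Spring's anonymous filter normally supplies an AnonymousAuthenticationToken, and the `isAuthenticated()` expression rejects exactly that token, so the practical question is whether the project's evaluator denies anonymous callers, not only null ones. Second, if you would rather not depend on the evaluator for that, keep both conditions in the annotation: `@PreAuthorize("isAuthenticated() and hasPermission(#dto.perusteId, 'peruste', 'LUKU')")`.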