带有hasPermission()的@PreAuthorize执行代码两次

时间:2013-04-23 08:33:51

标签: spring spring-security aop pre-authentication

我想使用@PreAuthorize Spring注释来控制我的应用程序中的访问。

问题是,我有很多条件取决于请求参数,而不是数据库实体。

概述:

我有一个Route实体,其中包含User owner字段。只有您是所有者时才能删除Route

我写了我的控制器方法:

@RequestMapping(value = "/route/remove/{id}", method = RequestMethod.GET)
@PreAuthorize("hasPermission(#id, 'RouteRemove')")
  public String removeRoute(@PathVariable("id") Integer id, ModelMap model) {

  Route route = routeBO.getById(id);

  if(null == route)
    return "forward:/errors/404";

  // ... remove route here.
  // routeBO.remove(id);
}

我的RouteRemove权限定义为:

@Component
public class RouteRemovePermission implements Permission {

    @Autowired
    private RouteBO routeBO;

    @Override
    public boolean isAllowed(Authentication authentication, Object targetDomainObject) {
        if(!(targetDomainObject instanceof Integer))
            return false;

        Route route = routeBO.getById((Integer) targetDomainObject);

        if(route == null)
            return false;

        User user = AthenticationUtil.getUser();

        return null != user && user.equals(route.getOwner());
    }

}

如您所见,我必须两次评估routeBO.getById()

问题:

是否可以仅评估此代码一次?

我当然尝试过: 

@RequestMapping(value = "/route/remove/{id}", method = RequestMethod.GET)
public String removeRoute(@PathVariable("id") Integer id, ModelMap model) {

Route route = routeBO.getById(id);

if(null == route)
  return "forward:/errors/404";

return removeRoute(route, model);
}

@PreAuthorize("hasPermission(#id, 'RouteRemove')")
public String removeRoute(Route id, ModelMap model) {

    return "route/display";
}

但在removeRoute(Route id, ModelMap model)之前没有调用权限方法。也许我的配置不正确?

MVC-调度-servlet.xml中

<sec:global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
  <sec:expression-handler ref="expressionHandler"/>
</sec:global-method-security>

的security.xml 

<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>

<beans:bean id="permissionEvaluator" class="pl.wsiadamy.common.security.BasePermissionEvaluator">
  <beans:constructor-arg index="0">
        <beans:map key-type="java.lang.String"
             value-type="pl.wsiadamy.common.security.Permission">
            <beans:entry key="RouteView" value-ref="routeViewPermission" />
            <beans:entry key="RouteRemove" value-ref="routeRemovePermission" />
        </beans:map>
    </beans:constructor-arg>
</beans:bean>
<beans:bean id="routeViewPermission" class="pl.wsiadamy.common.security.permission.RouteViewPermission" />
<beans:bean id="routeRemovePermission" class="pl.wsiadamy.common.security.permission.RouteRemovePermission" />

1 个答案:

答案 0 :(得分:2)

我建议你将安全注释的removeRoute方法分解为单独的服务类,例如:

@Service
public class RouteService {
    @PreAuthorize("hasPermission(#route, 'RouteRemove')")
    public void removeRoute(Route route) {
        // remove route here
    }
}

然后在Web控制器中使用它:

@Autowired RouteService routeService;

@RequestMapping(value = "/route/remove/{id}", method = RequestMethod.GET)
public String removeRoute(@PathVariable("id") Integer id, ModelMap model) {
    Route route = routeBO.getById(id);
    if(null == route)
        return "forward:/errors/404";
    routeService.removeRoute(route);
    return "route/display";
}
相关问题
最新问题