我想将Spring安全应用程序切换到注释,但我想确保每个请求都有自己的@PreAuthorize注释,然后才能在外部调用它。
是否可以使用针对此的策略设置Spring Security?
答案 0 :(得分:2)
据我所知,没有办法定义这种政策。
但您可以设置一个Spring MVC拦截器,它将在运行时检查相应处理程序方法上是否存在PreAuthorize注释:
public class PreAuthorizeChecker implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
if (handler instanceof HandlerMethod) {
HandlerMethod hm = (HandlerMethod) handler;
PreAuthorize annotation = AnnotationUtils.findAnnotation(hm.getMethod(), PreAuthorize.class);
if (annotation == null) {
// prevent access to method wihout security restrictions
throw new RuntimeException("Rights are not defined for this handler");
}
}
return true;
}
.....
}