Does hasPermission return false if the authentication object is null?

Date: 2015-07-11 18:11:01

Tags: java spring authentication spring-security spring-annotations

I have the following code change.

-    @PreAuthorize("isAuthenticated()")
+    @PreAuthorize("hasPermission(#dto.perusteId, 'peruste', 'LUKU')")
     public void setStarted(DokumenttiDto dto);
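Review bot: the hunk drops the explicit `isAuthenticated()` guard and relies solely on `hasPermission(#dto.perusteId, 'peruste', 'LUKU')`, but the `PermissionEvaluator` contract quoted below only says the `authentication` argument "Should not be null"; it does not promise a false result for an unauthenticated or anonymous caller, and the question itself states that the project's evaluator does no check on the authentication object. Unless the evaluator is shown to reject such callers, keep both conditions in the expression: `@PreAuthorize("isAuthenticated() and hasPermission(#dto.perusteId, 'peruste', 'LUKU')")`.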

According to the Spring documentation, the authentication object should not be null. Here the developer removes the authentication check and replaces it with a hasPermission check. If the authentication object is null, will the hasPermission method return false? The authentication object is supplied automatically by the Spring Security framework. Can this be regarded as a refactoring change? Two checks (authentication + permission check) merged into one (permission check)! I don't think the hasPermission implementation does any check on the authentication object. (https://github.com/Opetushallitus/eperusteet/blob/cd9eff86bdda5dd91072354392dedbe0783c9ddf/eperusteet/eperusteet-service/src/main/java/fi/vm/sade/eperusteet/service/security/PermissionEvaluator.java)

Here is the link to the code change: https://github.com/Opetushallitus/eperusteet/commit/e8459

Method Detail

hasPermission
public boolean hasPermission(Authentication authentication,
                    Object domainObject,
                    Object permission)
Determines whether the user has the given permission(s) on the domain object using the ACL configuration. If the domain object is null, returns false (this can always be overridden using a null check in the expression itself).
Specified by:
hasPermission in interface PermissionEvaluator
Parameters:
authentication - represents the user in question. Should not be null.
domainObject - the domain object for which permissions should be checked. May be null in which case implementations should return false, as the null condition can be checked explicitly in the expression.
permission - a representation of the permission object as supplied by the expression system. Not null.

2 answers:

Answer 0 (score: 0)

What I expect it to do is this:

It returns a permissions object, which is really an array/list of all the permissions the user has.

If your user has no roles, it returns an empty list and attaches it to the Authentication object.

e.g.

Authentication object when:

User with roles
permissions = ['admin', 'user', 'moderator'];
User with no roles
permissions = []

Answer 1 (score: 0)

The hasPermission function (if it is wired correctly into the security expression evaluator) really just passes the authentication token through to PermissionManager.hasPermission. If you look at the code, most of the complicated if statements end up calling hasAnyRole, which returns false when the authentication object is null.

However, that whole class is so convoluted that I can't say it is any better than a random number generator in practice.
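To make the point raised in the question and in the answer above concrete, here is an added example that is not code from the eperusteet project or from either answer: a hypothetical PermissionEvaluator that handles the null and anonymous cases explicitly instead of relying on whatever the role lookup does with a null token. The class name, the ROLE_READER authority and the object id 42 are assumptions for illustration; the 'peruste' target type and 'LUKU' permission string come from the expression in the question.

```java
import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Hypothetical evaluator (not the eperusteet one): grants 'LUKU' (read) on a
 * 'peruste' only to an authenticated, non-anonymous caller holding ROLE_READER,
 * and treats a null authentication as "no permission" rather than as an error.
 */
public class NullSafePermissionEvaluator implements PermissionEvaluator {

    /** The guard that @PreAuthorize("isAuthenticated()") used to provide. */
    private static boolean isRealUser(Authentication auth) {
        // AnonymousAuthenticationToken reports isAuthenticated() == true,
        // so the instanceof check is needed in addition to the null check.
        return auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }

    private static boolean hasRole(Authentication auth, String role) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public boolean hasPermission(Authentication auth, Object domainObject, Object permission) {
        // Contract from the Javadoc quoted in the question: a null domain object yields false.
        if (domainObject == null || !isRealUser(auth)) {
            return false;
        }
        return "LUKU".equals(permission) && hasRole(auth, "ROLE_READER");
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // This is the overload that hasPermission(#dto.perusteId, 'peruste', 'LUKU') resolves to.
        if (targetId == null || !isRealUser(auth)) {
            return false;
        }
        return "peruste".equals(targetType)
                && "LUKU".equals(permission)
                && hasRole(auth, "ROLE_READER");
    }

    public static void main(String[] args) {
        PermissionEvaluator eval = new NullSafePermissionEvaluator();

        // Constructed inputs: a logged-in reader, the anonymous token Spring
        // Security uses when anonymous access is enabled, and a null token.
        Authentication reader = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_READER"));
        Authentication anonymous = new AnonymousAuthenticationToken(
                "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

        System.out.println("reader:    " + eval.hasPermission(reader, 42L, "peruste", "LUKU"));
        System.out.println("anonymous: " + eval.hasPermission(anonymous, 42L, "peruste", "LUKU"));
        System.out.println("null:      " + eval.hasPermission(null, 42L, "peruste", "LUKU"));
        System.out.println("null id:   " + eval.hasPermission(reader, null, "peruste", "LUKU"));
    }
}
```

Run it with spring-security-core on the classpath; only the first call grants, the anonymous, null-token and null-id calls all return false. The design choice is that the evaluator never throws on a missing token: if you instead want an unauthenticated call to fail loudly rather than silently deny, keep the `isAuthenticated()` term in the @PreAuthorize expression as well.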