Spring permission evaluator, send only the id

Time: 2015-10-07 15:05:13

Tags: spring spring-mvc spring-security

Custom permission evaluator

    @Component
    public class EventWritePermissionEvaluator implements PermissionEvaluator{

        @Override
        public boolean hasPermission(Authentication authentication,
                Object targetDomainObject, Object permission) {
            return true;
        }

        @Override
        public boolean hasPermission(Authentication authentication,
                Serializable targetId, String targetType, Object permission) {
            return true;
        }

    }



    @PreAuthorize("hasPermission(#event,'write')")
    @RequestMapping(value="/events/{id}/start")
    @ResponseBody
    public Map<String, Object> eventStart(@RequestBody Event event, @PathVariable("id") int id, HttpServletRequest request, HttpServletResponse response) throws MessagingException
    {
        event.setId(id);
        return eventService.eventStart(event, request, response);
    }

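In the example above, I send the event object to the permission evaluator, putting a "#" in front of it. Why the "#"? How can I send the id instead of the object?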

1 answer:

Answer 0: (score: 0)

For you, it would look like:

    @PreAuthorize("hasPermission(#id, 'com.company.product.Event', 'read')")
    @RequestMapping(value="/events/{id}")
    @ResponseBody
    public Event getEvent(@PathVariable("id") int id)
    {
        // get Event from dao
    }

Note the extra parameter of hasPermission, which should be the name of the domain model class (you can customize this if you implement PermissionEvaluator yourself).
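
An id-based evaluator that handles the answer's `hasPermission(#id, 'com.company.product.Event', 'read')` expression, as an added example that is not code from the question or the answer. `EventOwnerLookup` and the owner-only rule are assumptions; unlike the question's stub, every unrecognized case is denied instead of returning `true`.

```java
import java.io.Serializable;
import java.util.Optional;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

// Hypothetical lookup, not from the page: returns the username that owns an event.
interface EventOwnerLookup {
    Optional<String> findOwnerUsername(int eventId);
}

public class EventPermissionEvaluator implements PermissionEvaluator {

    // Type name taken from the answer's hasPermission(#id, '...', 'read') expression.
    private static final String EVENT_TYPE = "com.company.product.Event";

    private final EventOwnerLookup owners;

    public EventPermissionEvaluator(EventOwnerLookup owners) {
        this.owners = owners;
    }

    // Object form, called for hasPermission(#event, 'write').
    @Override
    public boolean hasPermission(Authentication authentication,
            Object targetDomainObject, Object permission) {
        return false; // this sketch authorizes by id only, so the object form is denied
    }

    // Id form, called for hasPermission(#id, 'com.company.product.Event', 'read').
    @Override
    public boolean hasPermission(Authentication authentication,
            Serializable targetId, String targetType, Object permission) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return false;
        }
        if (!EVENT_TYPE.equals(targetType) || !(targetId instanceof Integer)) {
            return false; // unknown type or malformed id: deny by default
        }
        if (!"read".equals(permission) && !"write".equals(permission)) {
            return false; // unknown permission name
        }
        // Assumed rule: only the owner of the event may read or write it.
        return owners.findOwnerUsername((Integer) targetId)
                .map(owner -> owner.equals(authentication.getName()))
                .orElse(false); // no such event: deny
    }
}
```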