Custom permission evaluator
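    import java.io.Serializable;
    import org.springframework.security.access.PermissionEvaluator;
    import org.springframework.security.core.Authentication;
    import org.springframework.stereotype.Component;

    @Component
    public class EventWritePermissionEvaluator implements PermissionEvaluator {

        // Called for hasPermission(targetObject, permission)
        @Override
        public boolean hasPermission(Authentication authentication,
                Object targetDomainObject, Object permission) {
            return true; // stub: grants every request
        }

        // Called for hasPermission(targetId, targetType, permission)
        @Override
        public boolean hasPermission(Authentication authentication,
                Serializable targetId, String targetType, Object permission) {
            return true; // stub: grants every request
        }
    }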
    @PreAuthorize("hasPermission(#event,'write')")
    @RequestMapping(value="/events/{id}/start")
    @ResponseBody
    public Map<String, Object> eventStart(@RequestBody Event event, @PathVariable("id") int id, HttpServletRequest request, HttpServletResponse response) throws MessagingException
    {
        event.setId(id);
        return eventService.eventStart(event, request, response);
    }
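In the example above, I am sending the event object to the permission evaluator by putting a "#" in front of it. Why "#"? And how can I send the id instead of the object?
Answer 0 (score: 0)
For you, it would look something like this: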
    @PreAuthorize("hasPermission(#id, 'com.company.product.Event', 'read')")
    @RequestMapping(value="/events/{id}")
    @ResponseBody
    public Event getEvent(@PathVariable("id") int id)
    {
        // get Event from dao
    }
Note the extra parameter of hasPermission, which should be the name of the domain model class (you can customize this if you implement PermissionEvaluator yourself).
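An added example, not part of the original answer: a deny-by-default evaluator for the id form above, where `#id` is the SpEL reference to the method argument named `id`. The class name `EventOwnerPermissionEvaluator` and the in-memory owner map are assumptions made for illustration.

```java
import java.io.Serializable;
import java.util.Map;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

// Added example (hypothetical class): only the owner of an event may read or write it.
public class EventOwnerPermissionEvaluator implements PermissionEvaluator {

    // Must match the type string passed in the @PreAuthorize expression.
    private static final String EVENT_TYPE = "com.company.product.Event";

    // Constructed sample data: event id -> owning username.
    // Assumption: a real application would look this up through its DAO.
    private final Map<Integer, String> ownerByEventId = Map.of(1, "alice", 2, "bob");

    // Object form, reached by hasPermission(#event, 'write').
    @Override
    public boolean hasPermission(Authentication authentication,
            Object targetDomainObject, Object permission) {
        // In the question's handler the Event comes from the request body and
        // setId(id) runs only after this check, so its id is not trusted here.
        return false;
    }

    // Id form, reached by hasPermission(#id, 'com.company.product.Event', 'read').
    @Override
    public boolean hasPermission(Authentication authentication,
            Serializable targetId, String targetType, Object permission) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return false;
        }
        if (!EVENT_TYPE.equals(targetType) || !(targetId instanceof Integer)) {
            return false; // unknown type or unexpected id shape: deny
        }
        String owner = ownerByEventId.get((Integer) targetId);
        if (owner == null) {
            return false; // no such event
        }
        if ("read".equals(permission) || "write".equals(permission)) {
            return owner.equals(authentication.getName());
        }
        return false; // unrecognised permission: deny
    }
}
```

The evaluator only takes effect once it is set on the method security expression handler, for example through `DefaultMethodSecurityExpressionHandler.setPermissionEvaluator`.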