Spring Security role control based on RESTful path

Date: 2016-08-05 10:01:10

Tags: java spring spring-mvc spring-security

e.g.

    /user/{userId}/*    # Only user with userId and admin can access
    /order/{orderId}/*  # Only the order owner of orderId and admin can access

Current solution: the @Current annotation is a custom injection related to the token passed to the server, and the entity argument below comes from Spring Data's path variable resolution:

    @PathVariable("user-id") UserEntity user

We have too many annotations; is there a simple way to configure them?

Attempts

  1. Using @PreAuthorize:

         @PreAuthorize("#user.id == #u?.id")
         public UserDTO access(@P("user") @Current UserEntity requestUser,
                               @P("u") @PathVariable("user-id") UserEntity user)

         @PreAuthorize("#user.id == #uid && (#order == null || #order?.user?.id == #uid)")
         public Message access(@Current @P("user") UserEntity user,
                               @PathVariable("user-id") @P("uid") Long uid,
                               @PathVariable("order-id") @P("order") OrderEntity order)

     The user check cannot be customized.
  2. AOP is too complex and cannot be URL-based.
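An added example (not code from the question) that keeps the @PreAuthorize style of attempt 1 but delegates the comparison to a Spring bean referenced from the SpEL expression, so the user check lives in one class instead of being repeated in every annotation. The names OwnershipChecker, UserEntity#getId()/#isAdmin(), OrderEntity#getUser(), UserDTO, Message and the @Current resolver are assumptions taken from or modelled on the question.

```java
// Added example, not from the original question. Assumed types: UserEntity (getId(),
// isAdmin()), OrderEntity (getUser()), UserDTO, Message and the custom @Current annotation.
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Component("ownership")          // referenced as @ownership inside the SpEL expressions
public class OwnershipChecker {

    /** Caller is the user named in the path, or an admin. Any null denies. */
    public boolean isSelfOrAdmin(UserEntity caller, Long pathUserId) {
        if (caller == null || caller.getId() == null || pathUserId == null) {
            return false;
        }
        return caller.isAdmin() || caller.getId().equals(pathUserId);
    }

    /**
     * Caller is the owner of the order and the user named in the path, or an admin.
     * Unlike the expression "#order == null || ...", an order that could not be
     * resolved is denied rather than allowed.
     */
    public boolean ownsOrderOrAdmin(UserEntity caller, Long pathUserId, OrderEntity order) {
        if (!isSelfOrAdmin(caller, pathUserId)) {
            return false;
        }
        if (caller.isAdmin()) {
            return true;
        }
        return order != null && order.getUser() != null
                && caller.getId().equals(order.getUser().getId());
    }
}

@RestController
class OwnerController {

    @PreAuthorize("@ownership.isSelfOrAdmin(#user, #uid)")
    @RequestMapping("/user/{user-id}")
    public UserDTO user(@Current @P("user") UserEntity user,
                        @PathVariable("user-id") @P("uid") Long uid) {
        return new UserDTO(user);    // assumed constructor
    }

    @PreAuthorize("@ownership.ownsOrderOrAdmin(#user, #uid, #order)")
    @RequestMapping("/user/{user-id}/order/{order-id}")
    public Message order(@Current @P("user") UserEntity user,
                         @PathVariable("user-id") @P("uid") Long uid,
                         @PathVariable("order-id") @P("order") OrderEntity order) {
        return new Message("ok");    // assumed constructor
    }
}
```

This needs `@EnableGlobalMethodSecurity(prePostEnabled = true)` on a configuration class; with that in place a `false` from the bean is turned into an AccessDeniedException (HTTP 403) before the controller body runs. The bean methods are plain Java, so the "custom user check" that attempt 1 could not express is now an ordinary method that can be unit-tested, and both methods deny by default when the caller, the path variable or the resolved order is missing.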

1 answer:

Answer 0 (score: 1)

I would suggest using method security to implement fine-grained logic for resource access. I think URL-based authorization is only useful for simple use cases.

If your authorization logic needs more than one line of code, I would also suggest implementing your method security with AOP and a custom annotation (instead of using @PreAuthorize)...

For example, you can intercept the annotated method calls:

@Before("@annotation(your.annotations.AllowedToOwner) && @annotation(ann)")
public void checkOwner(JoinPoint joinPoint, AllowedToOwner ann) throws Throwable {

    // check owner, throws AccessDeniedException if check fails...
}
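An added example that fills in the sketch above; it is not the answerer's code. It defines the custom annotation and an aspect that compares the authenticated principal with the `{user-id}` path variable Spring MVC resolved for the current request, denying with AccessDeniedException on any mismatch or missing value. Assumptions: the annotation is named AllowedToOwner and carries the path-variable name, the principal stored in the SecurityContext is the application's UserEntity (with getId()), and admins are identified by the authority ROLE_ADMIN.

```java
// Added example, not from the original answer. Two files are shown; each class is
// assumed to live in its own source file.

// file: AllowedToOwner.java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface AllowedToOwner {
    /** Name of the path variable that holds the owner's user id (assumed default). */
    String value() default "user-id";
}

// file: OwnerCheckAspect.java
import java.util.Map;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.HandlerMapping;

@Aspect
@Component
public class OwnerCheckAspect {

    // Binding the annotation as "ann" already restricts the pointcut to methods
    // carrying @AllowedToOwner, so no separate @annotation(type) term is needed.
    @Before("@annotation(ann)")
    public void checkOwner(JoinPoint joinPoint, AllowedToOwner ann) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("not authenticated");
        }

        // Admins may access any owner's resources (the "and admin" rule in the question).
        boolean admin = auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        if (admin) {
            return;
        }

        // Path variables Spring MVC resolved for this request, keyed by template name.
        ServletRequestAttributes attrs =
                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attrs == null) {
            throw new AccessDeniedException("no web request bound to this thread");
        }
        @SuppressWarnings("unchecked")
        Map<String, String> vars = (Map<String, String>) attrs.getRequest()
                .getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE);
        String pathUserId = vars == null ? null : vars.get(ann.value());

        // Deny by default: a missing variable or an unexpected principal type is a
        // failure, never an implicit allow. UserEntity as principal is an assumption.
        Object principal = auth.getPrincipal();
        if (pathUserId == null || !(principal instanceof UserEntity)) {
            throw new AccessDeniedException("owner could not be determined for "
                    + joinPoint.getSignature().toShortString());
        }
        String callerId = String.valueOf(((UserEntity) principal).getId());
        if (!callerId.equals(pathUserId)) {
            throw new AccessDeniedException("caller is not the owner of " + pathUserId);
        }
    }
}
```

A controller method such as `@RequestMapping("/user/{user-id}/profile") @AllowedToOwner("user-id")` is then guarded without any expression text, and `@EnableAspectJAutoProxy` must be present for the aspect to be applied. Two caveats apply to this and to `@PreAuthorize` alike: the advice only runs through the Spring proxy, so a call from one controller method to another in the same class bypasses it, and the aspect reads the path variable by name, so the annotation value must match the template exactly or the deny-by-default branch fires for every request.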