是否可以在Spring SecurityMetadataSource上使用表达式?

时间:2016-08-28 06:43:40

标签: spring spring-security

我想通过数据库管理网址授权。所以,我实现了Security MetadataSource。这是完美的,除了不能使用表达。

下面是我的代码和xml设置。

XML

<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
    <beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean class="org.springframework.security.access.vote.RoleVoter">
                <beans:property name="rolePrefix" value="" />
            </beans:bean>
        </beans:list>
    </beans:constructor-arg>
    <beans:property name="allowIfAllAbstainDecisions" value="false" />
</beans:bean>

<beans:bean id="securityMetadataSource" class="my.package.CustomSecurityMetadataSource">
</beans:bean>

的java

public class CustomSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        FilterInvocation fi = (FilterInvocation) object;

        String url = fi.getRequestUrl();
        HttpServletRequest request = fi.getHttpRequest();

        // TODO get url authorization from db and caching
        String[] roles = new String[] { "ROLE_ANONYMOUS", "ROLE_USER"};
        return SecurityConfig.createList(roles);
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}

我想使用像hasAnyRole("ROLE_ADMIN", "ROLE_USER")这样的表达式。

我如何使用表达式?

0 个答案:

没有答案