我遇到了 @PreAuthorize 的问题,以及检查该身份验证用户是否可以访问搜索到的项目的服务。
获得该项目的一个服务 callDistributionRequest 正常运行 - @PreAuthorize 接收并传递正确的 distId 。另一个 updateDistributionRequestExportFileName 也获得正确的 distId 并将其传递给 distributionRequestService 。方法 userBelongsToRecipientOfTheDistributionRequest distId来自 null
具有两个Web服务的Spring RestController
@RestController
@RequestMapping(produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
public class DistributionRequestRESTController {
@Autowired
private @Getter @Setter DistributionRequestService distributionRequestService;
private final Logger log = LoggerFactory.getLogger(this.getClass());
private String logResponse = " - response: ";
@Autowired
public DistributionRequestRESTController(DistributionRequestService distributionRequestService) {
this.distributionRequestService = distributionRequestService;
}
@RequestMapping(value = Consts.URLDISTRIBUTIONREQUEST + Consts.URLDISTREQID)
public DistributionRequest callDistributionRequest(@PathVariable long distId) {
String loginfo = "get distribution with id: " + distId;
//log.info(loginfo);
DistributionRequest found = distributionRequestService.findOne(distId);
log.info(loginfo + logResponse + JSONParser.toJsonString(found));
return found;
}
@RequestMapping(method = RequestMethod.POST, value = Consts.URLDISTRIBUTIONREQUEST + Consts.URLDISTREQID + Consts.URLUPDATE + Consts.URLFILENAME)
public DistributionRequest updateDistributionRequestExportFileName(
@PathVariable long distId,
@RequestBody String fileName,
@AuthenticationPrincipal UserDetails user) {
String loginfo = user.getUsername() + " try to update filename with : " + fileName;
//log.info(loginfo);
DistributionRequest updated =
distributionRequestService.updateExportFilename(distId, fileName);
log.info(loginfo + logResponse + JSONParser.toJsonString(updated));
return updated;
}
}
服务界面:
public interface DistributionRequestService {
@PreAuthorize(value = "hasAnyAuthority('USER', 'ADMIN') and @distributionRequestOwnerService.userBelongsToRecipientOfTheDistributionRequest(#distId)")
DistributionRequest findOne(Long distId);
@PreAuthorize(value = "hasAnyAuthority('USER', 'ADMIN') and @distributionRequestOwnerService.userBelongsToRecipientOfTheDistributionRequest(#distId)")
DistributionRequest updateExportFilename(Long distId, String filename);
}
检查用户是否可以访问搜索项目的类
@Service(value = "distributionRequestOwnerService")
public class DistributionRequestOwnerServiceImpl implements DistributionRequestOwnerService {
@Autowired
private AccountService accountService;
@Autowired
private DistributionRequestsRepository distributionRequestsRepository;
@Override
public boolean userBelongsToRecipientOfTheDistributionRequest(Long distId) {
return userBelongsToRecipientOfTheDistributionRequest(distId, null);
}
@Override
public boolean userBelongsToRecipientOfTheDistributionRequest(Long distributionRequestId, String username) {
DistributionRequest distributionRequest = distributionRequestsRepository.findOne(distributionRequestId);
ServiceAccount currentUser;
if (username == null)
currentUser = accountService.getCurrentUser();
else
currentUser = accountService.findByUsername(username);
if (distributionRequest != null
&& distributionRequest.getRecipientId() == currentUser.getRecipientId())
return true;
throw new AercacheWSException(Consts.EXCEPTIONMISSINGELEMENTORPERMITION);
}
}
有什么想法吗?
提前致谢
答案 0 :(得分:2)
找到解决方案duplicate to
因为接口中的@teppic指向参数应该注释。
public interface DistributionRequestService {
@PreAuthorize(value = "hasAnyAuthority('USER', 'ADMIN') and @distributionRequestOwnerService.userBelongsToRecipientOfTheDistributionRequest(#distId)")
DistributionRequest findOne(@Param("distId") Long distId);
@PreAuthorize(value = "hasAnyAuthority('USER', 'ADMIN') and @distributionRequestOwnerService.userBelongsToRecipientOfTheDistributionRequest(#distId)")
DistributionRequest updateExportFilename(@Param("distId") Long distId, String filename);
}