我有一个Spring Data项目,它使用RepositoryRestResource和CrudRepository来通过REST公开实体。我需要能够在通过HTTP访问存储库时保护存储库,但在内部使用时(例如,在服务层中)不能保护存储库。
我已启动并运行spring security,但在CrudRepository方法上添加PreAuthorize等注释也会导致在我从服务层调用这些方法时执行安全表达式。
如果有人能指出我正确的方向,我会很高兴。
编辑1
我尝试从UserRepository中删除Rest Export和安全注释以供内部使用,然后将UserRepository子类化为UserRepositoryRestExported,导出并保护该注释。但是我看到运行之间的安全注释有一些不一致的实现,这让我想知道Spring是否有时会导出UserRepositoryRestExported,而其他时候是UserRepository ......?
编辑2
以下是编辑1
中描述的代码UserRepository.java
@Component("UserRepository")
public interface UserRepository extends CrudRepository<User, Long> {
// .. some extra methods
}
UserRepositoryRest.java
@Component("UserRepositoryRest")
@RepositoryRestResource(collectionResourceRel = "users", path = "users")
public interface UserRepositoryRest extends UserRepository {
@PostAuthorize("authentication.name == returnObject.getName() || hasRole('ROLE_ADMIN')")
@Override
User findOne(Long id);
@PostFilter("authentication.name == filterObject.getName() || hasRole('ROLE_ADMIN')")
@Override
Iterable<User> findAll();
@PreAuthorize("principal.getCell() == #user.getName() || hasRole('ROLE_ADMIN')")
@Override
void delete(@P("user") User user);
User save(User entity);
long count();
boolean exists(Long primaryKey);
}
答案 0 :(得分:4)
可以在这篇文章的标题中实现这个目标,但它有点复杂,因为Spring没有正式支持。
作为粗略概述,您必须创建两个存储库,一个用于内部使用,一个(安全)供外部使用。然后你必须修改弹簧,所以它只导出一个供外部使用。
大部分代码来自下面链接的帖子;非常感谢Will Faithful提出解决方案:
错误提示:https://jira.spring.io/browse/DATAREST-923
修复存储库:https://github.com/wfaithfull/spring-data-rest-multiple-repositories-workaround
第1步
创建不受保护的非导出存储库,仅供内部使用:
@RepositoryRestResource(exported = false)
@Component("UserRepository")
public interface UserRepository extends CrudRepository<User, Long> { }
请注意,没有安全注释(例如@PreAuthorized),@ RepositoryRestResource设置为exported = false。
第2步
创建安全的导出存储库,仅用于HTTP REST:
@Component("UserRepositoryRest")
@Primary
@RepositoryRestResource(collectionResourceRel = "users", path = "users", exported = true)
public interface UserRepositoryRest extends UserRepository {
@PostAuthorize(" principal.getUsername() == returnObject.getUsername() || hasRole('ROLE_ADMIN') ")
@Override
User findOne(Long id);
}
请注意,我们使用的是安全注释,我们使用exported = true显式导出存储库。
第3步
这是一个有点复杂的地方。如果你在这里停止,Spring有时会加载并尝试导出你的UserRepository类,有时加载并尝试导出你的UserRepositoryRest类。这可能导致单位测试偶尔失败(大约50%的时间),以及其他令人难以追踪的奇怪副作用。
我们将通过调整Spring选择导出存储库的方式来解决这个问题。创建包含以下内容的文件:
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.BeanFactoryUtils;
import org.springframework.beans.factory.ListableBeanFactory;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.data.mapping.PersistentEntity;
import org.springframework.data.repository.core.EntityInformation;
import org.springframework.data.repository.core.RepositoryInformation;
import org.springframework.data.repository.core.support.RepositoryFactoryInformation;
import org.springframework.data.repository.query.QueryMethod;
import org.springframework.data.repository.support.Repositories;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import java.io.Serializable;
import java.util.*;
/**
* @author Will Faithfull
*
* Warning: Ugly hack territory.
*
* Firstly, I can't just swap out this implementation, because Repositories is referenced everywhere directly without an
* interface.
*
* Unfortunately, the offending code is in a private method, {@link #cacheRepositoryFactory(String)}, and modifies private
* fields in the Repositories class. This means we can either use reflection, or replicate the functionality of the class.
*
* In this instance, I've chosen to do the latter because it's simpler, and most of this code is a simple copy/paste from
* Repositories. The superclass is given an empty bean factory to satisfy it's constructor demands, and ensure that
* it will keep as little redundant state as possible.
*/
public class ExportAwareRepositories extends Repositories {
static final Repositories NONE = new ExportAwareRepositories();
private static final RepositoryFactoryInformation<Object, Serializable> EMPTY_REPOSITORY_FACTORY_INFO = EmptyRepositoryFactoryInformation.INSTANCE;
private static final String DOMAIN_TYPE_MUST_NOT_BE_NULL = "Domain type must not be null!";
private final BeanFactory beanFactory;
private final Map<Class<?>, String> repositoryBeanNames;
private final Map<Class<?>, RepositoryFactoryInformation<Object, Serializable>> repositoryFactoryInfos;
/**
* Constructor to create the {@link #NONE} instance.
*/
private ExportAwareRepositories() {
/* Mug off the superclass with an empty beanfactory to placate the Assert.notNull */
super(new DefaultListableBeanFactory());
this.beanFactory = null;
this.repositoryBeanNames = Collections.<Class<?>, String> emptyMap();
this.repositoryFactoryInfos = Collections.<Class<?>, RepositoryFactoryInformation<Object, Serializable>> emptyMap();
}
/**
* Creates a new {@link Repositories} instance by looking up the repository instances and meta information from the
* given {@link ListableBeanFactory}.
*
* @param factory must not be {@literal null}.
*/
public ExportAwareRepositories(ListableBeanFactory factory) {
/* Mug off the superclass with an empty beanfactory to placate the Assert.notNull */
super(new DefaultListableBeanFactory());
Assert.notNull(factory, "Factory must not be null!");
this.beanFactory = factory;
this.repositoryFactoryInfos = new HashMap<Class<?>, RepositoryFactoryInformation<Object, Serializable>>();
this.repositoryBeanNames = new HashMap<Class<?>, String>();
populateRepositoryFactoryInformation(factory);
}
private void populateRepositoryFactoryInformation(ListableBeanFactory factory) {
for (String name : BeanFactoryUtils.beanNamesForTypeIncludingAncestors(factory, RepositoryFactoryInformation.class,
false, false)) {
cacheRepositoryFactory(name);
}
}
@SuppressWarnings({ "rawtypes", "unchecked" })
private synchronized void cacheRepositoryFactory(String name) {
RepositoryFactoryInformation repositoryFactoryInformation = beanFactory.getBean(name,
RepositoryFactoryInformation.class);
Class<?> domainType = ClassUtils
.getUserClass(repositoryFactoryInformation.getRepositoryInformation().getDomainType());
RepositoryInformation information = repositoryFactoryInformation.getRepositoryInformation();
Set<Class<?>> alternativeDomainTypes = information.getAlternativeDomainTypes();
String beanName = BeanFactoryUtils.transformedBeanName(name);
Set<Class<?>> typesToRegister = new HashSet<Class<?>>(alternativeDomainTypes.size() + 1);
typesToRegister.add(domainType);
typesToRegister.addAll(alternativeDomainTypes);
for (Class<?> type : typesToRegister) {
// I still want to add repositories if they don't have an exported counterpart, so we eagerly add repositories
// but then check whether to supercede them. If you have more than one repository with exported=true, clearly
// the last one that arrives here will be the registered one. I don't know why anyone would do this though.
if(this.repositoryFactoryInfos.containsKey(type)) {
Class<?> repoInterface = information.getRepositoryInterface();
if(repoInterface.isAnnotationPresent(RepositoryRestResource.class)) {
boolean exported = repoInterface.getAnnotation(RepositoryRestResource.class).exported();
if(exported) { // Then this has priority.
this.repositoryFactoryInfos.put(type, repositoryFactoryInformation);
this.repositoryBeanNames.put(type, beanName);
}
}
} else {
this.repositoryFactoryInfos.put(type, repositoryFactoryInformation);
this.repositoryBeanNames.put(type, beanName);
}
}
}
/**
* Returns whether we have a repository instance registered to manage instances of the given domain class.
*
* @param domainClass must not be {@literal null}.
* @return
*/
@Override
public boolean hasRepositoryFor(Class<?> domainClass) {
Assert.notNull(domainClass, DOMAIN_TYPE_MUST_NOT_BE_NULL);
return repositoryFactoryInfos.containsKey(domainClass);
}
/**
* Returns the repository managing the given domain class.
*
* @param domainClass must not be {@literal null}.
* @return
*/
@Override
public Object getRepositoryFor(Class<?> domainClass) {
Assert.notNull(domainClass, DOMAIN_TYPE_MUST_NOT_BE_NULL);
String repositoryBeanName = repositoryBeanNames.get(domainClass);
return repositoryBeanName == null || beanFactory == null ? null : beanFactory.getBean(repositoryBeanName);
}
/**
* Returns the {@link RepositoryFactoryInformation} for the given domain class. The given <code>code</code> is
* converted to the actual user class if necessary, @see ClassUtils#getUserClass.
*
* @param domainClass must not be {@literal null}.
* @return the {@link RepositoryFactoryInformation} for the given domain class or {@literal null} if no repository
* registered for this domain class.
*/
private RepositoryFactoryInformation<Object, Serializable> getRepositoryFactoryInfoFor(Class<?> domainClass) {
Assert.notNull(domainClass, DOMAIN_TYPE_MUST_NOT_BE_NULL);
Class<?> userType = ClassUtils.getUserClass(domainClass);
RepositoryFactoryInformation<Object, Serializable> repositoryInfo = repositoryFactoryInfos.get(userType);
if (repositoryInfo != null) {
return repositoryInfo;
}
if (!userType.equals(Object.class)) {
return getRepositoryFactoryInfoFor(userType.getSuperclass());
}
return EMPTY_REPOSITORY_FACTORY_INFO;
}
/**
* Returns the {@link EntityInformation} for the given domain class.
*
* @param domainClass must not be {@literal null}.
* @return
*/
@SuppressWarnings("unchecked")
@Override
public <T, S extends Serializable> EntityInformation<T, S> getEntityInformationFor(Class<?> domainClass) {
Assert.notNull(domainClass, DOMAIN_TYPE_MUST_NOT_BE_NULL);
return (EntityInformation<T, S>) getRepositoryFactoryInfoFor(domainClass).getEntityInformation();
}
/**
* Returns the {@link RepositoryInformation} for the given domain class.
*
* @param domainClass must not be {@literal null}.
* @return the {@link RepositoryInformation} for the given domain class or {@literal null} if no repository registered
* for this domain class.
*/
@Override
public RepositoryInformation getRepositoryInformationFor(Class<?> domainClass) {
Assert.notNull(domainClass, DOMAIN_TYPE_MUST_NOT_BE_NULL);
RepositoryFactoryInformation<Object, Serializable> information = getRepositoryFactoryInfoFor(domainClass);
return information == EMPTY_REPOSITORY_FACTORY_INFO ? null : information.getRepositoryInformation();
}
/**
* Returns the {@link RepositoryInformation} for the given repository interface.
*
* @param repositoryInterface must not be {@literal null}.
* @return the {@link RepositoryInformation} for the given repository interface or {@literal null} there's no
* repository instance registered for the given interface.
* @since 1.12
*/
@Override
public RepositoryInformation getRepositoryInformation(Class<?> repositoryInterface) {
for (RepositoryFactoryInformation<Object, Serializable> factoryInformation : repositoryFactoryInfos.values()) {
RepositoryInformation information = factoryInformation.getRepositoryInformation();
if (information.getRepositoryInterface().equals(repositoryInterface)) {
return information;
}
}
return null;
}
/**
* Returns the {@link PersistentEntity} for the given domain class. Might return {@literal null} in case the module
* storing the given domain class does not support the mapping subsystem.
*
* @param domainClass must not be {@literal null}.
* @return the {@link PersistentEntity} for the given domain class or {@literal null} if no repository is registered
* for the domain class or the repository is not backed by a {@link MappingContext} implementation.
*/
@Override
public PersistentEntity<?, ?> getPersistentEntity(Class<?> domainClass) {
Assert.notNull(domainClass, DOMAIN_TYPE_MUST_NOT_BE_NULL);
return getRepositoryFactoryInfoFor(domainClass).getPersistentEntity();
}
/**
* Returns the {@link QueryMethod}s contained in the repository managing the given domain class.
*
* @param domainClass must not be {@literal null}.
* @return
*/
@Override
public List<QueryMethod> getQueryMethodsFor(Class<?> domainClass) {
Assert.notNull(domainClass, DOMAIN_TYPE_MUST_NOT_BE_NULL);
return getRepositoryFactoryInfoFor(domainClass).getQueryMethods();
}
/*
* (non-Javadoc)
* @see java.lang.Iterable#iterator()
*/
@Override
public Iterator<Class<?>> iterator() {
return repositoryFactoryInfos.keySet().iterator();
}
/**
* Null-object to avoid nasty {@literal null} checks in cache lookups.
*
* @author Thomas Darimont
*/
private static enum EmptyRepositoryFactoryInformation implements RepositoryFactoryInformation<Object, Serializable> {
INSTANCE;
@Override
public EntityInformation<Object, Serializable> getEntityInformation() {
return null;
}
@Override
public RepositoryInformation getRepositoryInformation() {
return null;
}
@Override
public PersistentEntity<?, ?> getPersistentEntity() {
return null;
}
@Override
public List<QueryMethod> getQueryMethods() {
return Collections.<QueryMethod> emptyList();
}
}
}
第4步
使用以下内容创建另一个文件:
import me.faithfull.hack.ExportAwareRepositories;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.support.Repositories;
import org.springframework.data.rest.webmvc.config.RepositoryRestMvcConfiguration;
/**
* @author Will Faithfull
*/
@Configuration
public class RepositoryRestConfiguration extends RepositoryRestMvcConfiguration {
@Autowired
ApplicationContext context;
/**
* We replace the stock repostiories with our modified subclass.
*/
@Override
public Repositories repositories() {
return new ExportAwareRepositories(context);
}
}
<强>利润
应该这样做 - Spring现在应该只正确地导出你的UserRepositoryRest类,同时忽略你的UserRepository类,让你在没有安全限制的情况下在内部使用。
答案 1 :(得分:0)
您可以尝试使用方法注释创建SecuredServiceInterface @PreAuthorize(&#34; hasRole(&#39; ROLE_REST_USER&#39;)&#34;)
SecuredServiceInterface将在REST控制器中使用,并从在应用程序内部使用的ServiceInterface扩展。
答案 2 :(得分:0)
您可以控制对Spring Data REST的访问 尝试将RepositoryDetectionStrategies更改为“ ANNOTATED”,并确保将要导出的存储库的导出标志设置为true,如:https://www.javabullets.com/4-ways-to-control-access-to-spring-data-rest/