我正在尝试使用自己的permissionEvaluator,
但看起来spring无法识别我的设置。
到目前为止,我做了:
package com.brunorozendo.security;
import java.io.Serializable;
import java.util.Collection;
import javax.management.RuntimeErrorException;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import com.brunorozendo.db.ConectaDatabase;
import com.brunorozendo.entity.Perfil;
import com.brunorozendo.entity.Permission;
import com.brunorozendo.entity.User;
@Component
public class BasePermissionEvaluator implements PermissionEvaluator {
public Collection<? extends GrantedAuthority> getAuthorities() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
return auth.getAuthorities();
}
//esse methodo nunca está sendo chamando
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
boolean hasPermission = false;
if (authentication != null && permission instanceof String) {
System.out.println(String.valueOf(targetDomainObject));
EntityManager em = ConectaDatabase.getConexao();
TypedQuery<User> query = em.createNamedQuery("User.findAll", User.class);
User user = query.getSingleResult();
int sizePerfil = user.getTbPerfils().size();
System.out.println("sizePerfil "+sizePerfil);
for(int i = 0 ; i < sizePerfil && !hasPermission ; i++) {
Perfil p = user.getTbPerfils().get(i);
int sizePermission = p.getTbPermissions().size();
System.out.println("sizePermissionsizePerfil "+sizePermission);
for(int j = 0 ; j < sizePermission && !hasPermission ; j++) {
Permission perm = p.getTbPermissions().get(j);
System.out.println(String.valueOf(targetDomainObject)+" "+perm.getTxPermission() +" "+permission);
if(perm.getTxPermission().equals(permission)) {
hasPermission = true;
}
}
}
} else {
hasPermission = false;
}
return hasPermission;
}
//esse methodo nunca está sendo chamando
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission){
throw new RuntimeErrorException (new Error("Id and Class permissions are not supperted by this application"));
}
}
web.xml
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<display-name>Meu crud gradle</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<resource-ref>
<res-ref-name>jdbc/h2db</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
<res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
<filter>
<filter-name>DBFilter</filter-name>
<filter-class>com.brunorozendo.filter.ConectaDatabaseFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>DBFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--Spring MVC -->
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!--Fim Spring MVC -->
<!--Spring Security -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security-datasource.xml
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!--Fim Spring Security -->
</web-app>
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<context:component-scan base-package="com.brunorozendo" />
<mvc:annotation-driven />
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsp/" />
<property name="suffix" value=".jsp" />
</bean>
</beans>
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<debug />
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/**" access="isAnonymous() or isAuthenticated()" />
<form-login
login-page="/login"
always-use-default-target="true"
default-target-url="/"
authentication-failure-url="/login?login_error=1"
login-processing-url="/authenticate" />
<logout/>
<remember-me />
</http>
<global-method-security pre-post-annotations="enabled">
<expression-handler ref="expressionHandler" />
</global-method-security>
<b:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<b:property name="permissionEvaluator" ref="customPermissionEvaluator" />
</b:bean>
<b:bean id="customPermissionEvaluator" class="com.brunorozendo.security.BasePermissionEvaluator"/>
<authentication-manager>
<authentication-provider>
<jdbc-user-service
data-source-ref="dataSourceName"
authorities-by-username-query=" select
u.tx_username,
p.tx_perfil
from
tb_user u
inner join
tb_user_tb_perfil up
ON
u.id_user = up.id_user
inner join
tb_perfil p
ON
up.id_perfil = p.id_perfil
where
u.tx_username = ?"
users-by-username-query="select
u.tx_username,
HEXTORAW(u.tx_pass) as tx_pass,
true
from tb_user u
WHERE
u.tx_username = ?"
group-authorities-by-username-query = " select
p.id_perfil,
p.tx_perfil,
pm.tx_permission
from
tb_permission pm
inner join
tb_permission_tb_perfil pb
ON pb.id_permission = pm.id_permission
inner join
tb_perfil p
ON p.id_perfil = pb.id_perfil
inner join
tb_user_tb_perfil up
ON up.id_perfil = p.id_perfil
inner join
tb_user u
ON u.id_user = up.id_user
where
u.tx_username = ?" />
</authentication-provider>
</authentication-manager>
</b:beans>
spring-security-datasource.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">
<bean id="dataSourceName" class="org.springframework.jndi.JndiObjectFactoryBean">
<property name="jndiName">
<value>java:comp/env/jdbc/h2db</value>
</property>
</bean>
</beans>
答案 0 :(得分:0)
最后我明白了:
spring-security.xml
<http auto-config="true" use-expressions="true">
<expression-handler ref="expressionHandlerWeb" />
</http>
<b:bean id="permissionEvaluator" class="spring.security.BasePermissionEvaluator"/>
<b:bean id="expressionHandlerMethod" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<b:property name="permissionEvaluator" ref="permissionEvaluator"/>
</b:bean>
<b:bean id="expressionHandlerWeb" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
<b:property name="permissionEvaluator" ref="permissionEvaluator"/>
</b:bean>
<global-method-security pre-post-annotations="enabled">
<expression-handler ref="expressionHandlerMethod"/>
</global-method-security>