我有一个 Spring Security 配置,我必须使用加密属性。我有实用的静态方法PasswordUtil.decode(),通过它我可以解码属性以供进一步使用。
以下解决方案有效,但特定的 SpEL 对我来说非常难看。所以,我的问题:是否有可能将 SpEL 表达式重构为更好/更短/惯用的内容?
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Value("#{T(my.package.PasswordUtil).decode('${signkey.password}')}")
private String signKeyPassword;
}
答案 0 :(得分:2)
您可以注册自定义SpEL解析器功能as you can see in the Reference Documentation。这意味着您可以创建一个自定义SpEL关键字,该关键字将在您的自定义代码中解析并支持输入。
换句话说,你可以写而不是:
@Value("#{T(my.package.PasswordUtil).decode('${signkey.password}')}")
private String signKeyPassword;
以下是您的自定义SpEL关键字 mydecode :
@Value("#{ #mydecode( '${signkey.password}' ) }")
String signKeyPassword;
此选项:1)显着减少SpEL字符串文字,2)使您有机会获取在您的域中有意义的名称和3)因为它本质上是一个方法调用,它可以在不同的输入中重用不同的@Value SpEL注射。
下面是一个工作示例。请注意,它不是特定于Spring Security(不使用它),也不是Spring Boot特定的(使用它):
POM文件
从Spring Initializr自动生成没有添加任何组件。
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>demo</name>
<description>Demo project for Spring Boot</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.9.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
主要类 DemoApplication :
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
@SpringBootApplication
public class DemoApplication {
public static void main(String[] args) {
SecurityConfiguration securityConfiguration = SpringApplication.run(DemoApplication.class, args).getBean(SecurityConfiguration.class);
System.out.println(securityConfiguration.getSignKeyPassword());
}
@Bean
MyCustomSpELFunctionRegister customSpelFunctionProvider() {
return new MyCustomSpELFunctionRegister();
}
}
安全配置:
如前所述Spring Security不可知。它使用自定义SpEL关键字解析器。
package com.example.demo;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
@Configuration
public class SecurityConfiguration {
@Value("#{ #mydecode( '${signkey.password}' ) }")
String signKeyPassword;
public String getSignKeyPassword() {
return signKeyPassword;
}
}
MyCustomSpELDecoderFunction
这是您将隐藏执行工作的Utils静态方法的类
package com.example.demo;
public abstract class MyCustomSpELDecoderFunction {
//needs to be public
//alternative use interface with defined static method
public static String mydecode(String encrypted) {
return "myutils decrypt";
}
}
MyCustomSpELFunctionRegister类
这是将您的自定义SpEL关键字连接到Utils类的粘合代码。它实现了BeanFactoryPostProcessor,以便在创建任何bean之前执行注册,从而停止@Value注入。
package com.example.demo;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.context.expression.StandardBeanExpressionResolver;
import org.springframework.expression.spel.support.StandardEvaluationContext;
public class MyCustomSpELFunctionRegister implements BeanFactoryPostProcessor {
@Override
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
beanFactory.setBeanExpressionResolver(new StandardBeanExpressionResolver() {
@Override
protected void customizeEvaluationContext(StandardEvaluationContext standardEvaluationContext) {
try {
//here we register all functions
standardEvaluationContext.registerFunction("mydecode", MyCustomSpELDecoderFunction.class.getMethod("mydecode", new Class[] { String.class }));
} catch (NoSuchMethodException e) {
e.printStackTrace();
}
}
});
}
}
答案 1 :(得分:1)
是的,可以将@Value用作元注释:
选项1:覆盖@Value值:
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@Value("")
public @interface SignKeyPassword {
@AliasFor(annotation=Value.class, attribute="value")
String value() default "#{T(my.package.PasswordUtil).decode('${signkey.password}')}";
}
选项2:为每个属性分别注释:
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@Value("#{T(my.package.PasswordUtil).decode('${signkey.password}')}")
public @interface SignKeyPassword {
}
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@SignKeyPassword
private String signKeyPassword;
}
选项3:实施InstantiationAwareBeanPostProcessor以定义自己的注入登录
答案 2 :(得分:0)
@dimitrisli的 SpEL 函数的替代方法可以是reference guide中描述的bean引用。这对我来说更容易理解,因为bean是在同一个@Configuration中定义的。 (另外,解密方法不一定是static。)
我只是想知道bean解析是否可以更简单的方式完成。
Bean解析
public class PassportUtilResolver implements BeanFactoryPostProcessor {
@Override
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
beanFactory.setBeanExpressionResolver(new StandardBeanExpressionResolver() {
@Override
protected void customizeEvaluationContext(StandardEvaluationContext evalContext) {
evalContext.setBeanResolver(new BeanResolver() {
@Override
public Object resolve(EvaluationContext context, String beanName) throws AccessException {
if ("passwordUtil".equals(beanName)) {
return new PasswordUtil();
}
return null;
}
});
}
});
}
}
<强>用法
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Value("#{@passwordUtil.decode('${regis.saml.signkey.password}')}")
private String signKeyPassword;
@Bean
public PasswordUtil passwordUtil() {
return new PasswordUtil();
}
}