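Reactive REST API response filtering based on user roles

Time: 2018-08-09 09:39:36

Tags: java spring-webflux jackson-databind

Is there any reactive way of filtering a JSON response based on user roles, besides the blocking one: using jackson-databind with the @JsonFilter annotation on POJOs and an overridden SimpleBeanPropertyFilter.serializeAsField?

Example of blocking property filtering: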

SecureFieldFilter.class:

public class SecureFieldFilter extends SimpleBeanPropertyFilter {

    @Override
    public void serializeAsField(Object pojo, JsonGenerator jgen, SerializerProvider provider, PropertyWriter writer) throws Exception {

        SecureField secureField = writer.findAnnotation(SecureField.class);

        // TODO: Get user authorities from ReactiveSpringSecurityContext
        // TODO: Filter properties which do not mention particular roles in the SecureField annotation
    }
}

SecureField annotation:

@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
public @interface SecureField {

    UserAuthority[] value();

}

SecureFieldFilterConfiguration:

@Configuration
public class SecureFieldFilterConfiguration {

    @Bean
    public Jackson2ObjectMapperBuilderCustomizer addFieldFilters() {
        return jacksonObjectMapperBuilder -> {
            jacksonObjectMapperBuilder.filters(new SimpleFilterProvider().addFilter("securityFilter", new SecureFieldFilter()));
        };
    }

}

Foo.class:

@JsonFilter("securityFilter")
public class Banner {

    private UUID id;

    @NotNull
    @SecureField(value={UserAuthority.ROLE_AGENT})
    private String field1;

    @NotNull
    @SecureField(value = {UserAuthority.ROLE_PLAYER, UserAuthority.ROLE_AGENT})
    private String field2;

...
}

How can I filter certain properties out of a REST API response based on user roles in a reactive way?

0 answers:

No answers
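
An added example, not part of the original question and not code from the Spring or Jackson projects: one non-blocking way to give the filter the caller's roles is to resolve them from ReactiveSecurityContextHolder before serialization and pass them to Jackson as a writer attribute. RoleAwareFilter, SecureJson and the callerRoles key are hypothetical names; SecureField and UserAuthority are restated from the question, with UserAuthority assumed to be an enum whose constant names equal the granted-authority strings.

```java
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.ser.PropertyWriter;
import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter;
import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import reactor.core.publisher.Mono;
import java.lang.annotation.*;
import java.util.*;
import java.util.stream.Collectors;

enum UserAuthority { ROLE_AGENT, ROLE_PLAYER } // assumed: names equal the authority strings
@Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
@interface SecureField { UserAuthority[] value(); } // as in the question

class RoleAwareFilter extends SimpleBeanPropertyFilter {
    static final String ROLES = "callerRoles"; // hypothetical attribute key
    @Override
    public void serializeAsField(Object pojo, JsonGenerator gen, SerializerProvider prov,
                                 PropertyWriter writer) throws Exception {
        SecureField secured = writer.findAnnotation(SecureField.class);
        @SuppressWarnings("unchecked")
        Set<String> roles = (Set<String>) prov.getAttribute(ROLES);
        // Unannotated fields are public; annotated ones are denied unless a listed role is present.
        boolean allowed = secured == null || (roles != null
                && Arrays.stream(secured.value()).anyMatch(a -> roles.contains(a.name())));
        if (allowed) {
            writer.serializeAsField(pojo, gen, prov);
        } else if (!gen.canOmitFields()) {
            writer.serializeAsOmittedField(pojo, gen, prov);
        }
    }
}

class SecureJson {
    // Resolve the caller's authorities from the Reactor context first, then serialize with the
    // result attached to the writer, so the filter never blocks or reads the context itself.
    static Mono<String> toJson(ObjectMapper mapper, Object body) {
        SimpleFilterProvider filters = new SimpleFilterProvider().addFilter("securityFilter", new RoleAwareFilter());
        return ReactiveSecurityContextHolder.getContext()
            .filter(ctx -> ctx.getAuthentication() != null)
            .map(ctx -> ctx.getAuthentication().getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).collect(Collectors.toSet()))
            .defaultIfEmpty(Collections.emptySet()) // no security context: no roles, secured fields stay hidden
            .flatMap(roles -> Mono.fromCallable(() -> mapper.writer(filters)
                .withAttribute(RoleAwareFilter.ROLES, roles).writeValueAsString(body)));
    }
}
```

A missing attribute or an empty role set hides every @SecureField property, so a request without an authenticated context fails closed rather than leaking fields.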