Question

我有一个应用程序，用户可以在其中输入自定义角色的名称和特权。例如，用户可以创建一个名为“ Human Resources”的角色，该角色具有以下属性：

showDashboard = true;
showSuppliers = false;
showEmployees = true;

我想基于getSuppliers属性限制showSuppliers服务。

@PreAuthorize("WHEN showSuppliers IS TRUE")
public Page<Supplier> getSuppliers();

角色实体：

@Entity
public class Role {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO, generator = "native")
    @GenericGenerator(name = "native", strategy = "native")
    private Long id;

    private String name;

    private boolean showDashboard;
    private boolean showSuppliers;
    private boolean showEmployees;
}

Answer 1

您可以在PreAuthorize表达式中引用bean。首先，这个bean /组件：

@Component("authorityChecker")
public class AuthorityChecker {

    public boolean canShowSuppliers(Authentication authentication) {
        for (Authority authority : authentication.getAuthorites()) {
            Role role = (Role)authority; // may want to check type before to avoid ClassCastException
            if (role.isShowSuppliers()) {
                return true;
            }
        }
        return false;
    }

}

对此的注释将是：

@PreAuthorize("@authorityChecker.canShowSuppliers(authentication)")
public Page<Supplier> getSuppliers();

它将当前用户的Authentication对象传递给上面的bean /组件。

Spring Security @PreAuthorize基于自定义布尔属性值

1 个答案: