✨ 使用自定义授权管理器

2025-07-15 17:11:18 +08:00 · 2025-07-15 17:11:18 +08:00 · b11ce877be
parent 24caac4b00
commit b11ce877be
3 changed files with 67 additions and 0 deletions
--- a/spring-security/ReadMe.md
+++ b/spring-security/ReadMe.md
@ -1238,3 +1238,23 @@ public Result<String> lowerUser(String name) {
 }
 ```

+## 使用自定义授权管理器
+
+## 将方法与自定义切入点相匹配
+
+由于是基于 Spring AOP 构建的，您可以声明与注解无关的模式，类似于请求级别的授权。 这具有将方法级别的授权规则集中化的潜在优势。
+
+例如，可以发布自己的 `Advisor` 或使用 `<protect-pointcut>` 将 AOP 表达式与服务层的授权规则相匹配，如下所示：
+
+```java
+import static org.springframework.security.authorization.AuthorityAuthorizationManager.hasRole
+
+@Bean
+@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+static Advisor protectServicePointcut() {
+    AspectJExpressionPointcut pattern = new AspectJExpressionPointcut()
+    pattern.setExpression("execution(* com.mycompany.*Service.*(..))")
+    return new AuthorizationManagerBeforeMethodInterceptor(pattern, hasRole("USER"))
+}
+```
+
--- a/spring-security/step-2/src/main/java/com/spring/step2/security/manger/MyAuthorizationManager.java
+++ b/spring-security/step-2/src/main/java/com/spring/step2/security/manger/MyAuthorizationManager.java
@ -0,0 +1,23 @@
+package com.spring.step2.security.manger;
+
+import org.aopalliance.intercept.MethodInvocation;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+import java.util.function.Supplier;
+
+/**
+ * 处理方法调用前的授权检查
+ * check()方法接收的是MethodInvocation对象，包含即将执行的方法调用信息
+ * 用于决定是否允许执行某个方法
+ * 这是传统的"前置授权"模式
+ */
+@Component
+public class MyAuthorizationManager implements AuthorizationManager<MethodInvocation> {
+    @Override
+    public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation invocation) {
+        return new AuthorizationDecision(true);
+    }
+}
--- a/spring-security/step-2/src/main/java/com/spring/step2/security/manger/PostAuthorizationManager.java
+++ b/spring-security/step-2/src/main/java/com/spring/step2/security/manger/PostAuthorizationManager.java
@ -0,0 +1,24 @@
+package com.spring.step2.security.manger;
+
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.method.MethodInvocationResult;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+import java.util.function.Supplier;
+
+/**
+ * 处理方法调用后的授权检查
+ * check()方法接收的是MethodInvocationResult对象，包含已执行方法的结果
+ * 用于决定是否允许返回某个方法的结果(后置过滤)
+ * 这是Spring Security较新的"后置授权"功能
+ */
+@Component
+public class PostAuthorizationManager implements AuthorizationManager<MethodInvocationResult> {
+
+    @Override
+    public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocationResult invocation) {
+        return new AuthorizationDecision(true);
+    }
+}