diff --git a/spring-security/ReadMe.md b/spring-security/ReadMe.md
index 9fd503b..dafd586 100644
--- a/spring-security/ReadMe.md
+++ b/spring-security/ReadMe.md
@@ -1238,3 +1238,23 @@ public Result lowerUser(String name) {
 }
 ```
 
+## 使用自定义授权管理器
+
+## 将方法与自定义切入点相匹配
+
+由于是基于 Spring AOP 构建的,您可以声明与注解无关的模式,类似于请求级别的授权。 这具有将方法级别的授权规则集中化的潜在优势。
+
+例如,可以发布自己的 `Advisor` 或使用 `` 将 AOP 表达式与服务层的授权规则相匹配,如下所示:
+
+```java
+import static org.springframework.security.authorization.AuthorityAuthorizationManager.hasRole
+
+@Bean
+@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+static Advisor protectServicePointcut() {
+ AspectJExpressionPointcut pattern = new AspectJExpressionPointcut()
+ pattern.setExpression("execution(* com.mycompany.*Service.*(..))")
+ return new AuthorizationManagerBeforeMethodInterceptor(pattern, hasRole("USER"))
+}
+```
+
diff --git a/spring-security/step-2/src/main/java/com/spring/step2/security/manger/MyAuthorizationManager.java b/spring-security/step-2/src/main/java/com/spring/step2/security/manger/MyAuthorizationManager.java
new file mode 100644
index 0000000..e7a0918
--- /dev/null
+++ b/spring-security/step-2/src/main/java/com/spring/step2/security/manger/MyAuthorizationManager.java
@@ -0,0 +1,23 @@
+package com.spring.step2.security.manger;
+
+import org.aopalliance.intercept.MethodInvocation;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+import java.util.function.Supplier;
+
+/**
+ * 处理方法调用前的授权检查
+ * check()方法接收的是MethodInvocation对象,包含即将执行的方法调用信息
+ * 用于决定是否允许执行某个方法
+ * 这是传统的"前置授权"模式
+ */
+@Component
+public class MyAuthorizationManager implements AuthorizationManager {
+ @Override
+ public AuthorizationDecision check(Supplier authentication, MethodInvocation invocation) {
+ return new AuthorizationDecision(true);
+ }
+}
\ No newline at end of file
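Review bot: `check` in MyAuthorizationManager returns `new AuthorizationDecision(true)` for every call and reads neither `authentication` nor `invocation`, so once this `@Component` is wired as the method-security manager it grants every protected method to any caller, authenticated or not. PostAuthorizationManager in the next file has the same unconditional grant. If this is a deliberate stub for the tutorial step, say so in the Javadoc and at least fail closed on a missing principal, e.g. `Authentication auth = authentication.get();` / `if (auth == null || !auth.isAuthenticated()) { return new AuthorizationDecision(false); }` ahead of the `true` return (this assumes the `Supplier<Authentication>` type argument exists in the real source; the generic arguments do not survive this rendering, where the class also reads as a raw `AuthorizationManager`). Both new files also end without a trailing newline.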
diff --git a/spring-security/step-2/src/main/java/com/spring/step2/security/manger/PostAuthorizationManager.java b/spring-security/step-2/src/main/java/com/spring/step2/security/manger/PostAuthorizationManager.java
new file mode 100644
index 0000000..5f581f3
--- /dev/null
+++ b/spring-security/step-2/src/main/java/com/spring/step2/security/manger/PostAuthorizationManager.java
@@ -0,0 +1,24 @@
+package com.spring.step2.security.manger;
+
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.method.MethodInvocationResult;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+import java.util.function.Supplier;
+
+/**
+ * 处理方法调用后的授权检查
+ * check()方法接收的是MethodInvocationResult对象,包含已执行方法的结果
+ * 用于决定是否允许返回某个方法的结果(后置过滤)
+ * 这是Spring Security较新的"后置授权"功能
+ */
+@Component
+public class PostAuthorizationManager implements AuthorizationManager {
+
+ @Override
+ public AuthorizationDecision check(Supplier authentication, MethodInvocationResult invocation) {
+ return new AuthorizationDecision(true);
+ }
+}
\ No newline at end of file
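Review bot: The third Javadoc line describes this manager as post-filtering (`后置过滤`), but an `AuthorizationManager` over `MethodInvocationResult` is post-authorization: a `false` decision rejects the whole call rather than trimming elements from the returned value, and the result is never inspected here (`invocation` is unused). Replace that line with a comment such as `Post-authorization: decides whether the already-computed result may be returned; a denial rejects the whole call (not @PostFilter-style filtering).` so readers do not expect filter semantics. The unconditional `true` is the same gap noted on MyAuthorizationManager.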