From b11ce877be396bf8d36f8efdf573bcf0028b26b8 Mon Sep 17 00:00:00 2001
From: Bunny <1319900154@qq.com>
Date: Tue, 15 Jul 2025 17:11:18 +0800
Subject: [PATCH] =?UTF-8?q?:sparkles:=20=E4=BD=BF=E7=94=A8=E8=87=AA?=
 =?UTF-8?q?=E5=AE=9A=E4=B9=89=E6=8E=88=E6=9D=83=E7=AE=A1=E7=90=86=E5=99=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 spring-security/ReadMe.md | 20 ++++++++++++++++
 .../manger/MyAuthorizationManager.java | 23 ++++++++++++++++++
 .../manger/PostAuthorizationManager.java | 24 +++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 spring-security/step-2/src/main/java/com/spring/step2/security/manger/MyAuthorizationManager.java
 create mode 100644 spring-security/step-2/src/main/java/com/spring/step2/security/manger/PostAuthorizationManager.java
diff --git a/spring-security/ReadMe.md b/spring-security/ReadMe.md
index 9fd503b..dafd586 100644
--- a/spring-security/ReadMe.md
+++ b/spring-security/ReadMe.md
@@ -1238,3 +1238,23 @@ public Result lowerUser(String name) {
 }
 ```
+## 使用自定义授权管理器
+
+## 将方法与自定义切入点相匹配
+
+由于是基于 Spring AOP 构建的,您可以声明与注解无关的模式,类似于请求级别的授权。 这具有将方法级别的授权规则集中化的潜在优势。
+
+例如,可以发布自己的 `Advisor` 或使用 `` 将 AOP 表达式与服务层的授权规则相匹配,如下所示:
+
+```java
+import static org.springframework.security.authorization.AuthorityAuthorizationManager.hasRole
+
+@Bean
+@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+static Advisor protectServicePointcut() {
+AspectJExpressionPointcut pattern = new AspectJExpressionPointcut()
+pattern.setExpression("execution(* com.mycompany.*Service.*(..))")
+return new AuthorizationManagerBeforeMethodInterceptor(pattern, hasRole("USER"))
+}
+```
+
diff --git a/spring-security/step-2/src/main/java/com/spring/step2/security/manger/MyAuthorizationManager.java b/spring-security/step-2/src/main/java/com/spring/step2/security/manger/MyAuthorizationManager.java
new file mode 100644
index 0000000..e7a0918
--- /dev/null
+++ b/spring-security/step-2/src/main/java/com/spring/step2/security/manger/MyAuthorizationManager.java
@@ -0,0 +1,23 @@
+package com.spring.step2.security.manger;
+
+import org.aopalliance.intercept.MethodInvocation;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+import java.util.function.Supplier;
+
+/**
+ * 处理方法调用前的授权检查
+ * check()方法接收的是MethodInvocation对象,包含即将执行的方法调用信息
+ * 用于决定是否允许执行某个方法
+ * 这是传统的"前置授权"模式
+ */
+@Component
+public class MyAuthorizationManager implements AuthorizationManager {
+ @Override
+ public AuthorizationDecision check(Supplier authentication, MethodInvocation invocation) {
+ return new AuthorizationDecision(true);
+ }
+}
\ No newline at end of file
diff --git a/spring-security/step-2/src/main/java/com/spring/step2/security/manger/PostAuthorizationManager.java b/spring-security/step-2/src/main/java/com/spring/step2/security/manger/PostAuthorizationManager.java
new file mode 100644
index 0000000..5f581f3
--- /dev/null
+++ b/spring-security/step-2/src/main/java/com/spring/step2/security/manger/PostAuthorizationManager.java
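Review bot: `check` in MyAuthorizationManager returns `new AuthorizationDecision(true)` unconditionally and never reads `authentication` or `invocation`, so once this `@Component` is wired as a method-level `AuthorizationManager` every invocation it is asked about is granted; PostAuthorizationManager in the next file has the same hard-coded grant. If this is deliberately a scaffold, the Javadoc should say so, e.g. `* Placeholder: grants every invocation unconditionally; replace with a real decision before wiring into the security config`, so nobody reads the class name as an enforced check. Otherwise derive the decision from the supplied principal at minimum, `Authentication auth = authentication.get();` followed by `return new AuthorizationDecision(auth != null && auth.isAuthenticated());`, and consider logging the method name from `invocation.getMethod()` on a denial so refusals are auditable. The type arguments on `AuthorizationManager` and `Supplier` appear to have been stripped by rendering; if they are genuinely absent the class is using raw types and should declare `AuthorizationManager<MethodInvocation>` and `Supplier<Authentication>`.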
@@ -0,0 +1,24 @@
+package com.spring.step2.security.manger;
+
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.method.MethodInvocationResult;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+import java.util.function.Supplier;
+
+/**
+ * 处理方法调用后的授权检查
+ * check()方法接收的是MethodInvocationResult对象,包含已执行方法的结果
+ * 用于决定是否允许返回某个方法的结果(后置过滤)
+ * 这是Spring Security较新的"后置授权"功能
+ */
+@Component
+public class PostAuthorizationManager implements AuthorizationManager {
+
+ @Override
+ public AuthorizationDecision check(Supplier authentication, MethodInvocationResult invocation) {
+ return new AuthorizationDecision(true);
+ }
+}
\ No newline at end of file
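Review bot: The second parameter of `check` in PostAuthorizationManager is a `MethodInvocationResult` but is named `invocation`, which reads as the pre-invocation type the sibling class uses and hides the fact that this hook is meant to inspect what the method returned. Renaming it, `public AuthorizationDecision check(Supplier authentication, MethodInvocationResult result)`, makes the post-authorization intent visible, and the decision body would then naturally consult `result.getResult()` (and `result.getMethodInvocation()` for context) rather than ignoring it. The Javadoc above the class already describes that contract, so the code should match it.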