✨ 使用自定义授权管理器
parent
24caac4b00
commit
b11ce877be
|
@ -1238,3 +1238,23 @@ public Result<String> lowerUser(String name) {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## 使用自定义授权管理器
|
||||||
|
|
||||||
|
## 将方法与自定义切入点相匹配
|
||||||
|
|
||||||
|
由于是基于 Spring AOP 构建的,您可以声明与注解无关的模式,类似于请求级别的授权。 这具有将方法级别的授权规则集中化的潜在优势。
|
||||||
|
|
||||||
|
例如,可以发布自己的 `Advisor` 或使用 `<protect-pointcut>` 将 AOP 表达式与服务层的授权规则相匹配,如下所示:
|
||||||
|
|
||||||
|
```java
|
||||||
|
import static org.springframework.security.authorization.AuthorityAuthorizationManager.hasRole
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
|
||||||
|
static Advisor protectServicePointcut() {
|
||||||
|
AspectJExpressionPointcut pattern = new AspectJExpressionPointcut()
|
||||||
|
pattern.setExpression("execution(* com.mycompany.*Service.*(..))")
|
||||||
|
return new AuthorizationManagerBeforeMethodInterceptor(pattern, hasRole("USER"))
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
package com.spring.step2.security.manger;
|
||||||
|
|
||||||
|
import org.aopalliance.intercept.MethodInvocation;
|
||||||
|
import org.springframework.security.authorization.AuthorizationDecision;
|
||||||
|
import org.springframework.security.authorization.AuthorizationManager;
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
import org.springframework.stereotype.Component;
|
||||||
|
|
||||||
|
import java.util.function.Supplier;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* 处理方法调用前的授权检查
|
||||||
|
* check()方法接收的是MethodInvocation对象,包含即将执行的方法调用信息
|
||||||
|
* 用于决定是否允许执行某个方法
|
||||||
|
* 这是传统的"前置授权"模式
|
||||||
|
*/
|
||||||
|
@Component
|
||||||
|
public class MyAuthorizationManager implements AuthorizationManager<MethodInvocation> {
|
||||||
|
@Override
|
||||||
|
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation invocation) {
|
||||||
|
return new AuthorizationDecision(true);
|
||||||
|
}
|
||||||
|
}
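Review bot: `check` returns `new AuthorizationDecision(true)` unconditionally and never reads `authentication` or `invocation`, so wherever this `@Component` is wired in as the method-security manager every call is granted, anonymous callers included. `PostAuthorizationManager.check` in the next file section has the same grant-all body and never looks at the returned object. If this is a placeholder, fail closed until the real rule exists, `return new AuthorizationDecision(false);`, or delegate to a built-in manager such as `return AuthorityAuthorizationManager.<MethodInvocation>hasRole("USER").check(authentication, invocation);` (the role is only an example, taken from the documentation snippet in this commit). A test that calls a protected method without the required authority and expects `AccessDeniedException` would catch a regression to grant-all.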
|
|
@ -0,0 +1,24 @@
|
||||||
|
package com.spring.step2.security.manger;
|
||||||
|
|
||||||
|
import org.springframework.security.authorization.AuthorizationDecision;
|
||||||
|
import org.springframework.security.authorization.AuthorizationManager;
|
||||||
|
import org.springframework.security.authorization.method.MethodInvocationResult;
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
import org.springframework.stereotype.Component;
|
||||||
|
|
||||||
|
import java.util.function.Supplier;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* 处理方法调用后的授权检查
|
||||||
|
* check()方法接收的是MethodInvocationResult对象,包含已执行方法的结果
|
||||||
|
* 用于决定是否允许返回某个方法的结果(后置过滤)
|
||||||
|
* 这是Spring Security较新的"后置授权"功能
|
||||||
|
*/
|
||||||
|
@Component
|
||||||
|
public class PostAuthorizationManager implements AuthorizationManager<MethodInvocationResult> {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocationResult invocation) {
|
||||||
|
return new AuthorizationDecision(true);
|
||||||
|
}
|
||||||
|
}
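Review bot: The class Javadoc labels this manager as post-filtering (`后置过滤`), but `check` yields one grant-or-deny `AuthorizationDecision` for the whole return value and nothing in the class filters elements of a result. Post-filtering in Spring Security method security is what `@PostFilter` does; an `AuthorizationManager<MethodInvocationResult>` is the after-invocation authorization step. I would reword the comment along the lines of `Decides after the method has run whether the caller may receive the returned object; it does not filter collection elements.` so readers do not assume returned collections are being trimmed per user.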
|