Spring Security: Authorization Control on Service-Layer Method Calls

This article uses the tutorial-xml demo that ships with Spring Security as its running example. Original post by javacoder.cn; please credit the source when republishing.

Configuration

To have Spring Security control access to service-layer method calls, add the following configuration to the Spring context:

This enables support for the @PreAuthorize, @PostAuthorize and related annotations on methods.

Then add the @PreAuthorize annotation to each method that needs to be protected:

public interface BankService {
    @PreAuthorize("hasRole('supervisor') or "
        + "hasRole('teller') and (#account.balance + #amount >= -#account.overdraft)")
    public Account post(Account account, double amount);
}

This annotation means that the current user must either hold the supervisor role, or hold the teller role and the amount being debited from the target account must stay within that account's overdraft limit. The access-control expression in @PreAuthorize is a Spring EL (SpEL) expression.

The call stack of the authorization check is as follows:

Similar to the URL-based authorization flow, MethodSecurityInterceptor is the entry point of the check. It delegates to the AccessDecisionManager (implemented by AffirmativeBased) to decide whether access is permitted; AffirmativeBased again uses a voter-based approach (PreInvocationAuthorizationAdviceVoter), and the actual evaluation of the expression in the @PreAuthorize annotation is carried out by ExpressionBasedPreInvocationAdvice.
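As an added example (not code from the original post or from the Spring Security tutorial), the block below evaluates the BankService rule with Spring's standalone SpEL parser so the decision can be inspected case by case: SpEL gives `and` higher precedence than `or`, so the rule reads as "supervisor, or (teller and within overdraft)". It assumes spring-expression on the classpath; the Root and Account classes are hypothetical stand-ins for Spring Security's MethodSecurityExpressionRoot and the demo's Account.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import java.util.Set;

public class PreAuthorizeRuleDemo {
    // Hypothetical stand-in for MethodSecurityExpressionRoot: exposes hasRole()
    // to the expression. Plain string matching here; Spring Security's hasRole
    // additionally applies its configured role prefix.
    public static class Root {
        private final Set<String> roles;
        public Root(Set<String> roles) { this.roles = roles; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    // Hypothetical Account with the two fields the rule refers to.
    public static class Account {
        public double balance;
        public double overdraft;
        public Account(double balance, double overdraft) {
            this.balance = balance; this.overdraft = overdraft;
        }
    }

    // The exact expression from the @PreAuthorize annotation on BankService.post().
    static final String RULE = "hasRole('supervisor') or "
        + "hasRole('teller') and (#account.balance + #amount >= -#account.overdraft)";

    // Mimics the evaluation ExpressionBasedPreInvocationAdvice performs: the method
    // parameters are bound as SpEL variables by name (#account, #amount), which is why
    // parameter names must be available at runtime for the real annotation to work.
    static boolean allowed(Set<String> roles, Account account, double amount) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(new Root(roles));
        ctx.setVariable("account", account);
        ctx.setVariable("amount", amount);
        Expression expr = new SpelExpressionParser().parseExpression(RULE);
        return Boolean.TRUE.equals(expr.getValue(ctx, Boolean.class));
    }

    public static void main(String[] args) {
        Account acct = new Account(100.0, 50.0); // constructed: balance 100, overdraft limit 50
        System.out.println(allowed(Set.of("supervisor"), acct, -1000.0)); // true: supervisor bypasses the limit
        System.out.println(allowed(Set.of("teller"), acct, -150.0));      // true: 100 - 150 = -50 >= -50
        System.out.println(allowed(Set.of("teller"), acct, -150.01));     // false: exceeds the overdraft
        System.out.println(allowed(Set.of(), acct, 10.0));                // false: no qualifying role
    }
}
```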

Posted in: Spring Security

Source: 知行合一,止于至善