使用@PreAuthorize注释防止无异常的方法调用
我们正在使用Spring Security3.我们有一个 PermissionEvaluator 的自定义实现,该实现具有此复杂算法,可以在应用程序的方法级别上授予或拒绝访问.为此,我们向显然要保护的方法添加了一个 @PreAuthorize 批注.一切都很好.但是,我们正在寻找的行为是,如果 hasPermission 调用被拒绝,则只需要跳过受保护的方法调用,相反,每次发生时,我们都会收到403错误.
We are using Spring Security 3. We have a custom implementation of PermissionEvaluator that has this complex algorithm to grant or deny access at method level on the application. To do that we add a @PreAuthorize annotation to the method we want to protect (obviously). Everything is fine on that. However the behavior that we are looking for is that if a hasPermission call is denied, the protected method call only needs to be skipped, instead we are getting a 403 error each time that happens.
任何想法如何防止这种情况发生?
Any ideas how to prevent that?
您可以在这里找到有关该问题的另一种解释; 在methodSecurityInterception期间进行AccessDeniedException处理
You can find a different explanation of the problem here; AccessDeniedException handling during methodSecurityInterception
解决方案是使用自定义MethodSecurityInterceptor,该自定义MethodSecurityInterceptor调用AccessDecisionManager(隐式地,bu调用super的方法),并确定是否继续执行方法.打电话.
The solution is to use custom MethodSecurityInterceptor, which calls the AccessDecisionManager (implicitly, bu calling super's method) and decides than whether to proceed with a method call.
package com.myapp;
public class MyMethodSecurityInterceptor extends MethodSecurityInterceptor {
@Override
public Object invoke(MethodInvocation mi) throws Throwable {
Object result = null;
try {
InterceptorStatusToken token = super.beforeInvocation(mi);
} catch (AccessDeniedException e) {
// access denied - do not invoke the method and return null
return null;
}
// access granted - proceed with the method invocation
try {
result = mi.proceed();
} finally {
result = super.afterInvocation(token, result);
}
return result;
}
}
设置应用程序上下文有些棘手:由于在这种情况下不能使用<sec:global-mathod-security>,因此需要定义一个显式的AOP配置(并创建默认情况下原始标签会执行的大多数对应bean结构) ):
Setting up the app context is a bit tricky: since you can not use <sec:global-mathod-security> in this case, there is a need to define an explicit AOP configuration (and create most of the corresponding bean structure the original tag does by default):
<aop:config>
<!-- Intercept all relevant methods -->
<aop:pointcut id="myMethods"
expression='execution(* com.myapp.myService+.*(..))'/>
<aop:advisor advice-ref="mySecurityInterceptor" pointcut-ref="myMethods"/>
</aop:config>
<!-- Configure custom security interceptor -->
<bean id="mySecurityInterceptor"
class="com.myapp.MyMethodSecurityInterceptor">
<property name="securityMetadataSource">
<bean class="org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource">
<constructor-arg>
<bean class="org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory">
<constructor-arg>
<bean class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"/>
</constructor-arg>
</bean>
</constructor-arg>
</bean>
</property>
<property name="validateConfigAttributes" value="false"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<!-- Configure AccessDecisionManager -->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter">
<constructor-arg>
<bean class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice"/>
</constructor-arg>
</bean>
</list>
</property>
</bean>
<!-- Configure AuthenticationManager as you wish -->
<!-- ........................................... -->