spring security : Why can't we access Hibernate entitiy parameters in @PreAuthorize?
I have the following interface method on which I am applying @PreAuthorize :
@PreAuthorize(\"doSomething(#user.id)\")
void something(User user,
-
I need to add something to this as the title indicates that we cannot access hibernate properties.
There are two editions of hasPermission, the loaded object and the serialized object. Here is some code from a test case:
@PreAuthorize("isAuthenticated() and hasPermission(#organization, 'edit')") public long protectedMethod(Organization organization) { return organization.getId(); }And for the latter here we see that we can infact access the id proprty of the organization (which is a hibernate entity):
@PreAuthorize("isAuthenticated() and hasPermission(#organization.getId(), 'organization', 'edit')") public long protectedMethodSerializableEdtion(Organization organization) { return organization.getId(); }讨论(0) -
You can check
LazyParamAwareEvaluationContext,insideloadArgsAsVariables()method, version 3.1.0.The same key for different Entity, because of implementing interface.
讨论(0) -
You can check with the debugger what's going on in MethodSecurityEvaluationContext, inside Object lookupVariable(String name) method:
@Override public Object lookupVariable(String name) { Object variable = super.lookupVariable(name); if (variable != null) { return variable; } if (!argumentsAdded) { addArgumentsAsVariables(); argumentsAdded = true; }and so you can see what's really going on in the addArgumentsAsVariables() method as the convertion of method arguments to SPEL variables is implemented very clearly in Spring.
讨论(0) -
Spring Security has a better answer for this problem now:
http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/#access-control-using-preauthorize-and-postauthorize
Basically, you can use the @P annotation or @Param annotation if you are using < JDK 8.
讨论(0)
加载中...
- 热议问题