问题
I want to use @PreAuthorize Spring annotation to controll access in my application.
The problem is, that I have a lot of conditions depends not on the request parameters, but on the database entities.
Overview:
I have an Route entity, that has User owner field. You can remove the Route only if you are an owner.
I have written my controller method:
@RequestMapping(value = "/route/remove/{id}", method = RequestMethod.GET)
@PreAuthorize("hasPermission(#id, 'RouteRemove')")
public String removeRoute(@PathVariable("id") Integer id, ModelMap model) {
Route route = routeBO.getById(id);
if(null == route)
return "forward:/errors/404";
// ... remove route here.
// routeBO.remove(id);
}
My RouteRemove permission is defined as:
@Component
public class RouteRemovePermission implements Permission {
@Autowired
private RouteBO routeBO;
@Override
public boolean isAllowed(Authentication authentication, Object targetDomainObject) {
if(!(targetDomainObject instanceof Integer))
return false;
Route route = routeBO.getById((Integer) targetDomainObject);
if(route == null)
return false;
User user = AthenticationUtil.getUser();
return null != user && user.equals(route.getOwner());
}
}
As you can see, I have to evaluate routeBO.getById() twice.
Question:
is it possible to evaluate this code only once?
Of course i have tried:
@RequestMapping(value = "/route/remove/{id}", method = RequestMethod.GET)
public String removeRoute(@PathVariable("id") Integer id, ModelMap model) {
Route route = routeBO.getById(id);
if(null == route)
return "forward:/errors/404";
return removeRoute(route, model);
}
@PreAuthorize("hasPermission(#id, 'RouteRemove')")
public String removeRoute(Route id, ModelMap model) {
return "route/display";
}
but there no invocation of permission method before removeRoute(Route id, ModelMap model). Maybe I have incorrect configuration?
mvc-dispatcher-servlet.xml
<sec:global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
<sec:expression-handler ref="expressionHandler"/>
</sec:global-method-security>
security.xml
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>
<beans:bean id="permissionEvaluator" class="pl.wsiadamy.common.security.BasePermissionEvaluator">
<beans:constructor-arg index="0">
<beans:map key-type="java.lang.String"
value-type="pl.wsiadamy.common.security.Permission">
<beans:entry key="RouteView" value-ref="routeViewPermission" />
<beans:entry key="RouteRemove" value-ref="routeRemovePermission" />
</beans:map>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="routeViewPermission" class="pl.wsiadamy.common.security.permission.RouteViewPermission" />
<beans:bean id="routeRemovePermission" class="pl.wsiadamy.common.security.permission.RouteRemovePermission" />
回答1:
I suggest you break out your security-annotated removeRoute method to a separate service class, like:
@Service
public class RouteService {
@PreAuthorize("hasPermission(#route, 'RouteRemove')")
public void removeRoute(Route route) {
// remove route here
}
}
Then you use it in your web controller:
@Autowired RouteService routeService;
@RequestMapping(value = "/route/remove/{id}", method = RequestMethod.GET)
public String removeRoute(@PathVariable("id") Integer id, ModelMap model) {
Route route = routeBO.getById(id);
if(null == route)
return "forward:/errors/404";
routeService.removeRoute(route);
return "route/display";
}
来源:https://stackoverflow.com/questions/16164615/preauthorize-with-haspermission-executes-code-twice