
java - Spring - SpEL evaluates entity parameter as a null reference in @PreAuthorize("hasPermission")

Reposted. Author: 行者123. Updated: 2023-11-30 06:07:30

I ran into a problem where SpEL evaluates the entity parameter to a null reference in the second method of this repository. The first method works fine, and the id is correctly evaluated as the Long it should be.

import java.io.Serializable;

import org.springframework.data.repository.NoRepositoryBean;
import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.rest.core.annotation.RestResource;
import org.springframework.security.access.prepost.PreAuthorize;

@NoRepositoryBean
public interface SecuredPagingAndSortingRepository<T extends AuditedEntity, ID extends Serializable>
        extends PagingAndSortingRepository<T, ID> {

    // Works: #id is bound to the Long that was passed in
    @Override
    @RestResource(exported = false)
    @PreAuthorize("hasPermission(#id, null, 'owner')")
    void delete(ID id);

    // Fails: #entity evaluates to null inside the expression
    @Override
    @PreAuthorize("hasPermission(#entity, 'owner')")
    void delete(T entity);
}

Here is my custom PermissionEvaluator:

import java.io.Serializable;

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;

@Slf4j
@Component
public class CustomPermissionEvaluator implements PermissionEvaluator {

    private final PermissionResolverFactory permissionResolverFactory;

    @Autowired
    public CustomPermissionEvaluator(PermissionResolverFactory permissionResolverFactory) {
        this.permissionResolverFactory = permissionResolverFactory;
    }

    // Two-argument form: hasPermission(#entity, 'owner') lands here
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        UserDetails userDetails = (UserDetails) authentication.getPrincipal();
        Assert.notNull(userDetails, "User details cannot be null");
        Assert.notNull(targetDomainObject, "Target object cannot be null");
        log.debug("Permission: " + permission + " check on: " + targetDomainObject + " for user: " + userDetails.getUsername());

        PermissionType permissionType = PermissionType.valueOf(((String) permission).toUpperCase());
        return permissionResolverFactory.getPermissionResolver(permissionType)
                .resolve(targetDomainObject.getClass(), authentication, (AuditedEntity) targetDomainObject);
    }

    // Three-argument form: hasPermission(#id, null, 'owner') lands here
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        // TODO
        return false;
    }
}

This test fails because the assertion in CustomPermissionEvaluator that the target object cannot be null trips.

import com.google.common.collect.Sets;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.transaction.annotation.Transactional;

@RunWith(SpringRunner.class)
@SpringBootTest
@Transactional
@ContextConfiguration(classes = SqapApiApplication.class)
public class PermissionsIT {

    @Autowired
    private TestGroupRepository testGroupRepository;

    @Autowired
    private UserRepository userRepository;

    UserEntity user;

    @Before
    public void before() {
        user = new UserEntity("user", "password1", true, Sets.newHashSet(RoleType.ROLE_USER));
        user = userRepository.save(user);
    }

    @Test
    @WithMockUser(username = "user")
    public void shouldDeleteWhenIsOwner() throws Exception {
        TestGroupEntity testGroupEntity = new TestGroupEntity("testGroup", "testdesc",
                Sets.newHashSet(new AbxTestEntity(1, "abx", "desc", null)));
        user.addTestGroup(testGroupEntity);
        user = userRepository.save(user);
        TestGroupEntity createdEntity = testGroupRepository.findAll().iterator().next();
        // The @PreAuthorize on delete(T entity) runs here and sees #entity as null
        testGroupRepository.delete(createdEntity);
    }
}

Best answer

When referencing method parameters from SpEL in interfaces, it is worth annotating them with Spring Data's @Param to name them explicitly:

import org.springframework.data.repository.query.Param;

@PreAuthorize("hasPermission(#entity, 'owner')")
void delete(@Param("entity") T entity);

If the parameters are not annotated, Spring has to use reflection to discover the parameter names. For interface methods, this only works if:

  • you are running Spring 4+
  • you are running Java 8
  • the interface was compiled with JDK 8 with the -parameters flag specified

For class methods, Spring has another option: it can use the debug information. This works on Spring 3 and earlier versions of Java, but again it relies on a compile-time flag to work (namely -g).

For portability, it is best to annotate all parameters that need to be referenced.

Reference: Access Control using @PreAuthorize and @PostAuthorize.
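The following added example (not part of the original question or answer) shows why the answer recommends @Param. It is plain JDK code with no Spring dependency: the `Param` annotation here is a constructed stand-in for Spring Data's `org.springframework.data.repository.query.Param`, and `resolveName` mirrors the lookup order the answer describes, explicit annotation first, then the compiler-emitted parameter name, which only exists when the interface was compiled with `-parameters`. When neither is available, the name SpEL would need for `#entity` is simply not there, which is the situation that produces the null reference in the question.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Parameter;
import java.util.Optional;

// Constructed stand-in for Spring Data's @Param so this file compiles with the JDK alone.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.PARAMETER)
@interface Param {
    String value();
}

// Hypothetical repository shapes: one relies on reflection, one names the parameter explicitly.
interface UnannotatedRepo<T> {
    void delete(T entity);
}

interface AnnotatedRepo<T> {
    void delete(@Param("entity") T entity);
}

public class ParameterNameCheck {

    // Name a SpEL expression such as "#entity" would bind to for this parameter.
    // Order mirrors the answer: explicit @Param, then the compiler-emitted name
    // (present only when compiled with -parameters), otherwise nothing.
    static Optional<String> resolveName(Parameter p) {
        Param annotation = p.getAnnotation(Param.class);
        if (annotation != null) {
            return Optional.of(annotation.value());
        }
        if (p.isNamePresent()) {
            return Optional.of(p.getName());
        }
        return Optional.empty();
    }

    // Report what a SpEL evaluator could learn about delete(T) on the given interface.
    // The generic T erases to Object, so the method is looked up with Object.class.
    static void report(Class<?> repo) throws NoSuchMethodException {
        Method delete = repo.getMethod("delete", Object.class);
        Parameter param = delete.getParameters()[0];
        String resolved = resolveName(param).orElse("<none: '#entity' would evaluate to null>");
        System.out.printf("%-16s compiled with -parameters: %-5s resolved name: %s%n",
                repo.getSimpleName(), param.isNamePresent(), resolved);
    }

    public static void main(String[] args) throws Exception {
        report(UnannotatedRepo.class);
        report(AnnotatedRepo.class);
    }
}
```

Compile the file once with `javac ParameterNameCheck.java` and once with `javac -parameters ParameterNameCheck.java`, then run `java ParameterNameCheck` after each. Without the flag, `UnannotatedRepo` resolves no name at all while `AnnotatedRepo` still resolves "entity"; with the flag, both resolve it. That difference is exactly the portability argument in the answer: the annotation makes the authorization check independent of how the interface happened to be compiled, so a build-configuration change cannot silently turn a named argument into null.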

Regarding "java - Spring - SpEL evaluates entity parameter as a null reference in @PreAuthorize("hasPermission")", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/41353363/
