如何在Spring Security @ PreAuthorize/@ PostAuthorize注释中使用自定义表达式

Question

有没有办法在@Preauthorize块中创建更具表现力的语句？这是我发现自己重复的一个例子,因为@Preauthorize不是非常聪明的开箱即用.

@RequestMapping(value = "{id}", method = RequestMethod.DELETE)
public void deleteGame(@PathVariable int id, @ModelAttribute User authenticatingUser) {
    Game currentGame = gameService.findById(id);
    if(authenticatingUser.isAdmin() || currentGame.getOwner().equals(authenticatingUser)) {
        gameService.delete(gameService.findById(id));
    } else {
        throw new SecurityException("Only an admin, or an owner can delete a game.");
    }
}

我更喜欢的是类似的东西.

@RequestMapping(value = "{id}", method = RequestMethod.DELETE)
@Preauthorize(isAdmin(authenicatingUser) OR isOwner(authenicatingUser, id)
public void deleteGame(@PathVariable int id, @ModelAttribute User authenticatingUser, @ModelAttribute currentGame ) { //I'm not sure how to add this either :(
   gameService.delete(gameService.findById(id));
}

部分问题是我需要对数据库进行查询以获取一些这些东西以验证权限,例如查询数据库以获取游戏副本,然后将游戏所有者与制作人员进行比较请求.我不确定所有这些是如何在@Preauthorize注释处理器的上下文中运行的,或者我如何将事物添加到@Preauthorize("")值属性中可用的对象集合中.

Answer 1

从@PreAuthorize评估SpEl -expressions开始,最简单的方法就是指向bean:

    @PreAuthorize("@mySecurityService.someFunction()")

MySecurityService.someFunction应该有返回类型boolean.

authentication如果要传递Authentication-object,Spring-security将自动提供一个名为的变量.您还可以使用任何有效的SpEl表达式来访问传递给安全方法的任何参数,评估正则表达式,调用静态方法等.例如:

    @PreAuthorize("@mySecurityService.someFunction(authentication, #someParam)")

Answer 2

1)首先,您必须重新实现MethodSecurityExpressionRoot,其中包含额外的特定于方法的功能.最初的Spring Security实现是包私有的,因此不可能只扩展它.我建议检查给定类的源代码.

public class CustomMethodSecurityExpressionRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {

    // copy everything from the original Spring Security MethodSecurityExpressionRoot

    // add your custom methods

    public boolean isAdmin() {
        // do whatever you need to do, e.g. delegate to other components

        // hint: you can here directly access Authentication object 
        // via inherited authentication field
    }

    public boolean isOwner(Long id) {
        // do whatever you need to do, e.g. delegate to other components
    }
}

2)接下来,您必须实现MethodSecurityExpressionHandler将使用上面定义的自定义CustomMethodSecurityExpressionRoot.

public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {

    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    @Override
    public void setReturnObject(Object returnObject, EvaluationContext ctx) {
        ((MethodSecurityExpressionRoot) ctx.getRootObject().getValue()).setReturnObject(returnObject);
    }

    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication,
        MethodInvocation invocation) {
        final CustomMethodSecurityExpressionRoot root = new CustomMethodSecurityExpressionRoot(authentication);
        root.setThis(invocation.getThis());
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(this.trustResolver);
        root.setRoleHierarchy(getRoleHierarchy());

        return root;
    }
}

3)在您的上下文中定义表达式处理程序bean,例如,通过XML,您可以按如下方式执行

<bean id="methodSecurityExpressionHandler"
    class="my.package.CustomMethodSecurityExpressionHandler">
    <property name="roleHierarchy" ref="roleHierarchy" />
    <property name="permissionEvaluator" ref="permissionEvaluator" />
</bean>

4)注册上面定义的处理程序

<security:global-method-security pre-post-annotations="enabled">
    <security:expression-handler ref="methodSecurityExpressionHandler"/>
</security:global-method-security>

5)然后只需在您@PreAuthorize和/或@PostAuthorize注释中使用已定义的表达式

@PreAuthorize("isAdmin() or isOwner(#id)")
public void deleteGame(@PathVariable int id, @ModelAttribute currentGame) {
    // do whatever needed
}

还有一件事.使用方法级安全性来保护控制器方法并且使用业务逻辑(也称为服务层方法)来保护方法并不常见.然后你可以使用类似下面的东西.

public interface GameService {

    // rest omitted

    @PreAuthorize("principal.admin or #game.owner = principal.username")
    public void delete(@P("game") Game game);
}

但请记住,这只是一个例子.它期望实际主体具有isAdmin()方法并且游戏具有getOwner()返回所有者的用户名的方法.

Answer 3

你可以写下你的注释:

@PreAuthorize("hasRole('ROLE_ADMIN') and hasPermission(#id, 'Game', 'DELETE')")

要使hasPermission部分正常工作,您需要实现PermissionEvaluator接口.

然后定义表达式处理程序bean:

@Autowired
private PermissionEvaluator permissionEvaluator;

@Bean
public DefaultMethodSecurityExpressionHandler expressionHandler()
{
    DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
    handler.setPermissionEvaluator(permissionEvaluator);
    return handler;
}

并注入您的安全配置:

<global-method-security pre-post-annotations="enabled">
  <expression-handler ref="expressionHandler" />
</global-method-security>