It is not clear to me what the difference in Spring Security is between:
```java
@PreAuthorize("hasRole('ROLE_USER')")
public void create(Contact contact)
```
and
```java
@Secured("ROLE_USER")
public void create(Contact contact)
```
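I know that PreAuthorize can work with Spring EL, but in my sample, is there a real difference?

I have a sample class to test the @PreAuthorize annotation, which looks more or less like this: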
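```java
import org.springframework.security.access.prepost.PreAuthorize;

class BankService {
    // Access decided by a custom SpEL method or by a standard role check
    @PreAuthorize("hasCustomRole('ROLE_CUSTOM') or hasRole('ROLE_EXAMPLE')")
    Double getAccountBalance(Integer accountNumber) {
        return 1234.0; // double literal; an int literal does not box to Double
    }

    // Access decided by an expression over the method argument
    @PreAuthorize("#accountNumber > 400")
    int getValue(Integer accountNumber) {
        return 1234;
    }
}
```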
You can notice hasCustomRole(String expression) in the @PreAuthorize annotation, which I am adding in:
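```java
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.core.Authentication;

public class CustomSecurityExpressionRoot extends SecurityExpressionRoot {
    public CustomSecurityExpressionRoot(Authentication auth) {
        super(auth);
    }

    // Exposed to SpEL as hasCustomRole('...') once this root object is in use
    public boolean hasCustomRole(String expression) {
        return /* some magic */;
    }
}
```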
Additionally, I am extending DefaultMethodSecurityExpressionHandler in the following manner:
```java
public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    public CustomMethodSecurityExpressionHandler() {
        super();
    }

    @Override
    public EvaluationContext createEvaluationContext(Authentication auth, MethodInvocation mi) {
        StandardEvaluationContext …
```