Spring - SpEL 在 @PreAuthorize("hasPermission") 中将实体参数评估为空引用
Spring - SpEL evaluates entity argument as null reference in @PreAuthorize("hasPermission")
我遇到了问题,SpEL 在此存储库的第二种方法中将实体参数评估为空引用。第一种方法效果很好,并且 id 被正确评估为 Long 应该是。
@NoRepositoryBean
public interface SecuredPagingAndSortingRepository<T extends AuditedEntity, ID extends Serializable>
extends PagingAndSortingRepository<T, ID> {
@Override
@RestResource(exported = false)
@PreAuthorize("hasPermission(#id, null, 'owner')")
void delete(ID id);
@Override
@PreAuthorize("hasPermission(#entity, 'owner')")
void delete(T entity);
}
这是我的自定义 PermissionEvaluator:
@Slf4j
@Component
public class CustomPermissionEvaluator implements PermissionEvaluator {
private final PermissionResolverFactory permissionResolverFactory;
@Autowired
public CustomPermissionEvaluator(PermissionResolverFactory permissionResolverFactory) {
this.permissionResolverFactory = permissionResolverFactory;
}
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
UserDetails userDetails = (UserDetails) authentication.getPrincipal();
Assert.notNull(userDetails, "User details cannot be null");
Assert.notNull(targetDomainObject, "Target object cannot be null");
log.debug("Permmission: " + permission + " check on: " + targetDomainObject + " for user: " + userDetails.getUsername());
PermissionType permissionType = PermissionType.valueOf(((String) permission).toUpperCase());
return permissionResolverFactory.getPermissionResolver(permissionType).resolve(targetDomainObject.getClass(), authentication, (AuditedEntity) targetDomainObject);
}
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
// TODO
return false;
}
}
此测试未通过,因为在 CustomPermissionEvaluator 中断言目标对象不能为 null。
@RunWith(SpringRunner.class)
@SpringBootTest
@Transactional
@ContextConfiguration(classes = SqapApiApplication.class)
public class PermissionsIT {
@Autowired
private TestGroupRepository testGroupRepository;
@Autowired
private UserRepository userRepository;
UserEntity user;
@Before
public void before() {
user = new UserEntity("user", "password1", true, Sets.newHashSet(RoleType.ROLE_USER));
user = userRepository.save(user);
}
@Test
@WithMockUser(username="user")
public void shouldDeleteWhenIsOwner() throws Exception {
TestGroupEntity testGroupEntity = new TestGroupEntity("testGroup", "testdesc", Sets.newHashSet(new AbxTestEntity(1, "abx", "desc", null)));
user.addTestGroup(testGroupEntity);
user = userRepository.save(user);
TestGroupEntity createdEntity = testGroupRepository.findAll().iterator().next();
testGroupRepository.delete(createdEntity);
}
}
在 interfaces 中引用来自 spel 的方法参数时,用 Spring 数据的 @Param 注释它们以明确命名它们是值得的:
@PreAuthorize("hasPermission(#entity, 'owner')")
void delete(@Param("entity") T entity);
如果参数没有注释 Spring 必须使用反射来发现参数名称。如果
这仅适用于接口方法
- 你是 运行 Spring 4+
- 你是 运行 Java 8
- 接口是用 JDK 8 编译的,并且指定了
-parameters 标志
对于 class 方法 Spring 还有另一种选择——它可以使用调试信息。这适用于 Spring 3 和 Java 的早期版本,但它再次依赖于编译时标志来工作(即 -g)。
为了可移植性,最好注释所有需要引用的参数。
我遇到了问题,SpEL 在此存储库的第二种方法中将实体参数评估为空引用。第一种方法效果很好,并且 id 被正确评估为 Long 应该是。
@NoRepositoryBean
public interface SecuredPagingAndSortingRepository<T extends AuditedEntity, ID extends Serializable>
extends PagingAndSortingRepository<T, ID> {
@Override
@RestResource(exported = false)
@PreAuthorize("hasPermission(#id, null, 'owner')")
void delete(ID id);
@Override
@PreAuthorize("hasPermission(#entity, 'owner')")
void delete(T entity);
}
这是我的自定义 PermissionEvaluator:
@Slf4j
@Component
public class CustomPermissionEvaluator implements PermissionEvaluator {
private final PermissionResolverFactory permissionResolverFactory;
@Autowired
public CustomPermissionEvaluator(PermissionResolverFactory permissionResolverFactory) {
this.permissionResolverFactory = permissionResolverFactory;
}
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
UserDetails userDetails = (UserDetails) authentication.getPrincipal();
Assert.notNull(userDetails, "User details cannot be null");
Assert.notNull(targetDomainObject, "Target object cannot be null");
log.debug("Permmission: " + permission + " check on: " + targetDomainObject + " for user: " + userDetails.getUsername());
PermissionType permissionType = PermissionType.valueOf(((String) permission).toUpperCase());
return permissionResolverFactory.getPermissionResolver(permissionType).resolve(targetDomainObject.getClass(), authentication, (AuditedEntity) targetDomainObject);
}
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
// TODO
return false;
}
}
此测试未通过,因为在 CustomPermissionEvaluator 中断言目标对象不能为 null。
@RunWith(SpringRunner.class)
@SpringBootTest
@Transactional
@ContextConfiguration(classes = SqapApiApplication.class)
public class PermissionsIT {
@Autowired
private TestGroupRepository testGroupRepository;
@Autowired
private UserRepository userRepository;
UserEntity user;
@Before
public void before() {
user = new UserEntity("user", "password1", true, Sets.newHashSet(RoleType.ROLE_USER));
user = userRepository.save(user);
}
@Test
@WithMockUser(username="user")
public void shouldDeleteWhenIsOwner() throws Exception {
TestGroupEntity testGroupEntity = new TestGroupEntity("testGroup", "testdesc", Sets.newHashSet(new AbxTestEntity(1, "abx", "desc", null)));
user.addTestGroup(testGroupEntity);
user = userRepository.save(user);
TestGroupEntity createdEntity = testGroupRepository.findAll().iterator().next();
testGroupRepository.delete(createdEntity);
}
}
在 interfaces 中引用来自 spel 的方法参数时,用 Spring 数据的 @Param 注释它们以明确命名它们是值得的:
@PreAuthorize("hasPermission(#entity, 'owner')")
void delete(@Param("entity") T entity);
如果参数没有注释 Spring 必须使用反射来发现参数名称。如果
这仅适用于接口方法- 你是 运行 Spring 4+
- 你是 运行 Java 8
- 接口是用 JDK 8 编译的,并且指定了
-parameters标志
对于 class 方法 Spring 还有另一种选择——它可以使用调试信息。这适用于 Spring 3 和 Java 的早期版本,但它再次依赖于编译时标志来工作(即 -g)。
为了可移植性,最好注释所有需要引用的参数。