Use ?. operator in principal id checks for security
I changed the following code:
- @PreAuthorize("isAuthenticated() and #employee.id == principal.id")
+ @PreAuthorize("#employee.id == principal?.id")
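Review bot: dropping `isAuthenticated()` changes what this annotation enforces, because `?.` only guards against a null principal, and a non-null principal is not evidence of an authenticated caller. The documentation table quoted further down says `isAnonymous()` returns true "if the current principal is an anonymous user", so an anonymous request still has a principal; with Spring Security's default anonymous filter that principal is the String "anonymousUser", on which `id` is not a readable property, so the new expression fails with an evaluation error rather than cleanly denying access. There is also a null-equality gap: if the safe-navigation yields null and `#employee.id` is null, `#employee.id == principal?.id` evaluates to true and grants access. Keep the guard in front of the comparison, e.g. `@PreAuthorize("isAuthenticated() and #employee.id == principal.id")`.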
This is the change the developer made, shown above. Are the two security checks equivalent? Put differently: if I have confirmed that principal exists and is not null, does that amount to confirming the user is authenticated, i.e. not anonymous?
I found the following in the Spring Security documentation:
Table 15.1. Common built-in expressions
Expression  Description
hasRole([role]) Returns true if the current principal has the specified role.
hasAnyRole([role1,role2]) Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings)
principal Allows direct access to the principal object representing the current user
authentication Allows direct access to the current Authentication object obtained from the SecurityContext
permitAll Always evaluates to true
denyAll Always evaluates to false
isAnonymous() Returns true if the current principal is an anonymous user
isRememberMe() Returns true if the current principal is a remember-me user
isAuthenticated() Returns true if the user is not anonymous
isFullyAuthenticated() Returns true if the user is not an anonymous or a remember-me user
Yes, this will verify whether a principal object is available. According to the documentation, Authentication is a Principal:
public interface Authentication extends Principal, Serializable {}
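To see how the two annotations actually behave, here is an added example (my own code, not from the question or the answer above) that evaluates both expressions with Spring Security's SecurityExpressionRoot and a SpelExpressionParser, outside any web container, the same way method security evaluates them. The AppUser and Employee classes, the ids and the anonymous-token key are assumptions; the "anonymousUser" String principal is what Spring Security's AnonymousAuthenticationFilter places in the context by default. It assumes spring-security-core and spring-expression on the classpath.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example, not code from the original post: compares the "before" and
// "after" @PreAuthorize expressions for a logged-in and an anonymous caller.
public class PrincipalCheckDemo {

    // Assumed shapes of the objects in the question: both expose getId(),
    // which SpEL resolves for "principal.id" and "#employee.id".
    public static class AppUser {
        private final Long id;
        public AppUser(Long id) { this.id = id; }
        public Long getId() { return id; }
    }

    public static class Employee {
        private final Long id;
        public Employee(Long id) { this.id = id; }
        public Long getId() { return id; }
    }

    static final String BEFORE = "isAuthenticated() and #employee.id == principal.id";
    static final String AFTER  = "#employee.id == principal?.id";

    // Evaluates one expression the way method security does: the root object is a
    // SecurityExpressionRoot built from the Authentication, and the method
    // argument is bound as the #employee variable.
    static String evaluate(String expr, Authentication auth, Employee employee) {
        // SecurityExpressionRoot is abstract but declares no abstract methods,
        // so an anonymous subclass is enough for a stand-alone evaluation.
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) {};
        StandardEvaluationContext ctx = new StandardEvaluationContext(root);
        ctx.setVariable("employee", employee);
        ExpressionParser parser = new SpelExpressionParser();
        try {
            Expression e = parser.parseExpression(expr);
            return String.valueOf(e.getValue(ctx, Boolean.class));
        } catch (SpelEvaluationException ex) {
            // The expression did not produce a boolean at all; in a real
            // @PreAuthorize this surfaces as an exception, not a denial.
            return "ERROR: " + ex.getMessage();
        }
    }

    public static void main(String[] args) {
        Employee employee = new Employee(42L);   // constructed sample input

        // Case 1: a real login whose principal carries the matching id.
        Authentication loggedIn = new UsernamePasswordAuthenticationToken(
                new AppUser(42L), "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        // Case 2: what the anonymous filter puts in the SecurityContext.
        // The principal is a non-null String, so "principal?.id" is NOT null-guarded away.
        Authentication anonymous = new AnonymousAuthenticationToken(
                "assumed-key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

        System.out.println("logged in, before: " + evaluate(BEFORE, loggedIn, employee));
        System.out.println("logged in, after : " + evaluate(AFTER, loggedIn, employee));
        System.out.println("anonymous, before: " + evaluate(BEFORE, anonymous, employee));
        System.out.println("anonymous, after : " + evaluate(AFTER, anonymous, employee));
    }
}
```

For the logged-in user both expressions agree. For the anonymous user they do not: the original expression denies because isAuthenticated() is false and SpEL's `and` short-circuits before touching principal.id, whereas the rewritten expression never reaches a clean false, since `?.` only guards against null and the anonymous principal is a non-null String without an id property, so reading it raises a SpelEvaluationException. A non-null principal therefore tells you nothing about whether the caller is authenticated, which is exactly what isAuthenticated() (and isFullyAuthenticated(), if remember-me sessions should also be excluded) is for.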