如何将参数从自定义注释传递到库中的 WebSecurityConfigurer

How to pass parameters from custom annotation to WebSecurityConfigurer in library

您好,我们正在构建自定义 spring 安全库

我们需要通过 @EnableMySpringSecurity(excludePaths = {"/v1","/v2"}) 将 {"/v1","/v2"} 路径传递到库网络安全,这样我们就可以从安全性中忽略这些端点

@EnableMySpringSecurity(excludePaths = {"/v1","/v2"})
@EnableWebMvc
public class WebAppConfiguration extends BaseWebAppConfiguration {

来自自定义 JAR 的网络安全配置

@EnableWebSecurity(debug = true)
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public static class SecurityConfig extends WebSecurityConfigurerAdapter {

@Override
public void configure(WebSecurity web){
 web.ignoring().antMatchers(excludePaths );

如何将从@EnableMYSpringSecurity 传递的值传递给 webSecuirty web.ignoring.antMatchers

我们的注解配置

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
public @interface EnableMySpringSecurity {
    String[] excludePaths() default {};
}

我试过 ApplicationStartupListener 但问题是,它在 websecuirty 配置后初始化

public class ApplicationStartupListener implements
        ApplicationListener<ContextRefreshedEvent> {

    private ApplicationContext context;

    private EnableMySSAnnotationProcessor processor;

    public ApplicationStartupListener(ApplicationContext context,
                                      EnableMySSAnnotationProcessor processor) {
        this.context = context;
        this.processor = processor;
    }

    @Override
    public void onApplicationEvent(ContextRefreshedEvent contextRefreshedEvent) {
        Optional<EnableMySpringSecurity> annotation =
                context.getBeansWithAnnotation(EnableMySpringSecurity.class).keySet().stream()
                        .map(key -> context.findAnnotationOnBean(key, EnableMySpringSecurity.class))
                        .findFirst();
        annotation.ifPresent(enableMySpringSecurity-> processor.process(enableMySpringSecurity));
    }
}

一种方法是使用 @Import 注释:

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@Import(MyWebSecurityConfiguration.class)
@EnableWebSecurity
public @interface EnableMyWebSecurity {
    String[] paths() default [];
}

然后是ImportAware界面:

@Configuration
public class MyWebSecurityConfiguration implements ImportAware {
    private String[] paths;

    @Bean
    WebSecurityCustomizer paths() {
        return (web) -> web.ignoring().antMatchers(paths);
    }

    @Override
    public void setImportMetadata(AnnotationMetadata importMetadata) {
        EnableMyWebSecurity annotation = importMetadata
            .getAnnotations().get(EnableMyWebSecurity.class).synthesize();
        this.paths = annotations.paths();
    }

}

请注意,顺便说一下,当您排除路径时,Spring 安全性无法将安全性 headers 添加为响应的一部分。如果您希望这些端点受到 Spring 安全保护,但 public,请考虑:

@Configuration
public class MyWebSecurityConfiguration implements ImportAware {
    private String[] paths;

    @Bean
    @Order(1)
    SecurityFilterChain paths(HttpSecurity http) {
        http
            .requestMatchers((requests) -> requests.antMatchers(paths))
            .authorizeRequests((authorize) -> authorize
                .anyRequest().permitAll()
            );
        return http.build();
    }

    @Override
    public void setImportMetadata(AnnotationMetadata importMetadata) {
        EnableMyWebSecurity annotation = importMetadata
            .getAnnotations().get(EnableMyWebSecurity.class).synthesize();
        this.paths = annotations.paths();
    }

}

第二种方法的好处是Spring安全不需要身份验证,但会添加安全响应headers。

@jzheaux 提供的解决方案有效

还有另一种解决方案 - 是使用应用程序上下文 getBeansWithAnnoation

@EnableWebSecurity(debug = true)
@Configuration
@Order(2147483640)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {


@Autowired
private ApplicationContext appContext;

 @Override
    public void configure(WebSecurity web){
        Map<String,Object> beanMap = this.appContext.getBeansWithAnnotation(EnableMYSpringSecurity.class);

        if(!beanMap.isEmpty()){
            EnableMYSpringSecurityanno = (EnableMYSpringSecurity) this.appContext.findAnnotationOnBean(beanMap.keySet()
                    .iterator()
                    .next(),EnableMYSpringSecurity.class);

            String[] permitPaths = anno.excludePaths();
            Arrays.stream(permitPaths).forEach(System.out::println);

        }