spring security@preauthorize绕过特定角色

vs3odd8k  于 2021-07-06  发布在  Java
关注(0)|答案(1)|浏览(606)

我正在使用spring安全策略,需要一个全球角色super的帮助,这个角色必须绕过所有 @PreAuthorize 当令牌拥有它时,在端点上。这是一个端点示例:

@GetMapping
@PreAuthorize("(hasAuthority('DOMAIN_FIND_ALL'))")
public ResponseEntity<ResponseDTO<List<DomainDTO>>> findAll() {
    return ResponseEntity.ok().body(domainService.findAll());
}

我发现我的全球角色是这样运作的

@GetMapping
@PreAuthorize("(hasAuthority('DOMAIN_FIND_ALL') or (hasAuthority('SUPER'))")
public ResponseEntity<ResponseDTO<List<DomainDTO>>> findAll() {
    return ResponseEntity.ok().body(domainService.findAll());
}

但是太长,无法实现应用程序的每个端点 (hasAuthority('SUPER') ,所以我正在寻找一种全局配置它的方法,这样,如果令牌具有该角色,那么所有端点都是允许的。
我试过的:

@Override
public void configure(HttpSecurity http) throws Exception {
   http.csrf().disable()
              .authorizeRequests()
              .otherStuffs..
              .antMatchers("/**").authenticated()
              .antMatchers("/**").hasRole("SUPER");
}

但它不起作用。有人知道吗?

yrefmtwq

yrefmtwq1#

有关更详细的说明,请参阅以下链接(主要是第6节)。作为我回答的基础的代码是:
mysecurityexpressionroot
custommethodsecurityexpressionhandler
以下代码适用于我:

@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests()
            .otherStuffs..
            .antMatchers("/**").authenticated();  // hasRole("SUPER") isn't require
}

替代默认值 MethodSecurityExpressionOperations 接口:

public class MySecurityExpressionRoot implements MethodSecurityExpressionOperations {

  // Same properties than provided
  // link for MySecurityExpressionRoot
  ...

  public MySecurityExpressionRoot(Authentication authentication) {
    if (authentication == null) {
        throw new IllegalArgumentException("Authentication object cannot be null");
    }
    this.authentication = authentication;
  }

  // This is the ONLY change, as you can see the "SUPER" was added as allowed
  @Override
  public final boolean hasAuthority(String authority) {
    return this.hasAnyAuthority(authority, "SUPER");
  }

  // Rest of the code is the same than provided
  // link for MySecurityExpressionRoot
  ...
}

现在我们需要将上述类添加到spring配置中:

@Configuration  // Required although not include in "source CustomMethodSecurityExpressionHandler" class
public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
  private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

  @Override
  protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) {
    final MySecurityExpressionRoot root = new MySecurityExpressionRoot(authentication);
    root.setPermissionEvaluator(getPermissionEvaluator());
    root.setTrustResolver(this.trustResolver);
    root.setRoleHierarchy(getRoleHierarchy());
    return root;
  }
}

现在您可以使用以下虚拟对象来验证它 GET 终结点:

@GetMapping("/add-new-user")
@PreAuthorize("hasAuthority('ADMIN')")
public ResponseEntity<String> addNewUser() {
    return new ResponseEntity("[add-new-user] Testing purpose", OK);
}

任何用户: ADMIN 或者 SUPER 角色将能够访问它。

相关问题