spring security 自定义标签 (custom security expression)

spring-security-create-new-custom-security-expression

/**
 * Turns on method security (`@PreAuthorize`/`@PostAuthorize` and `@Secured`) and
 * installs the custom expression handler, so that expressions such as
 * `isMember(...)` and `hasPermission(...)` are resolved by
 * [CustomMethodSecurityExpressionHandler] and [CustomPermissionEvaluator].
 *
 * NOTE(review): only method security is wired here. Web-layer expressions
 * (`http.authorizeRequests().access(...)`) go through a separate handler that
 * this class does not touch — confirm the web side separately if `hasPermission`
 * is used there as well.
 * NOTE(review): `@EnableGlobalMethodSecurity` is deprecated in newer Spring Security
 * releases in favour of `@EnableMethodSecurity`; which one applies depends on the
 * project's Spring Security version (not visible here).
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
class MethodSecurityConfig : GlobalMethodSecurityConfiguration() {

    /**
     * Builds the expression handler used for every method-security expression.
     * The only extra wiring is the custom [PermissionEvaluator].
     */
    override fun createExpressionHandler(): MethodSecurityExpressionHandler? =
        CustomMethodSecurityExpressionHandler().apply {
            setPermissionEvaluator(CustomPermissionEvaluator())
        }
}

/**
 * Expression handler that hands out [MySecurityExpressionRoot] instead of the
 * framework's default root object, which is what makes custom expressions such as
 * `isMember(...)` available inside `@PreAuthorize`/`@PostAuthorize`.
 */
class CustomMethodSecurityExpressionHandler : DefaultMethodSecurityExpressionHandler() {

    /**
     * Creates the root object a method-security expression is evaluated against.
     *
     * The handler's permission evaluator, trust resolver and role hierarchy are
     * copied onto the custom root; [invocation] is not consulted.
     *
     * NOTE(review): the framework's own implementation additionally propagates
     * the default role prefix (`ROLE_`) and the invocation target (`#this`) to
     * its root. How `hasRole(...)` and `#this` behave on [MySecurityExpressionRoot]
     * therefore depends on that class's implementation, which is not shown here —
     * confirm before relying on either in expressions.
     */
    override fun createSecurityExpressionRoot(
        authentication: Authentication,
        invocation: MethodInvocation?
    ): MethodSecurityExpressionOperations? {
        // Bind the handler's collaborators to locals first so that the names
        // inside `apply` unambiguously refer to this handler, not to the root.
        val evaluator = permissionEvaluator
        val resolver = trustResolver
        val hierarchy = roleHierarchy
        return MySecurityExpressionRoot(authentication).apply {
            setPermissionEvaluator(evaluator)
            setTrustResolver(resolver)
            setRoleHierarchy(hierarchy)
        }
    }
}

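/**
 * Backs `hasPermission(target, permission)` in security expressions.
 *
 * Decision rule: grant iff the caller holds a granted authority whose authority
 * string is *exactly* the requested permission. The previous version used a
 * substring test (`authority.contains(permission)`), which granted e.g. `"admin"`
 * to a caller holding `"not_admin"` or `"admin_readonly"` — authority matching
 * must be exact, never a substring match.
 *
 * NOTE(review): the target type derived from the domain object is computed but is
 * not part of the decision (this was already the case in the original), so one
 * permission string grants access for every domain type. If a
 * `<TYPE>_<PERMISSION>` authority convention is intended, fold `targetType` into
 * the comparison in [hasPrivilege].
 */
class CustomPermissionEvaluator : PermissionEvaluator {

    /**
     * Object-based variant, e.g. `hasPermission(#document, 'read')`.
     *
     * Fails closed (returns false) when there is no authentication, no target
     * object, or the permission is not a String. The target type is the target's
     * upper-cased simple class name.
     */
    override fun hasPermission(authentication: Authentication?, targetDomainObject: Any?, permission: Any?): Boolean {
        if (authentication == null || targetDomainObject == null || permission !is String) {
            return false
        }
        val targetType: String = targetDomainObject::class.java.simpleName.toUpperCase()
        // `permission` is smart-cast to String after the guard above.
        return hasPrivilege(authentication, targetType, permission)
    }

    /**
     * Id-based variant, e.g. `hasPermission(#id, 'Document', 'read')`.
     *
     * Not implemented. Throwing fails closed — the call can never grant — but
     * surfaces as a server error rather than a denial; implement before using
     * this form in an expression.
     */
    override fun hasPermission(authentication: Authentication?, targetId: Serializable?, targetType: String?, permission: Any?): Boolean {
        TODO("not implemented")
    }

    /**
     * True iff one of [auth]'s authorities equals [permission] exactly.
     * [targetType] is currently not consulted (see class KDoc).
     */
    private fun hasPrivilege(auth: Authentication, targetType: String, permission: String): Boolean =
        auth.authorities.any { it.authority == permission }
}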

class MySecurityExpressionRoot(private val authentication: Authentication) : MethodSecurityExpressionOperations {

private var permissionEvaluator: PermissionEvaluator? = null
...

/**
 * Injects the [PermissionEvaluator] that `hasPermission(...)` delegates to.
 * The expression handler calls this right after constructing the root.
 */
fun setPermissionEvaluator(permissionEvaluator: PermissionEvaluator?) {
    this.permissionEvaluator = permissionEvaluator
}

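/**
 * Custom security expression: is the current user a member of [organizationId]?
 *
 * Used from `@PreAuthorize("isMember(#id)")`. While the real membership check
 * is not wired in, this placeholder DENIES. The previous version returned `true`
 * unconditionally, which turned every `isMember(...)` guard into a no-op — an
 * authorization predicate must fail closed while it is a stub.
 *
 * The intended implementation (from the original, commented-out code) compares
 * the principal's organization id with [organizationId]; it needs the project's
 * principal type, roughly
 *   `(authentication.principal as MyUserPrincipal).user.organization.id == organizationId`
 * — verify the principal type and the id type before enabling it.
 *
 * @param organizationId organization whose membership is asserted; it comes
 *   straight from the request (`#id`), so treat it as untrusted input.
 * @return false until a real check replaces this placeholder.
 */
fun isMember(organizationId: Long): Boolean {
    // Debug trace of the requested id, kept from the original stub.
    println(organizationId)
    // TODO(review): replace with the real membership check described above.
    return false
}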
...
}

/**
 * Example controller guarded by the custom `isMember` expression.
 *
 * `tokenProvider` and `authenticationManagerBuilder` are injected but not used
 * by the handler shown here.
 */
@RestController
@RequestMapping("/api")
class SysUserController(
    val tokenProvider: TokenProvider,
    val authenticationManagerBuilder: AuthenticationManagerBuilder
) {

    /**
     * GET /api/users/authenticate — returns the caller's remote user name.
     *
     * Access is decided by `isMember(#id)`, the custom expression on
     * `MySecurityExpressionRoot`; `#id` is this handler's own `id` parameter,
     * i.e. a caller-supplied value — the expression, not this method, is what
     * must validate it.
     *
     * NOTE(review): `isMember` takes a `Long` while `id` is an `Int`; this relies
     * on SpEL's numeric conversion — confirm.
     * NOTE(review): the Kotlin default `id = 1` only applies if the framework
     * invokes the handler through Kotlin reflection — confirm; otherwise a
     * request without `id` is a binding error.
     * NOTE(review): `request.remoteUser` is a Java platform type that may be null
     * (e.g. for an anonymous caller); returning it as a non-null `String` then
     * fails at runtime.
     */
    @GetMapping("/users/authenticate")
    // Alternative guard using the custom PermissionEvaluator instead:
    // @PreAuthorize("hasPermission(#request.attributeNames,'role_admin')")
    @PreAuthorize("isMember(#id)")
    fun isAuthenticated(request: HttpServletRequest, id: Int = 1): String = run {
        log.debug("REST request to check if the current user is authenticated")
        request.remoteUser
    }

    companion object {
        private val log: Logger = LoggerFactory.getLogger(SysUserController::class.java)
    }
}