2015-04-23 87 views
2

Spring WebFlow + Spring Security: use expressions instead of roles

I created a CustomWebSecurityExpressionHandler that checks the user against a DB table by looking up a function ID. For each function I want to change only a few database rows and restart the context, without recompiling and editing a bunch of XML.

I want to use Spring Security expressions in WebFlow! Just like I can do anywhere else in Spring...

<?xml version="1.0" encoding="UTF-8"?> 
<flow xmlns="http://www.springframework.org/schema/webflow" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/webflow 
          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd"> 

    <secured attributes="isFUUU('key')" /> 

    <view-state id="main" view="dashboard/main.html" > 
    </view-state> 

</flow> 

How do I make isFUUU('key') work? Is a custom CustomAccessDecisionManager needed for this?

Answers

1

I found a solution.

I had to debug 20 Spring Security / WebFlow classes to discover that, in SecurityFlowExecutionListener, even if you configure Spring Security expressions to work, the listener will only be role based. I found that parsing expressions requires a specific type of config attribute, WebExpressionConfigAttribute to be precise. But it is not a public class! https://jira.spring.io/browse/SEC-1727. So, as suggested in that old JIRA, I needed to create my CustomSecurityFlowExecutionListener in the same package (org.springframework.security.web.access.expression).

Example below.

CustomSecurityFlowExecutionListener:

package org.springframework.security.web.access.expression; // First part of the trick: same package as the package-private WebExpressionConfigAttribute

import foo.bar.example.services.security.CustomAccessDecisionManager;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.expression.ExpressionParser;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.webflow.security.SecurityFlowExecutionListener;
import org.springframework.webflow.security.SecurityRule;

/**
 * Force the Spring WebFlow security listener to use expressions!
 *
 * @author roberto.gabrieli
 */
public class CustomSecurityFlowExecutionListener extends SecurityFlowExecutionListener
{

    /**
     * Convert a SecurityRule into a form understood by Spring Security,
     * forcing the usage of WebExpressionConfigAttribute!
     *
     * @param rule
     *   the rule to convert
     * @return list of ConfigAttributes for Spring Security
     */
    @Override
    @SuppressWarnings("deprecation")
    protected Collection<ConfigAttribute> getConfigAttributes(SecurityRule rule)
    {
        // Get the Access Decision Manager to find out whether it carries my expression handler
        AccessDecisionManager adm = getAccessDecisionManager();

        ExpressionParser ep = null;
        // Only my CustomAccessDecisionManager exposes the expression handler, so only then can expressions be used
        if (adm instanceof CustomAccessDecisionManager)
        {
            ep = ((CustomAccessDecisionManager) adm).getWebSecurityExpressionHandler().getExpressionParser();
        }

        List<ConfigAttribute> configAttributes = new ArrayList<ConfigAttribute>();
        for (String attribute : rule.getAttributes())
        {
            if (ep != null)
                // this will end the trick with fireworks: the parsed expression is wrapped in the package-private attribute type
                configAttributes.add(new WebExpressionConfigAttribute(ep.parseExpression(attribute)));
            else
                // no expression parser available: fall back to plain role names
                configAttributes.add(new SecurityConfig(attribute));
        }
        return configAttributes;
    }
}

webflow-config.xml:

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop" 
    xmlns:context="http://www.springframework.org/schema/context" 
    xmlns:util="http://www.springframework.org/schema/util" xmlns:webflow="http://www.springframework.org/schema/webflow-config" 
    xmlns:mvc="http://www.springframework.org/schema/mvc" 
    xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.1.xsd 
     http://www.springframework.org/schema/webflow-config http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.4.xsd 
     http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd 
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd 
     http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd 
     http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd"> 
... 

    <bean id="securityFlowExecutionListener" 
     class="org.springframework.security.web.access.expression.CustomSecurityFlowExecutionListener"> 
     <property name="accessDecisionManager" ref="customAccessDecisionManager"/> 
    </bean> 

... 
</beans> 
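The answer above only shows the listener half of the trick; the `customAccessDecisionManager` bean it references, with its `getWebSecurityExpressionHandler()` method and the expression root that makes `isFUUU('key')` resolvable, is left to the reader. The following is an added example, not code from the answer or from Spring; it assumes the package `foo.bar.example.services.security` from the listener's import, a hypothetical `FunctionPermissionRepository` standing in for the question's DB table lookup, and Spring Security 3.1+ (the `FilterInvocation(String, String)` constructor and `createSecurityExpressionRoot` returning `SecurityExpressionOperations`). Because `WebExpressionConfigAttribute` is package-private, the manager never names it: it hands the attributes the listener built to a `WebExpressionVoter`, which recognises them, and falls back to role matching when the voter abstains.

```java
package foo.bar.example.services.security; // hypothetical package, taken from the answer's import

import java.util.Collection;
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebExpressionVoter;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/** Hypothetical lookup of the function keys a user may use (the question's DB table; e.g. a JDBC-backed bean). */
interface FunctionPermissionRepository {
    boolean isAllowed(String username, String functionKey);
}

/** Expression root that adds isFUUU('key') next to the standard hasRole(...), hasIpAddress(...) and friends. */
class FunctionSecurityExpressionRoot extends WebSecurityExpressionRoot {
    private final FunctionPermissionRepository repository;

    FunctionSecurityExpressionRoot(Authentication auth, FilterInvocation fi, FunctionPermissionRepository repository) {
        super(auth, fi);
        this.repository = repository;
    }

    /** Invoked by SpEL when a flow carries <secured attributes="isFUUU('key')"/>. */
    public boolean isFUUU(String functionKey) {
        Authentication auth = getAuthentication();
        // anonymous or unauthenticated principals never pass, whatever the table says
        return auth != null && auth.isAuthenticated() && repository.isAllowed(auth.getName(), functionKey);
    }
}

/** Handler whose evaluation context is built on the custom root, so expressions can call isFUUU. */
class FunctionWebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler {
    private final FunctionPermissionRepository repository;

    FunctionWebSecurityExpressionHandler(FunctionPermissionRepository repository) {
        this.repository = repository;
    }

    @Override
    protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, FilterInvocation fi) {
        FunctionSecurityExpressionRoot root = new FunctionSecurityExpressionRoot(authentication, fi, repository);
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setRoleHierarchy(getRoleHierarchy());
        root.setTrustResolver(new AuthenticationTrustResolverImpl());
        return root;
    }
}

/** The bean the answer's listener checks with instanceof; it decides on the attributes the listener produced. */
public class CustomAccessDecisionManager implements AccessDecisionManager {
    private final DefaultWebSecurityExpressionHandler expressionHandler;
    private final WebExpressionVoter expressionVoter = new WebExpressionVoter();

    public CustomAccessDecisionManager(FunctionPermissionRepository repository) {
        this.expressionHandler = new FunctionWebSecurityExpressionHandler(repository);
        this.expressionVoter.setExpressionHandler(expressionHandler);
    }

    /** Gives the listener the parser it uses to turn the <secured attributes="..."/> string into an Expression. */
    public DefaultWebSecurityExpressionHandler getWebSecurityExpressionHandler() {
        return expressionHandler;
    }

    @Override
    public void decide(Authentication authentication, Object flowObject, Collection<ConfigAttribute> attributes) {
        if (authentication == null) {
            throw new InsufficientAuthenticationException("No authentication for " + flowObject);
        }
        // WebExpressionVoter only votes on a FilterInvocation; build one from the HTTP request the flow runs in
        HttpServletRequest request =
                ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
        FilterInvocation fi = new FilterInvocation(request.getServletPath(), request.getMethod());

        int vote = expressionVoter.vote(authentication, fi, attributes);
        if (vote == AccessDecisionVoter.ACCESS_GRANTED) {
            return;
        }
        if (vote == AccessDecisionVoter.ACCESS_DENIED) {
            throw new AccessDeniedException("Expression denied access to " + flowObject);
        }
        // ABSTAIN: the listener produced plain SecurityConfig role names, so match them against the authorities
        for (ConfigAttribute attribute : attributes) {
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                if (attribute.getAttribute() != null && attribute.getAttribute().equals(authority.getAuthority())) {
                    return;
                }
            }
        }
        throw new AccessDeniedException("Access denied to " + flowObject);
    }

    @Override public boolean supports(ConfigAttribute attribute) { return true; }
    @Override public boolean supports(Class<?> clazz) { return true; }
}
```

Wire `CustomAccessDecisionManager` as the `customAccessDecisionManager` bean referenced in the answer's webflow-config.xml, giving it the repository bean in its constructor. The deny-by-default shape matters: an expression that fails to parse blows up at listener time rather than silently granting, an abstaining voter only passes if a literal role name matches, and anything else ends in `AccessDeniedException`, which WebFlow surfaces as an access-denied flow exception.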
0

I found another solution for how to use the Spring Expression Language in WebFlows. It comes from the book "Pro Spring Security". In short, they define a custom AccessDecisionManager, a custom AccessDecisionVoter (implements AccessDecisionVoter<org.springframework.webflow.engine.State>) and a custom SecurityExpressionRoot. So there is no need for your own listener as in your solution. These custom classes support expressions at the flow-state level. You can find the full example on github: link