調用hasPermission（）Spring Security的犯規調用的CustomPermissionEvaluator

Question

請參閱爲什麼我的@PreAuthorize（「調用hasPermission（＃用戶，‘寫’）」）不工作

基本上我'嘗試檢查真正的問題普通用戶

我controllerClass

package com.***.appconfig.controller; 

import com.***.appconfig.dao.UserDaoImplementation; 
import org.springframework.security.access.prepost.PreAuthorize; 
import org.springframework.stereotype.Controller; 
import org.springframework.web.bind.annotation.RequestMapping; 
import org.springframework.web.servlet.ModelAndView; 
import com.***.appconfig.model.User; 
import com.***.appconfig.security.CustomPermissionEvaluator; 

@Controller 
public class CheckPermissionController { 
    public static User user = new User(); 
    UserDaoImplementation userDao = new UserDaoImplementation(); 
    Boolean directPermission = false; 
    CustomPermissionEvaluator customPermissionEvaluator = new CustomPermissionEvaluator(); 

    @RequestMapping("/checkPermission") 
    protected ModelAndView direct() throws Exception { 
     System.out.println("in direct"); 
     user.setUserName("andrew"); 
     userDao.addListValues(user); 
     System.out.println("before assign"); 
     directPermission = userDao.assignUser(user); 
     System.out.print("after assign"); 
     if (directPermission) { 
      return new ModelAndView("checkPermission"); 
     } else { 
      return new ModelAndView("login"); 
     } 
    } 
} 

這裏是我的道

import com.***.appconfig.model.User; 
import org.springframework.security.access.prepost.PreAuthorize; 
import org.springframework.stereotype.Component; 
import java.util.HashMap; 

@Component 
public class UserDaoImplementation implements UserDao { 

    @Override 
    public User addListValues(User user) { 
     HashMap < String, String > permissionList = new HashMap < String, String >(); 
     permissionList.put("server", "write"); 
     user.setPermissionList(permissionList); 
     return null; 
    } 

    @PreAuthorize("hasPermission(#user,'write')") 
    public Boolean assignUser(User user) { 
     System.out.println("in assign"); 
     return true; 
    } 
} 

這是我CustomPermissionEvaluator

package com.***.appconfig.security; 

import org.springframework.security.access.PermissionEvaluator; 
import org.springframework.security.core.Authentication; 
import com.***.appconfig.controller.CheckPermissionController; 
import com.***.appconfig.model.User; 
import com.***.appconfig.dao.UserDaoImplementation; 
import java.io.Serializable; 
import java.util.HashMap; 

public class CustomPermissionEvaluator implements PermissionEvaluator { 

    public static User user; 
    public UserDaoImplementation userDao; 

    @Override 
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { 
     setPermissions(); 
     String targetType = targetDomainObject.getClass().getSimpleName().toUpperCase(); 
     HashMap < String, String > permissionList = user.getPermissionList(); 
     System.out.print("before check"); 
     if (permissionList.containsValue("write")) { 
      System.out.print("success check"); 
      hasPermission = true; 
     } 
     return hasPermission; 
    } 

    @Override 
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) { 
     Boolean hasPermission = false; 
     return hasPermission; 
    } 

    public void setPermissions() { 
     user.setUserName("andrew"); 
     userDao.addListValues(user); 
    } 
} 

我創建序在PermissionEvaluator.The調用hasPermission dynmically填充重複的用戶對象（）overrride是沒有得到調用。

這裏是我的彈簧security.xml文件

<http auto-config="true"> 
    <access-denied-handler error-page="/403page" /> 
    <intercept-url pattern="/user" access="ROLE_USER" /> 
    <intercept-url pattern="/admin" access="ROLE_ADMIN" /> 
    <form-login login-page='/login' username-parameter="username" password-parameter="password" default-target-url="/user" authentication-failure-url="/login?authfailed" /> 
    <logout logout-success-url="/login?logout" /> 
</http> 
<global-method-security pre-post-annotations="enabled" secured-annotations="enabled"> 
    <expression-handler ref="expressionHandler" /> 
</global-method-security> 
<authentication-manager> 
    <authentication-provider> 
     <jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username,password, enabled from users where username=?" authorities-by-username-query="select username, role from user_roles where username =? " /> 
    </authentication-provider> 
</authentication-manager> 
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"> 
    <beans:property name="permissionEvaluator" ref="permissionEvaluator" /> 
</beans:bean> 
<beans:bean name="permissionEvaluator" class="com.coolminds.appconfig.security.CustomPermissionEvaluator" />undefined</beans:beans> 

Answer 1

控制器類應注入所有的依賴關係，以確保春季可以創建相應的代理對象：你爲什麼要使用`新UserDaoImplementation

package com.***.appconfig.controller; 

import com.***.appconfig.dao.UserDaoImplementation; 
import org.springframework.security.access.prepost.PreAuthorize; 
import org.springframework.stereotype.Controller; 
import org.springframework.web.bind.annotation.RequestMapping; 
import org.springframework.web.servlet.ModelAndView; 
import com.***.appconfig.model.User; 

@Inject 
UserDao userDao; 

@Controller 
public class CheckPermissionController { 

    @RequestMapping("/checkPermission") 
    protected ModelAndView direct() throws Exception { 
     User user = new User(); 
     boolean directPermission = false; 

     System.out.println("in direct"); 
     user.setUserName("andrew"); 
     userDao.addListValues(user); 
     System.out.println("before assign"); 
     directPermission = userDao.assignUser(user); 
     System.out.print("after assign"); 
     if (directPermission) { 
      return new ModelAndView("checkPermission"); 
     } else { 
      return new ModelAndView("login"); 
     } 
    } 
}