@Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {      @Autowired     private ApplicationContext context;      @Override     protected MethodSecurityExpressionHandler createExpressionHandler() {         DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();         expressionHandler.setPermissionEvaluator(new UserPermissionEvaluator());         expressionHandler.setApplicationContext(context);         return expressionHandler;     } } 

和UserPermission类

@Component("UsrPermission") public class UserPermissionEvaluator implements PermissionEvaluator {     @Override     public boolean hasPermission(Authentication authentication, Object targetObject, Object permission) {         if (!targetObject.toString().equals("true") && targetObject.toString().equals(permission.toString())) {             return true;         } else if (!targetObject.toString().equals("true")) {             return false;         }         ...         return hasPermission;     }      public boolean isAdmin() {         return CustomSecurityPrincipal.getSecurityPrincipal().isAdmin();     }      @Override     public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,             Object permission) {         return false;     }  } 

“ hasPermission(x,y,z)”的工作方式就像是魅力。 但是,由于它已在MethodSecurityConfig中注册,因此我尝试创建新的自定义方法。 我正在尝试直接调用它

@PreAuthorize("isAdmin()") 

错误:-

org.springframework.expression.spel.SpelEvaluationException: EL1004E: Method call: Method isAdmin() cannot be found on type org.springframework.security.access.expression.method.MethodSecurityExpressionRoot     at org.springframework.expression.spel.ast.MethodReference.findAccessorForMethod(MethodReference.java:225) ~[spring-expression-5.1.6.RELEASE.jar:5.1.6.RELEASE]     at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:134) ~[spring-expression-5.1.6.RELEASE.jar:5.1.6.RELEASE]     at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:94) ~     at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:114) ~[spring-expression-5.1.6.RELEASE.jar:5.1.6.RELEASE]     at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:300) ~[spring-expression-5.1.6.RELEASE.jar:5.1.6.RELEASE]     at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:26) ~[spring-security-core-5.1.5.RELEASE.jar:5.1.5.RELEASE]     at org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice.before(ExpressionBasedPreInvocationAdvice.java:59) ~[spring-security-core-5.1.5.RELEASE.jar:5.1.5.RELEASE]     at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:72) ~[spring-security-core-5.1.5.RELEASE.jar:5.1.5.RELEASE]     at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:40) ~[spring-security-core-5.1.5.RELEASE.jar:5.1.5.RELEASE]     at  

...

===============>>#1 票数:0

为了创建新的自定义表达式,您需要创建MethodSecurityExpressionOperations的自定义实现,并向其添加新的操作。 请注意,您可以扩展SecurityExpressionRoot以支持默认表达式:

public class CustomMethodSecurityExpressionRoot         extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {      private Object filterObject;     private Object returnObject;     private Object target;      CustomMethodSecurityExpressionRoot(Authentication a) {         super(a);     }      @Override     public void setFilterObject(Object filterObject) {         this.filterObject = filterObject;     }      @Override     public Object getFilterObject() {         return filterObject;     }      @Override     public void setReturnObject(Object returnObject) {         this.returnObject = returnObject;     }      @Override     public Object getReturnObject() {         return returnObject;     }      void setThis(Object target) {         this.target = target;     }      @Override     public Object getThis() {         return target;     }      /**      * Custom 'isAdmin()' expression      */     public boolean isAdmin() {         // TODO: Add implement         return true;     } } 

接下来,您需要扩展DefaultMethodSecurityExpressionHandler并使其使用CustomMethodSecurityExpressionRoot

public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {     @Override     protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) {         CustomMethodSecurityExpressionRoot root = new CustomMethodSecurityExpressionRoot(authentication);         root.setPermissionEvaluator(getPermissionEvaluator());         root.setTrustResolver(new AuthenticationTrustResolverImpl());         root.setRoleHierarchy(getRoleHierarchy());         return root;     } } 

最后,您应该在配置中使用CustomMethodSecurityExpressionHandler

@Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {     @Override     protected MethodSecurityExpressionHandler createExpressionHandler() {         return new CustomMethodSecurityExpressionHandler();     } } 

  ask by P Satish Patro translate from so

本文未有回复,本站智能推荐: