0

I have the following code change. If the authentication object is null, does hasPermission return false?

- @PreAuthorize("isAuthenticated()") 
+ @PreAuthorize("hasPermission(#dto.perusteId, 'peruste', 'LUKU')") 
    public void setStarted(DokumenttiDto dto); 
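Review bot: dropping `isAuthenticated()` makes rejection of anonymous callers depend entirely on how the custom PermissionEvaluator treats a null or anonymous Authentication, and the javadoc contract quoted below only says the argument "should not be null", it does not promise a false result. Suggest keeping both conditions, `@PreAuthorize("isAuthenticated() and hasPermission(#dto.perusteId, 'peruste', 'LUKU')")`, so the evaluator is only consulted for authenticated principals. Also note that `#dto.perusteId` is dereferenced by the expression before the evaluator runs, so a null `dto` produces a SpEL evaluation error rather than a clean access-denied result.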

According to the Spring documentation, the authentication object should not be null. Here the developer removed the authentication check and put in a hasPermission check. So if the authentication object is null, will the hasPermission method return false? The authentication object is supplied automatically by the Spring Security framework. Can this be regarded as a refactoring change? Two checks (authentication + permission check) merged into one (permission check)! I don't think the hasPermission method implementation performs any check on the authentication object (https://github.com/Opetushallitus/eperusteet/blob/cd9eff86bdda5dd91072354392dedbe0783c9ddf/eperusteet/eperusteet-service/src/main/java/fi/vm/sade/eperusteet/service/security/PermissionEvaluator.java)

Link to the code change: https://github.com/Opetushallitus/eperusteet/commit/e8459

Method Detail 

hasPermission 
public boolean hasPermission(Authentication authentication, 
        Object domainObject, 
        Object permission) 
Determines whether the user has the given permission(s) on the domain object using the ACL configuration. If the domain object is null, returns false (this can always be overridden using a null check in the expression itself). 
Specified by: 
hasPermission in interface PermissionEvaluator 
Parameters: 
authentication - represents the user in question. Should not be null. 
domainObject - the domain object for which permissions should be checked. May be null in which case implementations should return false, as the null condition can be checked explicitly in the expression. 
permission - a representation of the permission object as supplied by the expression system. Not null. 

Answers

0

What I hope they did is this:

It returns a permission object which is actually an Array/List of all the permissions the user has.

If your user has no roles, an empty list is returned and added to the Authentication object.

e.g.

Authentication object when 

User with roles 
permissions = ['admin', 'user', 'moderator']; 
User with no roles 
permissions = [] 
+0

What happens when the authentication object is null? – Zack

+0

In Spring Security you have a delegating filter which creates an Authentication object and sends it to the AuthenticationManager; the AuthenticationProvider then authenticates the user accessing the resource. If the user does not pass authentication it takes the default action (or the action you declared), otherwise it simply extracts the user from the Spring Security context and allows the user to access the resource –

0

The hasPermission function (if the security expression is evaluated correctly) really only passes the authentication token through to PermissionManager.hasPermission. If you look at the code, most of the convoluted if statements end up calling hasAnyRole, which returns false if the authentication object is null.

But the whole class is so confusing that I can't say it is any better than a random number generator in practice.
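An added example, not code from the eperusteet project or from any of the posters, serving both the question above (does hasPermission return false for a null Authentication?) and the last answer (which relies on hasAnyRole happening to return false): a PermissionEvaluator that makes the null/anonymous case explicit instead of leaving it to an incidental code path, together with the service method from the diff annotated with isAuthenticated() kept alongside hasPermission. Assumed and constructed here: the class name DefensivePermissionEvaluator, the role name ROLE_PERUSTE_READER and its mapping to the ('peruste', 'LUKU') pair from the question, the nested DokumenttiDto/DokumenttiService stand-ins, and the sample users in main.

```java
import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example, not the project's own PermissionEvaluator.
public class DefensivePermissionEvaluator implements PermissionEvaluator {

    // Constructed mapping (assumption): which granted authority a (targetType, permission)
    // pair requires. The real project would look this up against its own model.
    private static String requiredAuthority(String targetType, Object permission) {
        if ("peruste".equals(targetType) && "LUKU".equals(permission)) {
            return "ROLE_PERUSTE_READER";
        }
        return null; // unknown pair: nothing grants it
    }

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        // The id-based overload is the one hasPermission(#dto.perusteId, 'peruste', 'LUKU') reaches;
        // route the object-based form through it so both overloads share the null handling.
        return hasPermission(authentication, (Serializable) targetDomainObject, "peruste", permission);
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        // The case the question asks about, decided explicitly: a missing, unauthenticated
        // or anonymous principal never receives a permission, whatever the role table says.
        if (authentication == null
                || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            return false;
        }
        // Mirrors the javadoc contract quoted in the question: null target means false.
        if (targetId == null) {
            return false;
        }
        String required = requiredAuthority(targetType, permission);
        if (required == null) {
            return false;
        }
        // A user with no roles has an empty authority list, so this is false for them too.
        return AuthorityUtils.authorityListToSet(authentication.getAuthorities()).contains(required);
    }

    // Stand-in for the DTO in the diff (assumption: only perusteId is needed here).
    public static class DokumenttiDto {
        public Long perusteId;
        public Long getPerusteId() { return perusteId; }
    }

    // Service method in the shape of the one in the diff, with both checks kept:
    // isAuthenticated() rejects anonymous callers before the evaluator is consulted at all.
    public interface DokumenttiService {
        @PreAuthorize("isAuthenticated() and hasPermission(#dto.perusteId, 'peruste', 'LUKU')")
        void setStarted(DokumenttiDto dto);
    }

    // Exercises the evaluator directly with the Authentication states that matter.
    public static void main(String[] args) {
        DefensivePermissionEvaluator evaluator = new DefensivePermissionEvaluator();

        Authentication none = null;
        Authentication anonymous = new AnonymousAuthenticationToken(
                "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        Authentication reader = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_PERUSTE_READER"));
        Authentication noRoles = new UsernamePasswordAuthenticationToken(
                "bob", "n/a", AuthorityUtils.NO_AUTHORITIES);

        System.out.println("null authentication -> " + evaluator.hasPermission(none, 42L, "peruste", "LUKU"));
        System.out.println("anonymous           -> " + evaluator.hasPermission(anonymous, 42L, "peruste", "LUKU"));
        System.out.println("reader              -> " + evaluator.hasPermission(reader, 42L, "peruste", "LUKU"));
        System.out.println("no roles            -> " + evaluator.hasPermission(noRoles, 42L, "peruste", "LUKU"));
    }
}
```

The design point is that the evaluator's answer for a null or anonymous Authentication is written down in one place rather than inherited from whichever branch of a long if-chain happens to run last, and that the annotation still states the authentication requirement on its own, so a future change to the evaluator cannot silently open the method to unauthenticated callers.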