I have the following code change. If the authentication object is null, does hasPermission return false?
- @PreAuthorize("isAuthenticated()")
+ @PreAuthorize("hasPermission(#dto.perusteId, 'peruste', 'LUKU')")
public void setStarted(DokumenttiDto dto);
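Review bot: replacing isAuthenticated() with a bare hasPermission(...) call makes the custom PermissionEvaluator the only thing standing between an anonymous caller and setStarted, so the review question is whether that evaluator rejects a null or anonymous Authentication rather than dereferencing it or falling through to a permissive path. The linked javadoc contract only promises a false result for a null domain object, not for a null authentication. If the intent is purely to tighten access, keeping both conditions is the safer form, e.g. `@PreAuthorize("isAuthenticated() and hasPermission(#dto.perusteId, 'peruste', 'LUKU')")`, and the commit message should say whether the authentication check is meant to be dropped or merely moved into the evaluator.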
According to the Spring documentation, the authentication object should not be null. Here the developer removed the authentication check and put in a hasPermission check. So if the authentication object is null, will the hasPermission method return false? The authentication object is supplied automatically by the Spring Security framework. Can this be regarded as a refactoring change? Two checks (authentication + permission check) merged into one (permission check)! I don't think the hasPermission method implementation performs any check on the authentication object (https://github.com/Opetushallitus/eperusteet/blob/cd9eff86bdda5dd91072354392dedbe0783c9ddf/eperusteet/eperusteet-service/src/main/java/fi/vm/sade/eperusteet/service/security/PermissionEvaluator.java)
Link to the code change: https://github.com/Opetushallitus/eperusteet/commit/e8459
Method Detail
hasPermission
public boolean hasPermission(Authentication authentication,
Object domainObject,
Object permission)
Determines whether the user has the given permission(s) on the domain object using the ACL configuration. If the domain object is null, returns false (this can always be overridden using a null check in the expression itself).
Specified by:
hasPermission in interface PermissionEvaluator
Parameters:
authentication - represents the user in question. Should not be null.
domainObject - the domain object for which permissions should be checked. May be null in which case implementations should return false, as the null condition can be checked explicitly in the expression.
permission - a representation of the permission object as supplied by the expression system. Not null.
What happens when the authentication object is null? – Zack
In Spring Security you have a delegating filter that creates an Authentication object and sends it to the AuthenticationManager, and then an AuthenticationProvider authenticates the user accessing the resource. If the user is not authenticated it takes the default action (or the one you declared); otherwise it just pulls the user out of the Spring Security context and allows the user to access the resource –
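The safe way to answer Zack's question is to make the evaluator itself fail closed, so that dropping isAuthenticated() from the annotation cannot widen access. The following is an added example written for this thread; it is not code from the eperusteet project or from anyone posting here. PerusteAccessChecker and its allows methods are hypothetical placeholders for whatever lookup decides a real user's rights; the Spring Security types (PermissionEvaluator, Authentication, AnonymousAuthenticationToken) are the real ones. Note that the three-argument expression hasPermission(#dto.perusteId, 'peruste', 'LUKU') is routed by Spring to the four-argument overload, with the Authentication injected from the security context.

```java
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;

/**
 * Fail-closed PermissionEvaluator: a missing, unauthenticated or anonymous
 * Authentication is denied before any permission lookup runs, so a
 * @PreAuthorize that relies on hasPermission alone still rejects anonymous callers.
 */
public class FailClosedPermissionEvaluator implements PermissionEvaluator {

    // Hypothetical lookup of a named user's rights; not part of Spring or eperusteet.
    interface PerusteAccessChecker {
        boolean allows(String username, Object domainObject, String permission);
        boolean allows(String username, String targetType, Serializable targetId, String permission);
    }

    private final PerusteAccessChecker access;

    public FailClosedPermissionEvaluator(PerusteAccessChecker access) {
        this.access = access;
    }

    /** Three-argument form: hasPermission(#domainObject, 'PERMISSION'). */
    @Override
    public boolean hasPermission(Authentication auth, Object domainObject, Object permission) {
        if (!isRealUser(auth) || domainObject == null || permission == null) {
            return false; // deny, never throw or fall through
        }
        return access.allows(auth.getName(), domainObject, permission.toString());
    }

    /** Four-argument form: hasPermission(#id, 'type', 'PERMISSION'), as used in the commit. */
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (!isRealUser(auth) || targetId == null || targetType == null || permission == null) {
            return false;
        }
        return access.allows(auth.getName(), targetType, targetId, permission.toString());
    }

    /**
     * The check that the Javadoc contract does not make for you: null Authentication,
     * an Authentication whose isAuthenticated() is false, and the anonymous token that
     * Spring's anonymous filter installs for unauthenticated requests are all "no user".
     */
    static boolean isRealUser(Authentication auth) {
        return auth != null
            && auth.isAuthenticated()
            && !(auth instanceof AnonymousAuthenticationToken);
    }

    /** Illustrative service signature; DokumenttiDto is the DTO type from the question. */
    interface DokumenttiService {
        // Belt and braces: keep the explicit authentication check even though the
        // evaluator above already fails closed, so the annotation documents the intent.
        @PreAuthorize("isAuthenticated() and hasPermission(#dto.perusteId, 'peruste', 'LUKU')")
        void setStarted(DokumenttiDto dto);
    }

    /** Minimal stand-in for the question's DTO so the file compiles on its own. */
    static class DokumenttiDto {
        Long perusteId;
        public Long getPerusteId() { return perusteId; }
    }
}
```

To wire the evaluator in, register it on the method-security expression handler (in classic configurations by overriding createExpressionHandler() in a GlobalMethodSecurityConfiguration subclass and calling setPermissionEvaluator on a DefaultMethodSecurityExpressionHandler); once it is registered, isRealUser is what decides the null-authentication case Zack asked about, and the answer becomes a deterministic false rather than whatever the lookup code happens to do with a null.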