Spring security annotations with EL — requires deb

2019-02-02 17:40发布

站内问答 / 前沿技术
514 3 5

I am considering using Spring Security annotations for my application, with the EL (expression language) feature. For example:

@PreAuthorize("hasPermission(#contact, 'admin')")
public void deletePermission(Contact contact, Sid recipient, Permission permission);

I need the EL capability because I have built my own ACL implementation. However, to use this capability with the "#contact" type arguments, the Spring documentation says this:

You can access any of the method arguments by name as expression variables, provided your code has debug information compiled in.

This begs two questions:

  1. It is acceptable to have a production application commercially distributed with debug info in it?
  2. If not, is there any way around this?

Thanks for any guidance on this!

3条回答
姐就是有狂的资本
2楼-- · 2019-02-02 17:59

I can't find the reference now, but you might be interested to know that Java 8 will include parameter names at all times, even when I believe Java 8 will include parameter names at all times, even in debug mode.

查看更多
0人赞 添加讨论(0) 举报
该账号已被封号
3楼-- · 2019-02-02 18:03

As a workaround you can implement a custom ParameterNameDiscoverer with your own strategy. Here is an example which produces simple numbered names (arg0, etc):

public class SimpleParameterNameDiscoverer implements
        ParameterNameDiscoverer {

    public String[] getParameterNames(Method m) {
        return  getParameterNames(m.getParameterTypes().length);        
    }

    public String[] getParameterNames(Constructor c) {
        return getParameterNames(c.getParameterTypes().length);        
    }

    protected String[] getParameterNames(int length) {
        String[] names = new String[length];

        for (int i = 0; i < length; i++)
            names[i] = "arg" + i;

        return names;
    }
}

And configuration:

<global-method-security ...>
    <expression-handler ref = "methodSecurityExpressionHandler" />
</global-method-security>

<beans:bean id = "methodSecurityExpressionHandler" 
    class = "org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name = "parameterNameDiscoverer">
        <beans:bean class = "foo.bar.SimpleParameterNameDiscoverer" />
    </beans:property>
</beans:bean>
查看更多
0人赞 添加讨论(0) 举报
啃猪蹄的小仙女
4楼-- · 2019-02-02 18:10

I guess this wasn´t an option when you approached the problem the first time, but now you can do this

@PreAuthorize("hasPermission(#contact, 'admin')")
public void deletePermission(@P("contact") Contact contact, Sid recipient, Permission permission);

http://docs.spring.io/spring-security/site/docs/current/reference/html/el-access.html#access-control-using-preauthorize-and-postauthorize

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)