SpringBoot @PreAuthorize 使用 String.contains 或正则表达式在 hasAuthority 中

huangapple go评论83阅读模式
英文:

SpringBoot @PreAuthorize with String.contains or regex in hasAuthority

问题

我正在使用Spring Boot(2.7.6),并且正在查看@PreAuthorize注解。

我想知道如何在hasAuthority方法中使用String.Containsregex匹配来检查有效的权限。

例如,我有以下权限:

MYAPI_ORDER_PROCESSING_DEV
MYAPI_ORDER_PROCESSING_PROD
MYAPI_ORDER_TRACKING_DEV
MYAPI_ORDER_TRACKING_PROD

在某些情况下,我可能只需要MYAPI_ORDER_PROCESSING_DEV,在这种情况下,我可以使用:

@PreAuthorize("hasAuthority('MYAPI_ORDER_PROCESSING_DEV')")

在其他情况下,我可以检查任何数量的权限,如:

@PreAuthorize("hasAnyAuthority(
   'MYAPI_ORDER_PROCESSING_DEV',
   'MYAPI_ORDER_PROCESSING_PROD',
   'MYAPI_ORDER_TRACKING_DEV',
   'MYAPI_ORDER_TRACKING_PROD')")

这对我来说都很清楚和有效,但如果我有很长的权限列表,这可能会变得很长和复杂。

我想知道是否有一种方法可以使用String.contains(substring)regex来匹配多个权限。例如,类似于:

@PreAuthorize("hasAuthority(authorityString.contains('MYAPI_ORDER_'))")

这将匹配上述的所有4个权限。

英文:

I am using Spring Boot (2.7.6) and I am looking at @PreAuthorize annotation.

I am wondering how can I use String.Contains or regex matching to check for valid authorities within hasAuthority method.

For example, I have following authorities:

MYAPI_ORDER_PROCESSING_DEV
MYAPI_ORDER_PROCESSING_PROD
MYAPI_ORDER_TRACKING_DEV
MYAPI_ORDER_TRACKING_PROD

In some cases, I might just need MYAPI_ORDER_PROCESSING_DEV in which case, I can use

@PreAuthorize("hasAuthority('MYAPI_ORDER_PROCESSING_DEV')

In other cases, I can check for any of number of authorities like:

@PreAuthorize("hasAnyAuthority(
   'MYAPI_ORDER_PROCESSING_DEV', 
   'MYAPI_ORDER_PROCESSING_PROD', 
   'MYAPI_ORDER_TRACKING_DEV', 
   'MYAPI_ORDER_TRACKING_PROD')

This is all clear and working for me, but this might get to long and complicated if I have a long list of authorities.

I wonder if there is a way to use String.contains(substring) or regex to match multiple authorities. For example, something like:

@PreAuthorize("hasAuthority(authorityString.Contains('MYAPI_ORDER_')

, which would match all 4 authorities above.

答案1

得分: 1

你可以创建一个处理检查权限逻辑的组件

```java
@Component
public class AuthorityHelper {

  public boolean hasAuthorityContaining(Authentication authentication, String substring) {
    return authentication.getAuthorities().stream()
        .map(GrantedAuthority::getAuthority)
        .anyMatch(i -> i.contains(substring));
  }
}

由于@PreAuthorize支持SpEL表达式,可以定义如下:

@PreAuthorize("@authorityHelper.hasAuthorityContaining(authentication, 'MYAPI_ORDER_')")

authentication是与方法调用关联的内置Authentication实例,其中包含权限等其他数据。

参考:Spring文档 - 使用SpEL表达式表示授权


<details>
<summary>英文:</summary>

You can create a component that handles the logic for checking authorities:

```java
@Component
public class AuthorityHelper {

  public boolean hasAuthorityContaining(Authentication authentication, String substring) {
    return authentication.getAuthorities().stream()
        .map(GrantedAuthority::getAuthority)
        .anyMatch(i -&gt; i.contains(substring));
  }
}

Since @PreAuthorize supports SpEL expressions, it can be defined as follows:

@PreAuthorize(&quot;@authorityHelper.hasAuthorityContaining(authentication, &#39;MYAPI_ORDER_&#39;)&quot;)

authentication is a built-in Authentication instance associated with the method invocation and it contains authorities among other data.

Reference: Spring Documentation - Expressing Authorization with SpEL

huangapple
  • 本文由 发表于 2023年6月8日 06:26:43
  • 转载请务必保留本文链接:https://go.coder-hub.com/76427466.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定