Spring Security（十八）：5.9 Post Processing Configured Objects

Posted 2021-01-28 帅S俊

Spring Security’s Java Configuration does not expose every property of every object that it configures. This simplifies the configuration for a majority of users. Afterall, if every property was exposed, users could use standard bean configuration.

Spring Security的Java配置不会公开它配置的每个对象的每个属性。这简化了大多数用户的配置。毕竟，如果每个属性都被暴露，用户可以使用标准bean配置。

 

While there are good reasons to not directly expose every property, users may still need more advanced configuration options. To address this Spring Security introduces the concept of an ObjectPostProcessor which can be used to modify or replace many of the Object instances created by the Java Configuration. For example, if you wanted to configure the filterSecurityPublishAuthorizationSuccess property on FilterSecurityInterceptor you could use the following:

 

虽然有充分的理由不直接公开每个属性，但用户可能仍需要更高级的配置选项。为了解决这个问题，Spring Security引入了ObjectPostProcessor的概念，可用于修改或替换Java Configuration创建的许多Object实例。例如，如果要在FilterSecurityInterceptor上配置filterSecurityPublishAuthorizationSuccess属性，可以使用以下命令：

@Override
protected void configure(HttpSecurity http) throws Exception {
	http
		.authorizeRequests()
			.anyRequest().authenticated()
			.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
				public <O extends FilterSecurityInterceptor> O postProcess(
						O fsi) {
					fsi.setPublishAuthorizationSuccess(true);
					return fsi;
				}
			});
}

5.10 Custom DSLs

You can provide your own custom DSLs in Spring Security. For example, you might have something that looks like this:

您可以在Spring Security中提供自己的自定义DSL。例如，您可能看起来像这样：

 

public class MyCustomDsl extends AbstractHttpConfigurer<CorsConfigurerMyCustomDsl, HttpSecurity> {
	private boolean flag;

	@Override
	public void init(H http) throws Exception {
		// any method that adds another configurer
		// must be done in the init method
		http.csrf().disable();
	}

	@Override
	public void configure(H http) throws Exception {
		ApplicationContext context = http.getSharedObject(ApplicationContext.class);

		// here we lookup from the ApplicationContext. You can also just create a new instance.
		MyFilter myFilter = context.getBean(MyFilter.class);
		myFilter.setFlag(flag);
		http.addFilterBefore(myFilter, UsernamePasswordAuthenticationFilter.class);
	}

	public MyCustomDsl flag(boolean value) {
		this.flag = value;
		return this;
	}

	public static MyCustomDsl customDsl() {
		return new MyCustomDsl();
	}
}

This is actually how methods like HttpSecurity.authorizeRequests() are implemented.

这实际上是如何实现HttpSecurity.authorizeRequests（）之类的方法。

 

The custom DSL can then be used like this:

然后可以像这样使用自定义DSL：

 

@EnableWebSecurity
public class Config extends WebSecurityConfigurerAdapter {
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http
			.apply(customDsl())
				.flag(true)
				.and()
			...;
	}
}

The code is invoked in the following order:

代码按以下顺序调用：

• Code in `Config`s configure method is invoked
• Code in `MyCustomDsl`s init method is invoked
• Code in `MyCustomDsl`s configure method is invoked

If you want, you can have WebSecurityConfiguerAdapter add MyCustomDsl by default by using SpringFactories. For example, you would create a resource on the classpath named META-INF/spring.factories with the following contents:

如果需要，可以使用SpringFactories默认添加WebSecurityConfiguerAdapter添加MyCustomDsl。例如，您将在名为META-INF / spring.factories的类路径上创建一个具有以下内容的资源：

 

META-INF/spring.factories. 

org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = sample.MyCustomDsl

Users wishing to disable the default can do so explicitly.

希望禁用默认值的用户可以明确地这样做。

 

@EnableWebSecurity
public class Config extends WebSecurityConfigurerAdapter {
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http
			.apply(customDsl()).disable()
			...;
	}
}