实现从 url 获取路径变量的选民

Posted 2023-02-27

【中文标题】实现从 url 获取路径变量的选民

【英文标题】：Implement voter that grabs path variable from url

【发布时间】：2021-12-07 18:01:59

【问题描述】：

我正在尝试实现这一点：https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/el-access.html#el-access-web-path-variables 但老师明确告诉我们使用 spring-security 4.0.4（因为与 spring 框架 4.2.5 的传递依赖项冲突）并且我已经广泛搜索了如何创建一个可以获取路径变量的 AccessDecisionVoter 但到目前为止，这是我进入what is the actual type of object parameter in vote method of spring security access decision voter 的唯一事情，我不知道这是否确实是最好的方法，因为这个答案是为 Spring Security 3.1 设计的。

【参考方案1】：

通过编写我自己的 AccessDecisionVoter 解决了这个问题：

public class CourseVoter implements AccessDecisionVoter<FilterInvocation> 

    @Autowired
    private CourseService courseService;

    @Autowired
    private AuthFacade authFacade;

    @Autowired
    private FileService fileService;

    static final Pattern GET_FILE_PATTERN = Pattern.compile("/files/(\\d+)");
    static final Pattern UPLOAD_FILE_PATTERN = Pattern.compile("/course/(\\d+)/files");
    static final Pattern UPLOAD_ANNOUNCEMENT_PATTERN = Pattern.compile("/course/(\\d+)/announcements");
    static final Pattern GET_COURSE_PATTERN = Pattern.compile("/course/(\\d+)");

    @Override
    public boolean supports(ConfigAttribute attribute) 
        return false;
    

    @Override
    public boolean supports(Class<?> clazz) 
        return clazz.isAssignableFrom(FilterInvocation.class);
    

    @Override
    public int vote(Authentication authentication, FilterInvocation fi, Collection<ConfigAttribute> attributes) 
        final String url = fi.getRequestUrl();
        final String method = fi.getHttpRequest().getMethod();
        Matcher getCourseMatcher = GET_COURSE_PATTERN.matcher(url);
        Matcher getFileMatcher = GET_FILE_PATTERN.matcher(url);
        Matcher uploadFileMatcher = UPLOAD_FILE_PATTERN.matcher(url);
        Matcher uploadAnnouncementMatcher = UPLOAD_ANNOUNCEMENT_PATTERN.matcher(url);
        if(getFileMatcher.find()) return voteFileAccess(authentication, getMappingValue(getFileMatcher));
        if(method.equals("POST") && uploadAnnouncementMatcher.find()) return voteCoursePrivileges(authentication, getMappingValue(uploadAnnouncementMatcher));
        if(method.equals("POST") && uploadFileMatcher.find()) return voteCoursePrivileges(authentication, getMappingValue(uploadFileMatcher));
        if(getCourseMatcher.find()) return voteCourseAccess(authentication, getMappingValue(getCourseMatcher));
        return ACCESS_ABSTAIN;
    

    private Long getMappingValue(Matcher m) 
        return Long.valueOf(m.group(1));
    

    private boolean isAdminOrAnonymous(Authentication authentication) 
        if(authentication instanceof AnonymousAuthenticationToken) return true;
        User user = authFacade.getCurrentUser();
        return user.isAdmin();
    

    private int voteFileAccess(Authentication authentication, Long fileId) 
        if(isAdminOrAnonymous(authentication)) return ACCESS_DENIED;
        return fileService.hasAccess(fileId, authFacade.getCurrentUserId()) ? ACCESS_GRANTED : ACCESS_DENIED;
    

    private int voteCourseAccess(Authentication authentication, Long courseId) 
        if(isAdminOrAnonymous(authentication)) return ACCESS_DENIED;
        return courseService.belongs(authFacade.getCurrentUserId(), courseId) ? ACCESS_GRANTED : ACCESS_DENIED;
    

    private int voteCoursePrivileges(Authentication authentication, Long courseId) 
        if(isAdminOrAnonymous(authentication)) return ACCESS_DENIED;
        return courseService.isPrivileged(authFacade.getCurrentUserId(), courseId) ? ACCESS_GRANTED : ACCESS_DENIED;