
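I want to filter object properties based on authentication, or even on roles. So, for example, the full user profile would be returned for authenticated users and a filtered one for unauthenticated users.

How can I achieve this with MappingJacksonHttpMessageConverter? I have already declared a custom bean for Jackson: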

    <bean id="objectMapper" class="com.example.CustomObjectMapper"/>

    <bean id="MappingJacksonHttpMessageConverter" class="org.springframework.http.converter.json.MappingJacksonHttpMessageConverter">
        <property name="objectMapper" ref="objectMapper"/>
    </bean>

    <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
        <property name="order" value="1" />
        <!-- <property name="customArgumentResolver" ref="sessionParamResolver"/> -->
        <property name="webBindingInitializer">
        <bean class="org.springframework.web.bind.support.ConfigurableWebBindingInitializer">
            <!-- <property name="conversionService" ref="conversionService" />  -->
            <!-- <property name="validator" ref="validator" /> -->
        </bean>
        </property>
        <property name="messageConverters">
            <list>
                <bean class="org.springframework.http.converter.ByteArrayHttpMessageConverter" />
                <bean class="org.springframework.http.converter.StringHttpMessageConverter" />
                <bean class="org.springframework.http.converter.ResourceHttpMessageConverter" />
                <bean class="org.springframework.http.converter.FormHttpMessageConverter" />
                <ref bean="MappingJacksonHttpMessageConverter"/>
            </list>
        </property>
    </bean>

Note: in the controller, I write the result as:

    public void writeJson (Object jsonBean, HttpServletResponse response) {
        MediaType jsonMimeType = MediaType.APPLICATION_JSON;
        if (jsonConverter.canWrite(jsonBean.getClass(), jsonMimeType)) {
            try {
                jsonConverter.write(jsonBean, jsonMimeType, new ServletServerHttpResponse(response));
            } catch (IOException m_Ioe) {
            } catch (HttpMessageNotWritableException p_Nwe) {
            } catch (Exception e) {
                e.printStackTrace();
            }
        } else {
            log.info("json Converter cant write class " +jsonBean.getClass() );
        }
    }

2 Answers


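If you want to return two different types of JSON object (e.g. fullProfile, partialProfile), then you are better off creating two different services with two different URLs. You can then control access to those URLs in the normal way using Spring Security's intercept-url tags.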

Answered 2012-05-09T11:59:00.500

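I did most of the work here: https://stackoverflow.com/a/39168090/6761668

All you need to do is write your own security rule, perhaps injecting the current user and deciding, based on their role, what to include or not. I used an annotation on the entity column: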

    import java.lang.annotation.Retention;
    import java.lang.annotation.RetentionPolicy;
    import java.util.Set;

    @Retention(RetentionPolicy.RUNTIME)
    public @interface MyRestricted {
        String[] permittedRoles() default {};
    }

The column looks like this:

    @Column(name = "DISCOUNT_RATE", columnDefinition = "decimal", precision = 7, scale = 2)
    @MyRestricted(permittedRoles = { "accountsAdmin", "accountsSuperUser" })
    private BigDecimal discountRate; 

The rule looks like this:

    // Excerpt from the filter's serializeAsField(...) method.
    // permittedRoles and myRole are not defined in this excerpt.
    final MyRestricted roleRestrictedProperty = pWriter.findAnnotation(MyRestricted.class);
    if (roleRestrictedProperty == null) {
        // public item
        super.serializeAsField(pPojo, pJgen, pProvider, pWriter);
        return;
    }

    // restricted - are we in role?
    if (permittedRoles.contains(myRole)) {
        super.serializeAsField(pPojo, pJgen, pProvider, pWriter);
        return;
    }
    // It's a restricted item for ME
    pWriter.serializeAsOmittedField(pPojo, pJgen, pProvider);
Answered 2016-08-26T14:26:48.370
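
An added example, not part of either answer and not Jackson's or Spring's own code: the annotation and rule from the second answer assembled into a complete Jackson 2.x property filter that omits restricted fields unless the caller holds a permitted role. The `Profile` bean, the filter id `roleFilter`, the `RoleFilterDemo` class and passing the caller's roles in as a `Set<String>` are assumptions for illustration; in a Spring application the roles would come from the current authentication.

```java
import com.fasterxml.jackson.annotation.JsonFilter;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.ser.PropertyWriter;
import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter;
import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider;
import java.lang.annotation.*;
import java.math.BigDecimal;
import java.util.*;

public class RoleFilterDemo {
    @Retention(RetentionPolicy.RUNTIME)
    @interface MyRestricted { String[] permittedRoles() default {}; }
    @JsonFilter("roleFilter")   // hypothetical filter id, resolved at write time
    static class Profile {      // constructed sample bean
        public String name = "alice";
        @MyRestricted(permittedRoles = {"accountsAdmin", "accountsSuperUser"})
        public BigDecimal discountRate = new BigDecimal("12.50");
    }

    static class RoleFilter extends SimpleBeanPropertyFilter {
        private final Set<String> callerRoles;
        RoleFilter(Set<String> callerRoles) { this.callerRoles = callerRoles; }
        @Override
        public void serializeAsField(Object pojo, JsonGenerator jgen,
                SerializerProvider provider, PropertyWriter writer) throws Exception {
            MyRestricted r = writer.findAnnotation(MyRestricted.class);
            // Unannotated properties are public; annotated ones are written only
            // when the caller holds a permitted role (an empty role set sees none).
            if (r == null || !Collections.disjoint(callerRoles, Arrays.asList(r.permittedRoles()))) {
                writer.serializeAsField(pojo, jgen, provider);
            } else if (!jgen.canOmitFields()) {
                writer.serializeAsOmittedField(pojo, jgen, provider);
            }
        }
    }

    // Assumption: the caller's roles are passed in rather than read from a security context.
    static String toJson(Object bean, Set<String> callerRoles) throws Exception {
        SimpleFilterProvider filters = new SimpleFilterProvider()
                .addFilter("roleFilter", new RoleFilter(callerRoles));
        return new ObjectMapper().writer(filters).writeValueAsString(bean);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(toJson(new Profile(), Collections.<String>emptySet()));   // anonymous caller
        System.out.println(toJson(new Profile(), Collections.singleton("accountsAdmin")));
    }
}
```

Because the filter is attached per write through `ObjectMapper.writer(FilterProvider)`, the same bean class serves both callers and the restricted field never reaches the response body for a caller without a permitted role.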