18

我正在尝试授权 Spring Data REST 公开的 api。到目前为止,我能够进行基于角色的授权,即:

@RepositoryRestResource(path = "book")
public interface BookRepository extends JpaRepository<Book, Long> {

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    <S extends Book> Book save(Book book);
}

同样在同一个项目中,我有一个具有 ACL 机制的服务层,它正在工作。

我无法将 PostFilter 表达式与 Spring Data REST 一起使用,即:

@PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, admin)")
List<Book> findAll();

如果有人将 ACL 与 Spring Data REST 一起使用,那将有很大帮助。

注意:我知道以下未解决的问题:

https://jira.spring.io/browse/DATAREST-236

https://jira.spring.io/browse/SEC-2409

4

1 回答 1

45

using JpaRepository was shadowing List<Book> findAll() method. Then I used CrudRepository, and PostFilter got applied.

For more details, a sample project is available on GitHub: https://github.com/charybr/spring-data-rest-acl

ACL-based authorization is working for below entity exposed by Spring Data REST.

import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;

@RepositoryRestResource(path = "book")
public interface BookRepository extends CrudRepository<Book, Long> {

    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#book, 'write')")
    <S extends Book> Book save(@P("book") Book book);

    @Override
    @PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, admin)")
    Iterable<Book> findAll();
}
于 2014-10-25T16:53:06.327 回答