我在我的应用程序中使用 Spring Security。我正在根据角色(管理员、用户)对 API 进行身份验证。有一个 API 端点,我想使用作为参数传递给它的变量的值来限制访问。
我有
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.csrf().disable().exceptionHandling().authenticationEntryPoint(this.unauthorizedHandler).and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers("/api/**").authenticated()
.anyRequest().permitAll();
httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
}
我有一个电话
@PostMapping("/something")
public ResponseEntity<BotResponse> handleRequest(@Valid @RequestBody SomeClass someClass) {
// if someClass.getSomeValue() is not present in the User permissions, then it should give an unauthorized response.
return value(someClass);
}
Spring Security 中的用户是:
public Class User {
String userId;
String userName;
String authorities;
List<String> someList;
//Getters and setters for variables
}
使用的 SomeClass 是:
public Class SomeClass {
String someValue;
String userName;
...
// Getters and Setters
}
如何根据用户的 someList 中是否存在 someClass.getSomeValue 的值来不允许用户?