0

We are using MyBatis 3.0.3 & Spring 3.0.5 in our project.

We are trying to implement data level security through a table which stores where clauses (userid < 200, active == true, ...).

So, the problem comes when we want to add a clause to a select query dinamically in execution time.

We are thinking about the possibility of using Spring AOP but we are not sure if it is possible or not, if it is a good solution and appart from that we don't know how to implement it.

Please share your thoughts.

Thanks in advance,

Silvia.

4

1 回答 1

0

我认为这是可能的。实现服务层,以便您可以通过安全上下文(Spring security)获取用户(userID),或者您也可以在服务层方法中将用户作为参数提供。

一个可能的 Aspect 实现示例:

@Aspect
public class MyAspect {

   @Pointcut("within(my.package.MyClass)")
   public void pointcutClass() {
   }

   @Pointcut("execution(* create*(..))")
   public void pointcutMethod() {
   }

   @Pointcut("pointcutClass() && pointcutMethod()")
   public void myPointcut() {
   }

   @Before("myPointcut()")
   public void checkAuthorization(final JoinPoint joinPoint) {

    // Fetch User via spring security:
     Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
     if (principal == null)
        throw new Exception("No principal found");
     if (!(principal instanceof User)) {
        throw new Exception("principal is not a User");
     }
     User user = (User) principal;

     // Or fetch User via the joinPoint:
     Object[] args = joinPoint.getArgs();
     User user = (User) args[0]

     if (user.getUserId == null || user.getUserId > 200)
        throw new Exception("User is not authorised.");
}
于 2012-02-13T15:04:32.967 回答