【Question title】: Spring WebFlow + Spring Security: use expression instead of role
【Posted】: 2015-07-01 22:35:10
【Question】:

I created a CustomWebSecurityExpressionHandler to check a user against a DB table by looking up a function id. I want to be able to change which roles each function requires by just updating a few DB rows and restarting the context, without recompiling and editing a lot of XML.

I want to use Spring Security expressions in webflow, just like I can in any other part of Spring...

<?xml version="1.0" encoding="UTF-8"?>
<flow xmlns="http://www.springframework.org/schema/webflow"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/webflow
                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">

    <secured attributes="isFUUU('key')" />

    <view-state id="main" view="dashboard/main.html" >
    </view-state>

</flow>

How do I make isFUUU('key') work? Do I need a custom CustomAccessDecisionManager?

【Discussion】:

    Tags: java spring spring-security spring-webflow


    【Solution 1】:

    I found a workaround.

    I had to debug 20 Spring Security and WebFlow classes to discover that in SecurityFlowExecutionListener, even if you configure Spring Security to use expressions, the listener is role-based only. I found that to get expressions parsed a specific type of config attribute is needed, precisely WebExpressionConfigAttribute. But it is not a public class!!! https://jira.spring.io/browse/SEC-1727 . So, as suggested in this OLD Jira, I need to create my CustomSecurityFlowExecutionListener in the same package (org.springframework.security.web.access.expression).

    Here is the example.

    CustomSecurityFlowExecutionListener:

    package org.springframework.security.web.access.expression; // First part of the trick: same package as the package-private WebExpressionConfigAttribute
    
    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.List;
    
    import org.springframework.expression.ExpressionParser;
    import org.springframework.security.access.AccessDecisionManager;
    import org.springframework.security.access.ConfigAttribute;
    import org.springframework.security.access.SecurityConfig;
    import org.springframework.webflow.security.SecurityFlowExecutionListener;
    import org.springframework.webflow.security.SecurityRule;
    
    import foo.bar.example.services.security.CustomAccessDecisionManager;
    
    /**
     * Force the Spring WebFlow security listener to use expressions.
     * 
     * @author roberto.gabrieli
     */
    public class CustomSecurityFlowExecutionListener extends SecurityFlowExecutionListener
    {
    
        /**
         * Convert a SecurityRule into a form understood by Spring Security,
         * forcing the use of WebExpressionConfigAttribute instead of SecurityConfig.
         * 
         * @param rule
         *            the rule to convert
         * @return list of ConfigAttributes for Spring Security
         */
        @Override
        @SuppressWarnings("deprecation")
        protected Collection<ConfigAttribute> getConfigAttributes(SecurityRule rule)
        {
            // Get the access decision manager to find out whether it carries my expression handler
            AccessDecisionManager adm = getAccessDecisionManager();
    
            ExpressionParser ep = null;
            // Only my CustomAccessDecisionManager exposes the handler, so only then can expressions be used
            if ( adm instanceof CustomAccessDecisionManager )
            {
                ep = ((CustomAccessDecisionManager) adm).getWebSecurityExpressionHandler().getExpressionParser();
            }
    
            List<ConfigAttribute> configAttributes = new ArrayList<ConfigAttribute>();
            for ( String attribute : rule.getAttributes() )
            {
                if ( ep != null )
                {
                    // Second part of the trick: parse the attribute as a SpEL expression (this will end the trick with fireworks!)
                    configAttributes.add(new WebExpressionConfigAttribute(ep.parseExpression(attribute)));
                }
                else
                {
                    // No expression handler available: fall back to plain role attributes
                    configAttributes.add(new SecurityConfig(attribute));
                }
            }
            return configAttributes;
        }
    }
    

    WebFlow-config.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:util="http://www.springframework.org/schema/util" xmlns:webflow="http://www.springframework.org/schema/webflow-config"
        xmlns:mvc="http://www.springframework.org/schema/mvc"
        xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.1.xsd
            http://www.springframework.org/schema/webflow-config http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.4.xsd
            http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
            http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
    ... 
    
        <bean id="securityFlowExecutionListener"
            class="org.springframework.security.web.access.expression.CustomSecurityFlowExecutionListener">
            <property name="accessDecisionManager" ref="customAccessDecisionManager"/>
        </bean>
    
    ...
    </beans>
    

    【Discussion】:

      【Solution 2】:

      I found another solution for using the Spring Expression Language in WebFlows. It comes from the book "Pro Spring Security". In short, they define a custom AccessDecisionManager, a custom AccessDecisionVoter (implements AccessDecisionVoter<org.springframework.webflow.engine.State>) and a custom SecurityExpressionRoot. So there is no need for your own listener as in your solution. These custom classes support expressions at flow state level. You can find the complete example on GitHub: link

      【Discussion】:
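The two answers describe the same mechanism from two sides: Solution 1 keeps Spring Security's own WebExpressionConfigAttribute and pays for it with the same-package trick, Solution 2 avoids the trick with its own voter and expression root but shows no code here. The following is an added example, not code from the question, either answer or the "Pro Spring Security" book, that combines both ideas: a public config attribute class of our own, a voter that evaluates it against a SecurityExpressionRoot subclass, and a listener override that parses `<secured attributes="...">` as SpEL. The `FunctionRepository` interface, the `hasFunction('key')` method standing in for the question's `isFUUU('key')`, the package name and the sample users are all assumptions made for the example; the Spring Security and WebFlow types are the real ones from the 3.2/4.0 and 2.4 era the page uses.

```java
package foo.bar.example.services.security; // assumed package; no same-package trick required

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.webflow.security.SecurityFlowExecutionListener;
import org.springframework.webflow.security.SecurityRule;

/** Expression-based <secured> evaluation for WebFlow without touching Spring Security's package-private classes. */
public class FlowExpressionSecurity {

    /** Hypothetical lookup against the function table the question describes (e.g. backed by JdbcTemplate). */
    public interface FunctionRepository {
        boolean userHasFunction(String username, String functionKey);
    }

    /** Root object for the SpEL expressions; hasRole(), isAuthenticated() etc. are inherited. */
    public static class FlowExpressionRoot extends SecurityExpressionRoot {
        private final FunctionRepository functions;

        public FlowExpressionRoot(Authentication authentication, FunctionRepository functions) {
            super(authentication);
            this.functions = functions;
        }

        /** Usable from the flow XML as hasFunction('key'); the assumed stand-in for the question's isFUUU('key'). */
        public boolean hasFunction(String key) {
            return isAuthenticated() && functions.userHasFunction(getAuthentication().getName(), key);
        }
    }

    /** Public replacement for the package-private WebExpressionConfigAttribute. */
    public static class FlowExpressionConfigAttribute implements ConfigAttribute {
        private final Expression expression;
        public FlowExpressionConfigAttribute(Expression expression) { this.expression = expression; }
        public Expression getExpression() { return expression; }
        public String getAttribute() { return null; } // no plain role string to report, like the Spring Security original
        public String toString() { return expression.getExpressionString(); }
    }

    /** Voter that evaluates our attributes; the secured object is a flow, state or transition definition, so accept any class. */
    public static class FlowExpressionVoter implements AccessDecisionVoter<Object> {
        private final FunctionRepository functions;
        public FlowExpressionVoter(FunctionRepository functions) { this.functions = functions; }

        public boolean supports(ConfigAttribute attribute) { return attribute instanceof FlowExpressionConfigAttribute; }
        public boolean supports(Class<?> clazz) { return true; }

        public int vote(Authentication authentication, Object secured, Collection<ConfigAttribute> attributes) {
            int result = ACCESS_ABSTAIN;
            for (ConfigAttribute attribute : attributes) {
                if (!supports(attribute)) continue;
                if (authentication == null) return ACCESS_DENIED; // no principal at all: deny rather than let the root throw
                Expression expr = ((FlowExpressionConfigAttribute) attribute).getExpression();
                StandardEvaluationContext ctx = new StandardEvaluationContext(new FlowExpressionRoot(authentication, functions));
                if (!ExpressionUtils.evaluateAsBoolean(expr, ctx)) return ACCESS_DENIED; // every expression must hold
                result = ACCESS_GRANTED;
            }
            return result;
        }
    }

    /** Listener override: parse each <secured attributes="..."> entry as SpEL instead of wrapping it in SecurityConfig. */
    public static class ExpressionSecurityFlowExecutionListener extends SecurityFlowExecutionListener {
        private final ExpressionParser parser = new SpelExpressionParser();

        @Override
        protected Collection<ConfigAttribute> getConfigAttributes(SecurityRule rule) {
            List<ConfigAttribute> out = new ArrayList<ConfigAttribute>();
            for (String attribute : rule.getAttributes()) {
                out.add(new FlowExpressionConfigAttribute(parser.parseExpression(attribute)));
            }
            return out;
        }
    }

    /** Wires the listener with an AffirmativeBased manager holding only the expression voter (replaces the XML bean). */
    public static ExpressionSecurityFlowExecutionListener listener(FunctionRepository functions) {
        List<AccessDecisionVoter<?>> voters = new ArrayList<AccessDecisionVoter<?>>();
        voters.add(new FlowExpressionVoter(functions));
        ExpressionSecurityFlowExecutionListener listener = new ExpressionSecurityFlowExecutionListener();
        listener.setAccessDecisionManager(new AffirmativeBased(voters));
        return listener;
    }

    /** Offline check of the voter with constructed data: alice has been granted 'key', bob has not. */
    public static void main(String[] args) {
        final Set<String> grants = new HashSet<String>(Arrays.asList("alice:key")); // constructed sample "function table"
        FunctionRepository repo = new FunctionRepository() {
            public boolean userHasFunction(String user, String key) { return grants.contains(user + ":" + key); }
        };
        FlowExpressionVoter voter = new FlowExpressionVoter(repo);
        Collection<ConfigAttribute> attrs = new ArrayList<ConfigAttribute>();
        attrs.add(new FlowExpressionConfigAttribute(new SpelExpressionParser().parseExpression("hasFunction('key')")));
        Authentication alice = new TestingAuthenticationToken("alice", "pw", "ROLE_USER");
        Authentication bob = new TestingAuthenticationToken("bob", "pw", "ROLE_USER");
        System.out.println("alice granted: " + (voter.vote(alice, null, attrs) == AccessDecisionVoter.ACCESS_GRANTED));
        System.out.println("bob granted:   " + (voter.vote(bob, null, attrs) == AccessDecisionVoter.ACCESS_GRANTED));
    }
}
```

Two practical notes. First, the listener passes the voter the flow, state or transition definition being entered, not a FilterInvocation, which is what Spring Security's stock WebExpressionVoter expects; that is why a dedicated voter is needed rather than reusing the web one, and why a null Authentication (no security context at all) is explicitly denied before the expression root is built. Second, WebFlow splits the `attributes` string of `<secured>` on commas before the listener ever sees it, so each expression must stay comma-free (`hasFunction('key')` is fine, `hasAnyRole('A','B')` would be cut in two); with the voter above, several comma-separated expressions are all required to hold.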
