如何预授权对 Http.InboundGateway 的访问？

Question

我知道可以将 @PreAuthorize 注释添加到 Rest Controller...

@RestController
public class WebController {
    @PreAuthorize("hasAuthority('Foo')")
    @GetMapping("/restricted")
    public ResponseEntity<String> restricted() {
        return ResponseEntity.ok("Restricted section");
    }
}

如何预授权对 Spring Integration Http.inbound 网关的访问？我知道我可以在集成流中添加一个组件，并在转换器或服务激活器方法上添加注释，但我宁愿没有单独的对象。

@Bean
//@PreAuthorize("hasAuthority('Foo')") ?
public HttpRequestHandlingMessagingGateway restrictedGateway() {
    return Http.inboundGateway("/restricted")
            ...
            .get();
}

@Bean
public IntegrationFlow myFlow(HttpRequestHandlingMessagingGateway restrictedGateway) {
    return IntegrationFlows
            .from(restrictedGateway)
            .transform(source -> "Restricted section")
            .get();
}

Answer 1

• 我认为你是对的，看看https://docs.spring.io/spring-integration/reference/html/security.htm，它允许将频道声明为@Secured

• 即使我们在没有集成的情况下考虑普通 Spring Boot 应用程序上的 Spring Security，它也处于过滤器级别，因此我认为 HttpRequestHandlingMessagingGateway 作为 http 请求的侦听器似乎是有道理的

你可以试试

    @Bean
    @SecuredChannel(interceptor = "channelSecurityInterceptor", sendAccess = "ROLE_XXX")
    public SubscribableChannel secureChannel() {
        return new DirectChannel();
    }

    @Bean
    public IntegrationFlow myFlow(HttpRequestHandlingMessagingGateway 
                                  restrictedGateway) {
    return IntegrationFlows
            .from(restrictedGateway)
            .channel(secureChannel())
            .transform(source -> "Restricted section")
            .get();
}