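How do I make the custom method in <security:authorize access="has('formDialog:edit')"> configured on a JSP page take effect, and also have it take effect where back-end methods enforce permissions?
Time: 2023-06-18 13:05:53 Views: 40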
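To make the custom method in `<security:authorize access="has('formDialog:edit')">` on a JSP page take effect, you need to define a custom expression handler in the Spring Security configuration file. You can do this by implementing the `org.springframework.security.access.expression.method.MethodSecurityExpressionHandler` interface and referencing that handler in the configuration file.
For example, define a custom expression handler named `customMethodSecurityExpressionHandler`: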
```
<bean id="customMethodSecurityExpressionHandler" class="com.example.CustomMethodSecurityExpressionHandler">
    <property name="permissionService" ref="permissionService" />
</bean>
```
Then reference the handler in the Spring Security configuration file:
```
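<security:global-method-security pre-post-annotations="enabled"
    secured-annotations="enabled"
    jsr250-annotations="enabled"
    access-decision-manager-ref="accessDecisionManager"
    authentication-manager-ref="authenticationManager">
    <!-- The expression handler is set with this child element, not an attribute.
         A custom accessDecisionManager must include a PreInvocationAuthorizationAdviceVoter
         for @PreAuthorize expressions to be evaluated. -->
    <security:expression-handler ref="customMethodSecurityExpressionHandler" />
</security:global-method-security>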
```
Next, have the custom expression handler `CustomMethodSecurityExpressionHandler` create the expression root that carries the custom method, for example:
```
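import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.core.Authentication;

public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    private PermissionService permissionService;

    public CustomMethodSecurityExpressionHandler() {
        super();
    }

    // Build the SpEL root object that method-security expressions are evaluated against.
    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) {
        CustomMethodSecurityExpressionRoot root = new CustomMethodSecurityExpressionRoot(authentication);
        root.setPermissionService(permissionService);
        root.setThis(invocation.getThis());
        // Copy the collaborators the default handler sets, so built-in expressions such as hasRole() keep working.
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(getTrustResolver());
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }

    public void setPermissionService(PermissionService permissionService) {
        this.permissionService = permissionService;
    }
}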
```
Implement the custom expression method in the `CustomMethodSecurityExpressionRoot` class, for example:
```
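import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.core.Authentication;
// MethodSecurityExpressionOperations is an interface; SecurityExpressionRoot is the base class to extend.
public class CustomMethodSecurityExpressionRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {
    private PermissionService permissionService;
    private Object filterObject, returnObject, target;
    public CustomMethodSecurityExpressionRoot(Authentication authentication) {
        super(authentication);
    }
    // Custom expression method, used as hasPermission('formDialog:edit').
    public boolean hasPermission(String permission) {
        return permissionService.hasPermission(permission);
    }
    public void setPermissionService(PermissionService permissionService) {
        this.permissionService = permissionService;
    }
    public void setThis(Object target) { this.target = target; }
    @Override public Object getThis() { return target; }
    @Override public void setFilterObject(Object filterObject) { this.filterObject = filterObject; }
    @Override public Object getFilterObject() { return filterObject; }
    @Override public void setReturnObject(Object returnObject) { this.returnObject = returnObject; }
    @Override public Object getReturnObject() { return returnObject; }
}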
```
Now the custom expression method can be used in the JSP page, for example:
```
<security:authorize access="hasPermission('formDialog:edit')">...</security:authorize>
```
The same expression can also be used on back-end methods, for example:
```
@PreAuthorize("hasPermission('formDialog:edit')")
public void editFormDialog() {
    // ...
}
```
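The JSP `<security:authorize>` tag evaluates its `access` expression through the web `SecurityExpressionHandler<FilterInvocation>` bean, not the method-security handler, so the same `hasPermission(String)` also has to exist on the web expression root. The following is an added example, not part of the original answer: `CustomWebSecurityExpressionHandler`, `CustomWebSecurityExpressionRoot` and the bean id are assumed names, and `PermissionService` is the page's own class.

```java
import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;

// Wiring (XML namespace; bean id is an assumed name, other <http> settings unchanged):
//   <bean id="customWebSecurityExpressionHandler" class="com.example.CustomWebSecurityExpressionHandler">
//     <property name="permissionService" ref="permissionService" />
//   </bean>
//   <security:http>
//     <security:expression-handler ref="customWebSecurityExpressionHandler" />
//   </security:http>
public class CustomWebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler {
    private PermissionService permissionService; // the page's own service

    @Override
    protected SecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, FilterInvocation invocation) {
        CustomWebSecurityExpressionRoot root =
                new CustomWebSecurityExpressionRoot(authentication, invocation, permissionService);
        // Carry over the collaborators the default handler sets, so built-in
        // expressions (hasRole, isAuthenticated, ...) keep working next to the custom one.
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(new AuthenticationTrustResolverImpl());
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }

    public void setPermissionService(PermissionService permissionService) {
        this.permissionService = permissionService;
    }
}

// Web expression root exposing the same method name as the method-security root.
class CustomWebSecurityExpressionRoot extends WebSecurityExpressionRoot {
    private final PermissionService permissionService;

    CustomWebSecurityExpressionRoot(Authentication a, FilterInvocation fi, PermissionService ps) {
        super(a, fi);
        this.permissionService = ps;
    }

    // Fail closed: deny when the permission service was not injected.
    public boolean hasPermission(String permission) {
        return permissionService != null && permissionService.hasPermission(permission);
    }
}
```

Hiding markup with the tag only changes what is rendered; the `@PreAuthorize` check on the back-end method remains the actual enforcement point.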