Unable to get the expected result when migrating AffirmativeBased to AuthorizationManager


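Recently I have been working on migrating my own voter (AccessDecisionVoter) to AuthorizationManager in my project. I followed the migration documentation (5.8.3) to implement the AuthorizationManager, but never succeeded.

My configuration in spring-security-configure.xml looks like this: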

<security:filter-security-metadata-source id="metadataSource" use-expressions="true">
<security:intercept-url pattern="/xxxxx/xxxxx" method="DELETE" access="denyAll" />
...
...
</security:filter-security-metadata-source>

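My authorizationManager sample code looks like this:

import java.util.Collection;
import java.util.function.Supplier;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;

public class DenyAllAuthorizationManager implements AuthorizationManager<Object>
{
    private final static String DENY_ALL = "denyAll";
    private SecurityMetadataSource securityMetadataSource;

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, Object object)
    {
        //final var requestWrapper = (SecurityContextHolderAwareRequestWrapper) object;
        //final var request = (HttpServletRequest)requestWrapper.getRequest();
        // Look up the access attributes configured for the secured object
        final var attributes = getSecurityMetadataSource().getAttributes(object);

        if (isDeny(attributes))
        {
            return new AuthorizationDecision(false);
        }

        return new AuthorizationDecision(true);
    }

    // True if any configured attribute is the "denyAll" expression
    private boolean isDeny(final Collection<ConfigAttribute> attributes)
    {
        return attributes != null && attributes.stream().anyMatch(attribute -> DENY_ALL.equals(attribute.toString()));
    }

    public SecurityMetadataSource getSecurityMetadataSource()
    {
        return securityMetadataSource;
    }

    public void setSecurityMetadataSource(final SecurityMetadataSource securityMetadataSource)
    {
        this.securityMetadataSource = securityMetadataSource;
    }
}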

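According to the documentation, this T (AuthorizationManager<T>) can be Object, MethodInvocation or RequestAuthorizationContext, but from my debugging it is only of type SecurityContextHolderAwareRequestWrapper, which causes getSecurityMetadataSource().getAttributes(object) to throw an exception.

Thank you very much for your help.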

spring spring-security
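
One way to keep consulting the existing filter-security-metadata-source from an AuthorizationManager, as an added example that is not part of the original question. It assumes Spring Security 5.8 on javax.servlet, that the manager is invoked with the HttpServletRequest (the wrapper type observed above), and that the exception arises because the metadata source expects a FilterInvocation; the class name is hypothetical.

```java
import java.util.Collection;
import java.util.function.Supplier;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

// Hypothetical class name; added example, not code from the question.
public class MetadataSourceDenyAllAuthorizationManager implements AuthorizationManager<HttpServletRequest>
{
    private static final String DENY_ALL = "denyAll";

    // Assumed to be the bean declared as id="metadataSource" in the XML above
    private final FilterInvocationSecurityMetadataSource metadataSource;

    public MetadataSourceDenyAllAuthorizationManager(final FilterInvocationSecurityMetadataSource metadataSource)
    {
        this.metadataSource = metadataSource;
    }

    @Override
    public AuthorizationDecision check(final Supplier<Authentication> authentication, final HttpServletRequest request)
    {
        // Describe the request as a FilterInvocation (context path, path within the
        // application, HTTP method) instead of passing the request wrapper itself.
        final String pathInfo = request.getPathInfo();
        final String path = request.getServletPath() + (pathInfo != null ? pathInfo : "");
        final FilterInvocation invocation = new FilterInvocation(request.getContextPath(), path, request.getMethod());

        final Collection<ConfigAttribute> attributes = metadataSource.getAttributes(invocation);
        if (attributes == null)
        {
            // No intercept-url pattern matched: return null, which the
            // AuthorizationManager contract defines as "no decision".
            return null;
        }

        // Deny when any matched attribute is the "denyAll" expression
        final boolean denied = attributes.stream().anyMatch(a -> DENY_ALL.equals(a.toString()));
        return new AuthorizationDecision(!denied);
    }
}
```

Like the code in the question, this grants every matched request whose attribute is not denyAll, so other access expressions in the metadata source are not evaluated by it.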