Not much to say here, so straight to the code.
- First, create the custom expression class; our test method is called mustAA

```java
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
// Assumed: the principal is Spring Security's own UserDetails implementation
import org.springframework.security.core.userdetails.User;

public class CustomizeMethodSecurityExpression extends SecurityExpressionRoot
        implements MethodSecurityExpressionOperations {

    private Object filterObject;
    private Object returnObject;
    private Object target;

    /**
     * Creates a new instance
     *
     * @param authentication the {@link Authentication} to use. Cannot be null.
     */
    public CustomizeMethodSecurityExpression(Authentication authentication) {
        super(authentication);
    }

    /**
     * Custom authorization method, referenced from SpEL as {@code @PreAuthorize("mustAA()")}.
     *
     * @return true only when the logged-in user's name is "AA"
     */
    public boolean mustAA() {
        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        // An anonymous session carries a String principal rather than a User;
        // deny it instead of failing with a ClassCastException.
        if (!(principal instanceof User)) {
            return false;
        }
        User user = (User) principal;
        return "AA".equals(user.getUsername());
    }

    @Override
    public void setFilterObject(Object filterObject) {
        this.filterObject = filterObject;
    }

    @Override
    public Object getFilterObject() {
        return this.filterObject;
    }

    @Override
    public void setReturnObject(Object returnObject) {
        this.returnObject = returnObject;
    }

    @Override
    public Object getReturnObject() {
        return this.returnObject;
    }

    public void setThis(Object target) {
        this.target = target;
    }

    @Override
    public Object getThis() {
        return target;
    }
}
```
- Next, create the expression handler

```java
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.core.Authentication;

public class CustomizeMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {

    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication,
            MethodInvocation invocation) {
        CustomizeMethodSecurityExpression root = new CustomizeMethodSecurityExpression(authentication);
        root.setThis(invocation.getThis());
        // Carry over the defaults so hasRole(), hasPermission() etc. keep working next to mustAA()
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(getTrustResolver());
        root.setRoleHierarchy(getRoleHierarchy());
        root.setDefaultRolePrefix(getDefaultRolePrefix());
        return root;
    }
}
```
- Finally, wire the handler in through a configuration class. Note that @EnableGlobalMethodSecurity(prePostEnabled = true) must be placed on this configuration class, otherwise you get an error.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfigure extends GlobalMethodSecurityConfiguration {

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new CustomizeMethodSecurityExpressionHandler();
    }
}
```
Finally, let's test the custom authorization method.

```java
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/test")
public class TestController {

    @GetMapping("/testMustAA")
    @PreAuthorize("mustAA()")
    public String testMustAA() {
        return "yes! i'm AA";
    }
}
```
Our custom authorization method checks whether the logged-in username is AA; if it is, the request goes through normally, otherwise access is denied.
First, log in as AA.
Then call the test method.
Next, log in as BB.
Then call the test method again.
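The two logins above (AA allowed, BB denied) written as a JUnit 5 test, plus a third case the post does not walk through: a call with no authentication at all. This is an added example, not code from the original post; it assumes a Spring Boot application containing the classes above, spring-security-test on the test classpath, and that the User cast in mustAA() is Spring Security's org.springframework.security.core.userdetails.User, which is what @WithMockUser puts in the SecurityContext.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.test.context.support.WithMockUser;

// Assumed: a Spring Boot app that registers MethodSecurityConfigure and TestController
@SpringBootTest
class MustAAExpressionTest {

    // Calling the proxied bean directly exercises @PreAuthorize without an HTTP layer
    @Autowired
    private TestController controller;

    @Test
    @WithMockUser(username = "AA")
    void userAAIsAllowed() {
        // mustAA() evaluates to true, so the method body runs
        assertEquals("yes! i'm AA", controller.testMustAA());
    }

    @Test
    @WithMockUser(username = "BB")
    void userBBIsDenied() {
        // mustAA() evaluates to false; the interceptor turns that into AccessDeniedException
        assertThrows(AccessDeniedException.class, controller::testMustAA);
    }

    @Test
    void unauthenticatedCallIsRejectedBeforeExpressionRuns() {
        // No @WithMockUser: the SecurityContext is empty, so the method security
        // interceptor rejects the call before mustAA() is ever evaluated
        assertThrows(AuthenticationCredentialsNotFoundException.class, controller::testMustAA);
    }
}
```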
The test passes and the code works. Job done.