Java security level_java – #oauth2 security expressions at the method level

How can I use #oauth2 security expressions at the method level, as in the example below? What should I do?

    @RequestMapping(value = "email", method = RequestMethod.GET)
    @ResponseBody
    @PreAuthorize("#oauth2.hasScope('read')")
    public String email() {
        return "test@email.com";
    }

If I make a request to that resource, I receive:

    [INFO] java.lang.IllegalArgumentException: Failed to evaluate expression '#oauth2.hasScope('read')'
    [INFO] at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:14)
    [INFO] at org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice.before(ExpressionBasedPreInvocationAdvice.java:44)
    [INFO] at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:57)
    [INFO] at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:25)
    [INFO] at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62)
    [INFO] at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:232)
    [INFO] at org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor.invoke(AspectJMethodSecurityInterceptor.java:43)
    [INFO] at org.springframework.security.access.intercept.aspectj.aspect.AnnotationSecurityAspect.ajc$around$org_springframework_security_access_intercept_aspectj_aspect_AnnotationSecurityAspect$1$c4d57a2b(AnnotationSecurityAspect.aj:63)
    [INFO] at pl.insert.controllers.ResourceController.email(ResourceController.java:22)

The same applies if I specify the access rule in ResourceServerConfiguration instead of on the @Controller methods:

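    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

    @Configuration
    @EnableResourceServer
    public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers("/oauth/resources/**");
            http.authorizeRequests().anyRequest().access("#oauth2.hasScope('read')");
        }
    }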

Standard security expressions (such as @PreAuthorize("permitAll") or @PreAuthorize("denyAll")) work as expected. So I probably have to tell my AspectJMethodSecurityInterceptor to use OAuth2WebSecurityExpressionHandler. Any ideas?
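
One way to give method security an expression handler that knows the #oauth2 variable, shown as an added example that is not part of the original question. It assumes Java configuration with spring-security-oauth2 on the classpath, uses a hypothetical class name (MethodSecurityConfiguration), and uses OAuth2MethodSecurityExpressionHandler, the method-security counterpart of the web handler named in the question.

```java
import org.springframework.context.annotation.AdviceMode;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

// Hypothetical class name; not taken from the question's project.
// mode = ASPECTJ matches the AspectJMethodSecurityInterceptor seen in the stack
// trace; omit it when the application uses the default proxy-based advice.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, mode = AdviceMode.ASPECTJ)
public class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {

    // Method security builds its own expression handler, separate from the
    // web-layer handler that @EnableResourceServer installs for access(...) rules.
    // The default handler has no "oauth2" variable, so "#oauth2.hasScope('read')"
    // fails to evaluate. The OAuth2 variant registers that variable, which lets
    // @PreAuthorize enforce token scopes on individual methods.
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}
```

With this in place, the scope check on email() and the access(...) rule in ResourceServerConfiguration are evaluated by separate handlers, so a scope requirement declared in only one of the two places is enforced only at that layer.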
