![the]( "the")
本文介绍了是否有可能破解spring-security-core插件@Secured注释以便能够引用给控制器的请求参数?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在使用 Grails 2.3.3 和 spring-security-core:2.0-RC4 插件。 p>
我试图通过保护控制器操作来保护它,具体取决于来自接受参数的服务的方法调用的结果。这个参数应该是请求参数里面的东西。
我希望能够做到以下几点:
@Secured(@ mySecurityService.myCustomCheck(params.id))
def myAction(){
//做一些事情
}
我设法做到以下几点:
@Secured(@ mySecurityService.myCustomCheck())
但是现在我不知道如何访问发送给控制器的请求参数。
在架构上甚至可以引用 params 变量在 @Secured 符号里面?
PS:我知道你会请求我使用 spring-security-acl 插件。我的问题是,它也增加了一些其他的东西,我不认为我需要。
解决方案 使用闭包作为注解的检查;在文档中有一个简短的文字和示例:
你会表达你的意见例如:
@Secured(closure = {
ctx.mySecurityService.myCustomCheck(
request。 getParameter('id'))
})
返回 true 允许访问。
请注意, ApplicationContext 可用作 ctx 变量,请求为请求;这是使用SpEL时可用的其他变量和方法的补充(请参阅Spring Security文档以获取详细信息)。 params 不可用,但您可以使用 request.getParameter
访问值
I am using Grails 2.3.3 and spring-security-core:2.0-RC4 plugin.
I am trying to protect a controller action by securing it depending on the result of a method call from a service that takes a parameter. This parameter should be something inside the request parameters.
I'd like to be able to do the following:
@Secured("@mySecurityService.myCustomCheck(params.id)")
def myAction(){
//do some things
}
I managed to be able to do the following:
@Secured("@mySecurityService.myCustomCheck()")
but now I have no idea how to access the request parameters that are sent to the controller.
Is it even architecturally possible to reference params variables inside the @Secured notation?
PS: I know you'll ask me to use spring-security-acl plugin. My problem is that it also adds a bunch of other things that I don't think I require.
解决方案
In 2.0 you can use a closure as the annotation's check; there's a brief writeup and example in the docs: https://grails-plugins.github.io/grails-spring-security-core/v2/guide/newInV2.html
You'd express your example as this:
@Secured(closure={
ctx.mySecurityService.myCustomCheck(
request.getParameter('id'))
})
Return true to allow access.
Note that the ApplicationContext is available as the ctx variable, and the request as request; this is in addition to the other variables and methods that are available when using SpEL (see the Spring Security docs for details). params isn't available, but you can access values using request.getParameter
这篇关于是否有可能破解spring-security-core插件@Secured注释以便能够引用给控制器的请求参数?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!