Spring安全性-决定是否需要登录或允许匿名访问的复杂逻辑

Question

使用securiity，我面临着一个复杂的商业决策需求，即是允许匿名访问还是坚持用户登录。逻辑太复杂，不适合“截获-url”表达式(截获-url模式=‘/mypattern/**’)

E.g. assume a RESTFul books service:
https://myserver/rest/book?title=war_and_peace
https://myserver/rest/book?title=the_firm

Say "war and peace" allows anonymous access because its old and its copyrights have expired.
While "the firm" is copyrighted & requires login (so as to charge the user).
This copyright info is available in a database.

有谁能对如何在春天的安全中实现这一点提供任何提示吗？提前感谢

Answer 1

当然，代码看起来有多种方式，但是要想得到这样的想法：

Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth instanceof AnonymousAuthenticationToken && "the_firm".equals(title)) {
    throw new AccessDeniedException("Requires login!");
}

更新：更多的声明性方法是使用注释：

@PostAuthorize("hasPermission(returnObject, 'READ')")
public Book findBook(String title) {
    // ...
}

这要求您创建一个权限评估器 bean并添加配置：

<global-method-security pre-post-annotations="enabled">
  <expression-handler ref="expressionHandler" />
</global-method-security>

@Bean
public DefaultMethodSecurityExpressionHandler expressionHandler() {
    DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
    handler.setPermissionEvaluator(permissionEvaluator);
    return handler;
}