SpringSecurity: the @PreAuthorize and @PostAuthorize permission annotations

Published June 20, 2023 (author: )

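How does Spring implement security checks on HTTP requests and authorization of resource use? The work is done by the class AbstractSecurityInterceptor in its beforeInvocation method. In beforeInvocation it first reads the configuration of the beans in the IoC container. These attribute configurations declare the security requirements for HTTP request resources, for example which user roles may access which URL request resources. For the implementation logic, see:

```java
// Interface with the Web environment
public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter { ... }
```

Implementation logic of the @PreAuthorize and @PostAuthorize annotations

Root of the inheritance hierarchy: SecurityMetadataSource

It can be declared through a Spring annotation, with the classes it depends on injected, which allows flexible permission configuration, for example:

```java
@Component("securityMetadataSource")
public class MySecurityMetadataSource implements FilterInvocationSecurityMetadataSource { ... }
```

Class hierarchy of PrePostAnnotationSecurityMetadataSource

Class hierarchy of AbstractMethodSecurityMetadataSource

```java
package org.springframework.security.access.prepost;

import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.method.AbstractMethodSecurityMetadataSource;
import org.springframework.util.ClassUtils;

public class PrePostAnnotationSecurityMetadataSource extends AbstractMethodSecurityMetadataSource {
    private final PrePostInvocationAttributeFactory attributeFactory;

    public PrePostAnnotationSecurityMetadataSource(PrePostInvocationAttributeFactory attributeFactory) {
        this.attributeFactory = attributeFactory;
    }

    public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass) {
        // Methods declared on Object are never secured.
        if (method.getDeclaringClass() == Object.class) {
            return Collections.emptyList();
        } else {
            this.logger.trace("Looking for Pre/Post annotations for method '" + method.getName() + "' on target class '" + targetClass + "'");
            // Each of the four annotation types is looked up independently.
            PreFilter preFilter = (PreFilter)this.findAnnotation(method, targetClass, PreFilter.class);
            PreAuthorize preAuthorize = (PreAuthorize)this.findAnnotation(method, targetClass, PreAuthorize.class);
            PostFilter postFilter = (PostFilter)this.findAnnotation(method, targetClass, PostFilter.class);
            PostAuthorize postAuthorize = (PostAuthorize)this.findAnnotation(method, targetClass, PostAuthorize.class);
            if (preFilter == null && preAuthorize == null && postFilter == null && postAuthorize == null) {
                this.logger.trace("No expression annotations found");
                return Collections.emptyList();
            } else {
                String preFilterAttribute = preFilter == null ? null : preFilter.value();
                String filterObject = preFilter == null ? null : preFilter.filterTarget();
                String preAuthorizeAttribute = preAuthorize == null ? null : preAuthorize.value();
                String postFilterAttribute = postFilter == null ? null : postFilter.value();
                String postAuthorizeAttribute = postAuthorize == null ? null : postAuthorize.value();
                ArrayList<ConfigAttribute> attrs = new ArrayList<ConfigAttribute>(2);
                // One attribute for the checks before the call, one for the checks after it.
                PreInvocationAttribute pre = this.attributeFactory.createPreInvocationAttribute(preFilterAttribute, filterObject, preAuthorizeAttribute);
                if (pre != null) {
                    attrs.add(pre);
                }

                PostInvocationAttribute post = this.attributeFactory.createPostInvocationAttribute(postFilterAttribute, postAuthorizeAttribute);
                if (post != null) {
                    attrs.add(post);
                }

                attrs.trimToSize();
                return attrs;
            }
        }
    }

    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    private <A extends Annotation> A findAnnotation(Method method, Class<?> targetClass, Class<A> annotationClass) {
        // 1. The most specific method on the target class.
        Method specificMethod = ClassUtils.getMostSpecificMethod(method, targetClass);
        A annotation = AnnotationUtils.findAnnotation(specificMethod, annotationClass);
        if (annotation != null) {
            this.logger.debug(annotation + " found on specific method: " + specificMethod);
            return annotation;
        } else {
            // 2. The original method (for example the interface method).
            if (specificMethod != method) {
                annotation = AnnotationUtils.findAnnotation(method, annotationClass);
                if (annotation != null) {
                    this.logger.debug(annotation + " found on: " + method);
                    return annotation;
                }
            }

            // 3. The class that declares the specific method.
            annotation = AnnotationUtils.findAnnotation(specificMethod.getDeclaringClass(), annotationClass);
            if (annotation != null) {
                this.logger.debug(annotation + " found on: " + specificMethod.getDeclaringClass().getName());
                return annotation;
            } else {
                return null;
            }
        }
    }
}
```

```java
// Enable permission checks through annotations
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true) // prePostEnabled defaults to false
```

SecurityContextHolder acts as a global cache; the authorization information is read from the context:

```java
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
```

The authority list above is initialized by the concrete implementation class:

```java
public class User implements UserDetails, CredentialsContainer {
    ...
    private final Set<GrantedAuthority> authorities;
    ...
    // authorities: the permission list
    public User(String username, String password, Collection<? extends GrantedAuthority> authorities) {
        this(username, password, true, true, true, true, authorities);
    }
    ...
}
```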
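To see which expression actually governs a method under the lookup order in findAnnotation (specific method, then the original method, then the declaring class), the following added example, which is not code from the original page or from the Spring project, asks PrePostAnnotationSecurityMetadataSource for the attributes of three sample methods. DocumentService, DocumentServiceImpl and the expressions are hypothetical, and spring-security-core 5.x with its Spring dependencies is assumed on the classpath.

```java
import java.lang.reflect.Method;
import java.util.Collection;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource;

public class PrePostLookupDemo {

    // Constructed sample types; all names and expressions here are hypothetical.
    interface DocumentService {
        @PreAuthorize("hasRole('USER')")
        @PostAuthorize("returnObject == authentication.name")
        String owner(long id);

        void delete(long id);

        void reindex(long id);
    }

    @PreAuthorize("hasRole('ADMIN')") // class-level rule, reached only in step 3
    static class DocumentServiceImpl implements DocumentService {
        public String owner(long id) { return "alice"; } // rules come from the interface method

        @PreAuthorize("hasAuthority('doc:delete')")      // method-level rule is found first
        public void delete(long id) { }

        public void reindex(long id) { }                 // no method-level rule: class-level applies
    }

    public static void main(String[] args) throws Exception {
        PrePostAnnotationSecurityMetadataSource source = new PrePostAnnotationSecurityMetadataSource(
                new ExpressionBasedAnnotationAttributeFactory(new DefaultMethodSecurityExpressionHandler()));

        for (String name : new String[] {"owner", "delete", "reindex"}) {
            // Pass the interface method, as an interface-based proxy would see it.
            Method method = DocumentService.class.getMethod(name, long.class);
            Collection<ConfigAttribute> attrs = source.getAttributes(method, DocumentServiceImpl.class);
            // Each entry is the pre- or post-invocation attribute built from the
            // annotation that the lookup order selected for this method.
            System.out.println(name + " -> " + attrs);
        }
    }
}
```

Because each annotation type is resolved on its own, the class-level hasRole('ADMIN') rule does not apply to owner or delete, which carry a @PreAuthorize of their own; it only reaches reindex.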

Published by: admin. Please credit the source when reposting: http://www.yc00.com/web/1687249683a19.html
