spring 权限评估器，只发送 id

Question

自定义权限评估器

    @Component
    public class EventWritePermissionEvaluator implements PermissionEvaluator{

        @Override
        public boolean hasPermission(Authentication authentication,
                Object targetDomainObject, Object permission) {
            return true;
        }

        @Override
        public boolean hasPermission(Authentication authentication,
                Serializable targetId, String targetType, Object permission) {
            return true;
        }

    }



    @PreAuthorize("hasPermission(#event,'write')")
    @RequestMapping(value="/events/{id}/start")
    @ResponseBody
    public Map<String, Object> eventStart(@RequestBody Event event, @PathVariable("id") int id, HttpServletRequest request, HttpServletResponse response) throws MessagingException
    {
        event.setId(id);
        return eventService.eventStart(event, request, response);
    }

在上面的示例中，我将事件对象发送给权限评估器，在它之前放置一个“#”。为什么 ”＃”？我如何只发送 id 而不是对象？

Answer 1

对你来说，它看起来像：

@PreAuthorize("hasPermission(#id, 'com.company.product.Event', 'read')")
@RequestMapping(value="/events/{id}")
@ResponseBody
public Event getEvent(@PathVariable("id") int id)
{
    // get Event from dao
}

注意hasPermission 的额外参数，它应该是您的域模型类的名称（如果您自己实现 PermissionEvaluator，则可以自定义）。