Question
I want to pass property values assigned in an XML file to a Spring expression (SpEL) in Java. Can you point out how to achieve that? To make it clear, I've provided the following example.
example.xml file:
<beans>
    <bean id="user" class="x.y.User">
        <property name="name" value="A"/>
        <property name="userId" value="33"/>
    </bean>
    <bean id="customer" class="x.y.Customer">
        <property name="name" value="B"/>
        <property name="customerId" value="33"/>
    </bean>
</beans>
Bear in mind that I have 'User' and 'Customer' model classes.
I want to secure a method called 'edit' by using Pre-Authorize annotation and Spring expressions in the following way.
@PreAuthorize("(#user.userId == #customer.customerId)")
public Boolean edit(User user, Customer customer) {
    return true;
}
The question is, how can I pass the values of userId and customerId from the "example.xml" file to the above expression to compare the two values, and then secure the 'edit' method?
Note: I don't want to use a permission evaluator. Please tell me if it is possible to do it without a permission evaluator. Your support and cooperation will be strongly appreciated!
Answer 1:
You can refer to bean references in SpEL expressions using @.
I have changed your example around a little to make it more apparent which part of the SpEL expression is referring to beans and which part is referring to the method arguments. Given the following configuration:
<beans>
    <bean id="userBean" class="x.y.User">
        <property name="name" value="A"/>
        <property name="userId" value="33"/>
    </bean>
    <bean id="customerBean" class="x.y.Customer">
        <property name="name" value="B"/>
        <property name="customerId" value="33"/>
    </bean>
</beans>
This method will only be allowed if the User argument has the userId of 33 (this is the value of the userBean's userId property).
@PreAuthorize("#user.userId == @userBean.userId")
public Boolean edit(User user, Customer customer) {
    return true;
}
Similarly, you can refer to the Customer with id of customerBean (as defined in my example XML) with the following:
@PreAuthorize("#customer.customerId == @customerBean.customerId")
public Boolean edit(User user, Customer customer) {
    return true;
}
If you want it to do the same thing with your current XML configuration you can use the following. The point here is that the value after @ should match the name of the bean.
@PreAuthorize("#user.userId == @user.userId")
public Boolean edit(User user, Customer customer) {
    return true;
}
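An added example, not part of the original answers or Spring's own code: it evaluates the expressions discussed above with the SpEL API directly, showing that #name reads a method argument while @name is looked up by bean id, and that an id missing from the context fails evaluation. The User and Customer classes, the check helper and the map-backed bean resolver are constructed stand-ins (assumptions); it needs spring-expression on the classpath and Java 9 or later.

```java
import java.util.Map;
import org.springframework.expression.AccessException;
import org.springframework.expression.BeanResolver;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelBeanRefDemo {
    // Constructed stand-ins for x.y.User and x.y.Customer.
    public static class User {
        private final int userId;
        public User(int userId) { this.userId = userId; }
        public int getUserId() { return userId; }
    }
    public static class Customer {
        private final int customerId;
        public Customer(int customerId) { this.customerId = customerId; }
        public int getCustomerId() { return customerId; }
    }

    // Hypothetical helper: '#name' resolves to an entry of args (a method
    // argument), '@name' asks the BeanResolver for the bean with that id.
    static boolean check(String expr, Map<String, Object> beans, Map<String, Object> args) {
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        BeanResolver resolver = (context, name) -> {
            Object bean = beans.get(name);
            if (bean == null) throw new AccessException("No bean named '" + name + "'");
            return bean;
        };
        ctx.setBeanResolver(resolver);
        args.forEach(ctx::setVariable);
        Boolean result = new SpelExpressionParser().parseExpression(expr).getValue(ctx, Boolean.class);
        return Boolean.TRUE.equals(result);
    }

    public static void main(String[] argv) {
        // Bean ids as in the question's XML: "user" and "customer", both with id 33.
        Map<String, Object> beans = Map.of("user", new User(33), "customer", new Customer(33));
        // Caller-supplied argument with the same id as the bean, then a different id.
        System.out.println(check("#user.userId == @user.userId", beans, Map.of("user", new User(33))));
        System.out.println(check("#user.userId == @user.userId", beans, Map.of("user", new User(7))));
        // Bean-to-bean comparison: the method arguments play no part in the decision.
        System.out.println(check("@user.userId == @customer.customerId", beans, Map.of()));
        try {
            // Ids that do not exist in this context: evaluation fails instead of returning false.
            check("@userBean.userId == @customerBean.customerId", beans, Map.of());
        } catch (EvaluationException e) {
            System.out.println("evaluation failed: " + e.getMessage());
        }
    }
}
```

An expression that compares only beans gives the same result for every caller, so it does not restrict access based on who or what is passed to the method.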
Answer 2:
@Rob, it doesn't work. The 'edit' method is allowed if userBean's userId and customerBean's customerId are equal. Based on your suggestion it should be written in the following way:
@PreAuthorize("@userBean.userId == @customerBean.customerId")
public Boolean edit(User user, Customer customer) {
    return true;
}
But it returns the following error:
java.lang.IllegalArgumentException: Failed to evaluate expression '(@userBean.userId == @customerBean.customerId)'
Any suggestion please?
UPDATE. Change @userBean.userId to @user.userId and @customerBean.customerId to @customer.customerId
Answer 3:
Why do you declare User and Customer as Spring beans?
Source: https://stackoverflow.com/questions/19625465/spel-for-spring-security-passing-values-from-xml-to-java-based-spel-configurati