Java教程

Spring Security注解@PreAuthorize与AOP切面执行顺序

本文主要是介绍Spring Security注解@PreAuthorize与AOP切面执行顺序,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!

引入Spring Security后,在Controller的方法中会出现Spring Security的方法注解与AOP同时存在的问题,这是就会设计顺序问题

@Controller
public class HelloController{
	@RequestMapping(value = "/hello")
	@BeforeController
	@PreAuthorize("validate(#user)")
	public void hello(@RequestParam("user) String user) {
		// 业务代码 
	}
}

上述Controller中@BeforeController是一个业务AOP,@PreAuthorize是来授权校验user。按照业务逻辑,执行顺序应该是如下:

Created with Raphaël 2.3.0 request @PreAuthorize @BeforeController 业务代码

但实际是@BeforeController@PreAuthorize之前。
其实@PreAuthorize也是依赖于AOP实现,当多个AOP在一个方法上时就会有顺序问题。在Aop中指定顺序的方法有:

@Documented
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface BeforeController {

}
  • 1、@Order注解
    @Aspect
    @Component
    @Order(0)
    public class BeforeControllerAction {
        @Before("@annotation(org.numb.web.aop.BeforeController)")
        public void before(final JoinPoint joinPoint) {
            // before切面业务代码
        }
    }
    
    @Order注解里面的值是一个整数,数值越大优先级越低,默认是Integer.MIN_VALUE,即最低优先级。
  • 2、实现org.springframework.core.Ordered接口
    @Aspect
    @Component
    public class BeforeControllerAction implements Ordered {
        @Before("@annotation(org.numb.web.aop.BeforeController)")
        public void before(final JoinPoint joinPoint) {
            // before切面业务代码
        }
    
    
        @Override
        public int getOrder() {
            return 0;
        }
    }
    
  • 3、通过配置文件配置顺序
    <aop:config expose-proxy="true">
        <aop:pointcut id="beforeController" expression="@annotation(org.numb.web.aop.BeforeController)"/>
        <aop:aspect ref="beforeControllerAction" id="beforeControllerAction">
            <aop:before method="before" pointcut-ref="beforeController"/>
        </aop:aspect>
    </aop:config>
    

而Spring Security的执行顺序本质上也是由AOP决定,可以通过指定order的方式确定:

@EnableGlobalMethodSecurity(order = 0)

查看源码可见

public @interface EnableGlobalMethodSecurity {
...
	/**
	 * Indicate the ordering of the execution of the security advisor when multiple
	 * advices are applied at a specific joinpoint. The default is
	 * {@link Ordered#LOWEST_PRECEDENCE}.
	 * @return the order the security advisor should be applied
	 */
	int order() default Ordered.LOWEST_PRECEDENCE;

}

这篇关于Spring Security注解@PreAuthorize与AOP切面执行顺序的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!