Spring Security – @PreFilter and @PostFilter – Spring Security – @PreFilter 和 @PostFilter

最后修改: 2016年 12月 16日

中文/混合/英文(键盘快捷键:t)

1. Overview

1.概述

In this article, we’ll learn how to use the @PreFilter and @PostFilter annotations to secure operations in a Spring application.

在这篇文章中,我们将学习如何使用@PreFilter@PostFilter注解来保障Spring应用程序中的操作。

When used together with the authenticated principal information, @PreFilter and @PostFilter allows us to define fine-grained security rules using Spring Expression Language.

当与经过验证的委托人信息一起使用时,@PreFilter@PostFilter允许我们使用Spring表达式语言定义细粒度的安全规则。

2. Introducing @PreFilter and @PostFilter

2、介绍@PreFilter@PostFilter

Simply put, the @PreFilter and @PostFilter annotations are used to filter lists of objects based on custom security rules we define.

简单地说,@PreFilter@PostFilter注解被用于根据我们定义的自定义安全规则过滤对象列表

@PostFilter defines a rule for filtering the return list of a method, by applying that rule to every element in the list. If the evaluated value is true, the item will be kept in the list. Otherwise, the item will be removed.

@PostFilter定义了一条过滤方法返回列表的规则,将该规则应用于列表中的每个元素。如果评估值为真,该项目将被保留在列表中。否则,该项目将被删除。

@PreFilter works in a very similar fashion, however, the filtering is applied to a list that is being passed as an input parameter to the annotated method.

@PreFilter以非常类似的方式工作,然而,过滤被应用于作为输入参数传递给注释方法的列表。

Both annotations can be used on methods or types (classes and interfaces). We’ll use them only on methods throughout this article.

这两种注解都可以用在方法或类型(类和接口)上。在本文中,我们将只在方法上使用它们。

Theses annotations are not active by default – we’ll need to enable them with the @EnableGlobalMethodSecurity annotation and prePostEnabled = true – in our security configuration:

这些注解在默认情况下是不活跃的–我们需要在安全配置中用@EnableGlobalMethodSecurity注解和prePostEnabled = true来启用它们。

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig {
    // ...
}

3. Writing Security Rules

3.编写安全规则

To write the security rules in these two annotations – we’ll make use of Spring-EL expressions; we can also use the built-in object filterObject to get a reference to the particular list element being tested.

为了在这两个注解中编写安全规则–我们将利用Spring-EL表达式;我们也可以使用内置对象filterObject来获取对被测试的特定列表元素的引用。

Spring Security provides many other built-in objects to create very specific and exact rules.

Spring Security提供了许多其他内置对象,以创建非常具体和精确的规则。

For example, we can use @PreFilter to check if the assignee property of a Task object is equal to the name of the currently authenticated user:

例如,我们可以使用@PreFilter 来检查Task对象的assignee属性是否与当前认证用户的name相等。

@PostFilter("filterObject.assignee == authentication.name")
List<Task> findAll() {
    ...
}

We’ve used the @PostFilter annotation here since we want the method to execute and get all tasks first, and they pass every single task from the list through our filter rule.

我们在这里使用了@PostFilter注解,因为我们希望该方法首先执行并获得所有的任务,并且他们通过我们的过滤规则传递列表中的每一个任务。

So, if the authenticated user is michael, the final list of tasks returned by the findAll method would only contain the tasks that are assigned to michael, even if the database has tasks assigned to jim and pam.

因此,如果认证的用户是michael,由findAll方法返回的最终任务列表将只包含分配给michael的任务,即使数据库中有分配给jimpam的任务。

Now let’s make the rule a little bit more interesting. Assume that if a user is a manager they can see all tasks, regardless of whom they are assigned to:

现在让我们把这个规则变得更有趣一点。假设如果一个用户是经理,他们可以看到所有的任务,不管它们被分配给谁。

@PostFilter("hasRole('MANAGER') or filterObject.assignee == authentication.name")
List<Task> findAll() {
    // ...
}

We’ve used the built-in method hasRole to check if the authenticated user has the role of MANAGER. If hasRole returns true, the task will be kept in the final list. So, if the user is a manager, the rule will return true for every item in the list. Thus the final list will contain all items.

我们使用内置方法hasRole来检查认证的用户是否有MANAGER的角色。如果hasRole返回true,该任务将被保留在最终列表中。因此,如果用户是经理,该规则将对列表中的每个项目返回真。因此,最终列表将包含所有项目。

Now let’s filter a list passed as a parameter to a save method using @PreFilter:

现在让我们使用@PreFilter过滤作为参数传递给save方法的一个列表。

@PreFilter("hasRole('MANAGER') or filterObject.assignee == authentication.name")
Iterable<Task> save(Iterable<Task> entities) {
    // ...
}

The security rule is the same as the one we’ve used on the @PostFilter example. The main difference here is that the list items will be filtered before the method executes, thus allowing us to remove some items from the list, preventing them from being saved in the database.

这个安全规则与我们在@PostFilter例子中使用的规则相同。这里的主要区别是,在方法执行之前,列表项将被过滤,从而允许我们从列表中删除一些项目,防止它们被保存在数据库中。

So jim, who is not a manager, may try to save a list of tasks, some of which are assigned to pam. However only those tasks assigned to jim will be included, the other ones will be ignored.

因此,不是经理的jim可能试图保存一个任务列表,其中一些任务被分配给pam。然而,只有那些分配给jim的任务将被包括在内,其他的将被忽略。

4. Performance on Large Lists

4.大列表的性能

@PreFilter is really cool and easy to use, but it can be inefficient when dealing with very large lists since the fetching operation will retrieve all the data and apply the filter afterward.

@PreFilter确实很酷,也很容易使用,但在处理非常大的列表时,它的效率可能很低,因为获取操作将检索所有数据,并在之后应用过滤器。

Imagine, for example, that we have thousands of tasks in our database and we want to retrieve the five tasks that are currently assigned to pam. If we use @PreFilter, the database operation will fetch all the tasks first, and iterate through all of them to filter out the ones that are not assigned to pam.

例如,想象一下,我们的数据库中有成千上万的任务,我们想检索当前分配给pam的五个任务。如果我们使用@PreFilter数据库操作将首先获取所有的任务,然后遍历所有的任务,过滤掉没有分配给pam的任务。

5. Conclusion

5.结论

This quick article explained how to create a simple, but secure, application using Spring Security’s @PreFilter and @PostFilter annotations.

这篇快速文章介绍了如何使用Spring Security的@PreFilter@PostFilter注解创建一个简单但安全的应用程序。

Check the complete code example in this Github repository.

查看完整的代码示例在这个Github资源库