Spring Security: authorization using the value of a variable in a class

I am using Spring Security in my application. I authenticate APIs based on roles (ADMIN, USER). There is one API endpoint where I want to restrict access using the value of a variable that is passed to it as a parameter.

My configuration:
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf().disable()
            .exceptionHandling().authenticationEntryPoint(this.unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers("/api/**").authenticated()
                .anyRequest().permitAll();
        // token filter runs before the username/password filter
        httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
    }
I have a call:

    @PostMapping("/something")
    public ResponseEntity<BotResponse> handleRequest(@Valid @RequestBody SomeClass someClass) {
        // if someClass.getSomeValue() is not present in the User permissions, then it should give an unauthorized response.
        return value(someClass);
    }
The Spring Security user:

    public class User {
        String userId;
        String userName;
        String authorities;
        List<String> someList;
        // Getters and setters for the fields
    }
And the SomeClass that is used is:

    public class SomeClass {
        String someValue;
        String userName;
        ...
        // Getters and setters
    }

If the value of someClass.getSomeValue exists in the user's someList, how do I deny the user?
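One way to implement the check described in the question, as an added example that is not part of the original post. It follows the comment in the handler (deny when someValue is not in the authenticated user's someList) using Spring Security method security, and shows both the declarative @PreAuthorize form and a manual check in the handler body. Assumptions not stated in the question: the token filter stores the question's User object as the Authentication principal; the project is Spring Boot 2.x / Spring Security 5.x (javax.validation, @EnableGlobalMethodSecurity); the code is compiled with -parameters or debug info so SpEL can resolve #someClass by name. The bean name someValueGuard, the class SomeValueGuard and the second endpoint /something-manual are hypothetical names chosen for the example; the return type is simplified to String because BotResponse and value(...) are not shown in the question.

```java
// Added example, not the question's own code. Enforces: the authenticated user's someList
// must contain someClass.someValue, otherwise access is denied.
import java.util.List;
import javax.validation.Valid;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Minimal copies of the question's User and SomeClass so this file compiles on its own.
class User {
    private List<String> someList;
    public List<String> getSomeList() { return someList; }
    public void setSomeList(List<String> someList) { this.someList = someList; }
}

class SomeClass {
    private String someValue;
    private String userName;
    public String getSomeValue() { return someValue; }
    public void setSomeValue(String v) { this.someValue = v; }
    public String getUserName() { return userName; }
    public void setUserName(String u) { this.userName = u; }
}

// Turns on evaluation of @PreAuthorize (Spring Security 5.x style, matching the question's config).
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

// The check itself, as a named bean so SpEL can call it: @someValueGuard.allows(...).
// Assumption: the token filter sets the question's User as the Authentication principal.
@Component("someValueGuard")
class SomeValueGuard {
    public boolean allows(Object principal, String someValue) {
        if (someValue == null || !(principal instanceof User)) {
            return false; // anonymous, unexpected principal type, or no value: deny
        }
        List<String> allowed = ((User) principal).getSomeList();
        return allowed != null && allowed.contains(someValue);
    }
}

@RestController
class SomethingController {
    private final SomeValueGuard guard;

    SomethingController(SomeValueGuard guard) {
        this.guard = guard;
    }

    // Declarative form: Spring evaluates the expression before the method body runs.
    // 'principal' is Authentication.getPrincipal(); '#someClass' is the method argument.
    // A false result raises AccessDeniedException, which becomes 403 for an authenticated
    // user and is routed to the authentication entry point (401) for an anonymous one.
    @PostMapping("/something")
    @PreAuthorize("@someValueGuard.allows(principal, #someClass.someValue)")
    public ResponseEntity<String> handleRequest(@Valid @RequestBody SomeClass someClass) {
        return ResponseEntity.ok("handled " + someClass.getSomeValue());
    }

    // Imperative form: the same check done by hand inside the handler.
    // Identity comes from the SecurityContext, never from someClass.getUserName(),
    // which is client-controlled and could name any user.
    @PostMapping("/something-manual")
    public ResponseEntity<String> handleRequestManually(@Valid @RequestBody SomeClass someClass) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Object principal = auth == null ? null : auth.getPrincipal();
        if (!guard.allows(principal, someClass.getSomeValue())) {
            throw new AccessDeniedException("someValue not permitted for this user");
        }
        return ResponseEntity.ok("handled " + someClass.getSomeValue());
    }
}
```

Two things worth checking against the configuration in the question. First, /something is not under /api/**, so anyRequest().permitAll() lets unauthenticated requests reach the handler; the guard above denies them because the principal is not a User, but if the endpoint is meant to require a token it should live under /api/ or get its own antMatcher. Second, a logged-in user whose someList lacks the value is a 403 Forbidden (AccessDeniedException) rather than the 401 produced by unauthorizedHandler, which is only invoked for missing or invalid credentials.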