There is an Spring security-related problem (dynamic authorization)

as a general practice, permissions have been assigned to the corresponding method in the controller layer, for example:

  • PreAuthorize
  • Secured
  • RolesAllowed

however, this way to change the code when adjusting permissions, the most annoying, while writing code, but also thinking about what appropriate permissions should be given.

in this way, it is expected that after the encoder completes the interface, after the program starts, the corresponding role of the URL/ or controller layer method is queried from DB, and then the permissions related to Spring Security are directly called to scan (such as the initial processing of the above notes), and then the permissions are loaded. You can verify the user role later.

then the question arises: how to find initialization methods for PreAuthorize , Secured , RolesAllowed annotations, and do these methods provide public interfaces for programs to call?

I would appreciate it if someone could give me some advice.

Feb.27,2021

here the security framework is used in springboot.

the specific process is as follows:

class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomAuthenticationProvider authProvider
   

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // 
        auth.authenticationProvider(authProvider)
    }
}

@Component
class CustomAuthenticationProvider implements AuthenticationProvider {

  
    @Override
    Authentication authenticate(Authentication authentication) throws AuthenticationException {
       
       // ...
       
       //  token  SimpleGrantedAuthority
       List list = new ArrayList();
       list.put(new SimpleGrantedAuthority("Expert"))
       return new UsernamePasswordAuthenticationToken(session, token,list )
   

    }
}

//  Expert  SimpleGrantedAuthority  role
@PostMapping("/add")
@PreAuthorize("hasAuthority('Expert')")
Response<?> release(@RequestBody Request req) {
   //....
}

temporarily traverses the interface ID, that matches the in-memory RequestMapper path > custom annotations through AntPathMatcher, and then finds the corresponding roles in DB to intersect with the user's roles to achieve the function.
if the amount of data is large, you may have to go to the AOP/ControllerAdvise intercept Controller layer, and then read custom annotations to query roles and compare with users.

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e4443d-4304f.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e4443d-4304f.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?