我想使用权限或范围或类似的范围,以便允许细粒度访问REST资源。
理想情况下,我想做类似的事情:
@PreAuthorize("hasPermission('Brands', 'brands:write')")
ResponseEntity<Brand> getBrand(@PathVariable("brandCode") String brandCode);
其中"品牌"是带有范围品牌的KeyCloak客户授权资源:写作,品牌:阅读'。
似乎有效的唯一注释是@Secting扮演角色,我不想做RBAC。
@Secured({"ROLE_STAFF"})
我已经看过policyenforcer,我不清楚应该如何使用它。
我可以编写表格的代码:
KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
if (authzContext.hasScopePermission("brands:write")) {
// This works....
}
如何将授权限制从策略填充到标准弹簧安全注释?
@Component
public class CustomPermissionEvaluator implements PermissionEvaluator {
@Autowired
private HttpServletRequest request;
@Override
public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
if ((auth == null) || (targetDomainObject == null) || !(permission instanceof String)){
return false;
}
KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
if(targetDomainObject instanceof String) {
return authzContext.hasPermission((String)targetDomainObject, (String)permission);
} else if(targetDomainObject == null) {
return authzContext.hasScopePermission((String)permission);
} else {
return false;
}
}