Authorization Events

The content on this site (springdoc.cn) comes from spring.io, and the original copyright belongs to spring.io. It was translated and organized by springdoc.cn. It may be used for personal study and research; without permission, no reproduction, commercial use or related activity is allowed. Trademark notice: Spring is a trademark of Pivotal Software, Inc. in the United States and other countries.

For each authorization that is denied, an AuthorizationDeniedEvent is fired. Also, it is possible to fire an AuthorizationGrantedEvent for authorizations that are granted.

To listen for these events, you must first publish an AuthorizationEventPublisher.

Spring Security's SpringAuthorizationEventPublisher will probably do fine. It publishes authorization events using Spring's ApplicationEventPublisher.

Java

@Bean
public AuthorizationEventPublisher authorizationEventPublisher
        (ApplicationEventPublisher applicationEventPublisher) {
    return new SpringAuthorizationEventPublisher(applicationEventPublisher);
}

Kotlin

@Bean
fun authorizationEventPublisher
        (applicationEventPublisher: ApplicationEventPublisher?): AuthorizationEventPublisher {
    return SpringAuthorizationEventPublisher(applicationEventPublisher)
}

Then you can use Spring's @EventListener support.

Java

@Component
public class AuthenticationEvents {

    @EventListener
    public void onFailure(AuthorizationDeniedEvent failure) {
        // ...
    }
}

Kotlin

@Component
class AuthenticationEvents {

    @EventListener
    fun onFailure(failure: AuthorizationDeniedEvent?) {
        // ...
    }
}
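As an added example that is not part of the Spring Security reference documentation or its code base, the listener below consumes AuthorizationDeniedEvent, logs each denial with the principal and the secured object, and warns when a single principal accumulates many denials within a short window. The class name, the threshold and the window length are assumptions chosen for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.event.EventListener;
import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

// Assumed class name: logs every denial and flags bursts of denials per principal.
@Component
public class AuthorizationDenialMonitor {
    private static final Logger log = LoggerFactory.getLogger(AuthorizationDenialMonitor.class);
    // Assumed policy: this many denials for one principal inside the window is worth a review.
    static final int THRESHOLD = 5;
    static final Duration WINDOW = Duration.ofMinutes(1);
    private final Map<String, DenialWindow> denialsByPrincipal = new ConcurrentHashMap<>();

    @EventListener
    public void onDenied(AuthorizationDeniedEvent<?> event) {
        Authentication authentication = event.getAuthentication().get();
        String principal = (authentication != null) ? authentication.getName() : "anonymous";
        // The secured object is whatever was checked: a RequestAuthorizationContext for
        // web security, a MethodInvocation for method security.
        log.warn("authorization denied: principal={} object={} decision={}",
                principal, event.getObject(), event.getAuthorizationDecision());
        int count = recordDenial(principal, Instant.now());
        if (count >= THRESHOLD) {
            log.warn("{} denials for principal={} within {}; review this account's activity",
                    count, principal, WINDOW);
        }
    }

    // Returns how many denials this principal has accumulated in the current window.
    int recordDenial(String principal, Instant now) {
        DenialWindow window = denialsByPrincipal.compute(principal, (key, existing) ->
                (existing == null || existing.start.plus(WINDOW).isBefore(now))
                        ? new DenialWindow(now) : existing);
        return window.count.incrementAndGet();
    }

    private static final class DenialWindow {
        final Instant start;
        final AtomicInteger count = new AtomicInteger();
        DenialWindow(Instant start) { this.start = start; }
    }
}
```

Because AuthorizationDeniedEvent is fired for every denial, this listener needs no custom publisher; the SpringAuthorizationEventPublisher bean shown above is enough.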

Authorization Granted Events

Because AuthorizationGrantedEvents have the potential to be quite noisy, they are not published by default.

In fact, publishing these events will likely require some business logic on your part to ensure that your application is not inundated with noisy authorization events.

You can create your own event publisher that filters success events. For example, the following publisher only publishes authorization grants that required ROLE_ADMIN.

Java

import java.util.Collection;
import java.util.function.Supplier;

import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.authorization.AuthorityAuthorizationDecision;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
import org.springframework.security.authorization.event.AuthorizationGrantedEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

@Component
public class MyAuthorizationEventPublisher implements AuthorizationEventPublisher {
    private final ApplicationEventPublisher publisher;
    private final AuthorizationEventPublisher delegate;

    public MyAuthorizationEventPublisher(ApplicationEventPublisher publisher) {
        this.publisher = publisher;
        this.delegate = new SpringAuthorizationEventPublisher(publisher);
    }

    @Override
    public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication,
            T object, AuthorizationDecision decision) {
        if (decision == null) {
            return;
        }
        // Denials are always published, via the default publisher
        if (!decision.isGranted()) {
            this.delegate.publishAuthorizationEvent(authentication, object, decision);
            return;
        }
        // Grants are published only when the filter below accepts them
        if (shouldThisEventBePublished(decision)) {
            AuthorizationGrantedEvent granted = new AuthorizationGrantedEvent(
                    authentication, object, decision);
            this.publisher.publishEvent(granted);
        }
    }

    private boolean shouldThisEventBePublished(AuthorizationDecision decision) {
        if (!(decision instanceof AuthorityAuthorizationDecision)) {
            return false;
        }
        Collection<GrantedAuthority> authorities = ((AuthorityAuthorizationDecision) decision).getAuthorities();
        for (GrantedAuthority authority : authorities) {
            if ("ROLE_ADMIN".equals(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}

Kotlin

import java.util.function.Supplier

import org.springframework.context.ApplicationEventPublisher
import org.springframework.security.authorization.AuthorityAuthorizationDecision
import org.springframework.security.authorization.AuthorizationDecision
import org.springframework.security.authorization.AuthorizationEventPublisher
import org.springframework.security.authorization.SpringAuthorizationEventPublisher
import org.springframework.security.authorization.event.AuthorizationGrantedEvent
import org.springframework.security.core.Authentication
import org.springframework.stereotype.Component

@Component
class MyAuthorizationEventPublisher(val publisher: ApplicationEventPublisher,
    val delegate: SpringAuthorizationEventPublisher = SpringAuthorizationEventPublisher(publisher)):
    AuthorizationEventPublisher {

    override fun <T : Any?> publishAuthorizationEvent(
        authentication: Supplier<Authentication>?,
        `object`: T,
        decision: AuthorizationDecision?
    ) {
        if (decision == null) {
            return
        }
        // Denials are always published, via the default publisher
        if (!decision.isGranted) {
            this.delegate.publishAuthorizationEvent(authentication, `object`, decision)
            return
        }
        // Grants are published only when the filter below accepts them
        if (shouldThisEventBePublished(decision)) {
            val granted = AuthorizationGrantedEvent(authentication, `object`, decision)
            this.publisher.publishEvent(granted)
        }
    }

    private fun shouldThisEventBePublished(decision: AuthorizationDecision): Boolean {
        if (decision !is AuthorityAuthorizationDecision) {
            return false
        }
        val authorities = decision.authorities
        for (authority in authorities) {
            if ("ROLE_ADMIN" == authority.authority) {
                return true
            }
        }
        return false
    }
}