@kawasima
Last active February 1, 2023 13:50
ミニマルなSpring SecurityのMethod Security
import org.springframework.aop.aspectj.AspectJExpressionPointcut;
import org.springframework.aop.config.AopConfigUtils;
import org.springframework.context.support.GenericApplicationContext;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
import org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
/**
 * Hand-wired Spring Security method security on a bare
 * {@link GenericApplicationContext}: an expression handler, a
 * {@link PreAuthorizeAuthorizationManager} and one
 * {@link AuthorizationManagerBeforeMethodInterceptor} are registered as beans, then
 * a guarded method is called under two different identities.
 *
 * <p>Review notes for anyone reusing this wiring:
 * <ul>
 *   <li>The interceptor's pointcut selects methods by name ({@code exec()} with no
 *       arguments), not by the presence of {@link PreAuthorize}. A method carrying
 *       the annotation under any other name is not matched by this advisor, so its
 *       expression would not be evaluated by it.</li>
 *   <li>The identities are test fixtures ({@link TestingAuthenticationToken}, empty
 *       password and credentials) placed directly into the
 *       {@link SecurityContextHolder}; no authentication step is performed.</li>
 * </ul>
 */
public class MinimalMethodSecurity {

    /** Sample bean whose single method is restricted to the principal named {@code admin}. */
    static class AdminApp {
        // The expression reads only principal.username; granted authorities are not consulted.
        @PreAuthorize("principal.username == 'admin'")
        public void exec() {
            System.out.println("I am an Admin!");
        }
    }

    /**
     * Builds the context, registers the method-security beans and invokes
     * {@link AdminApp#exec()} first as {@code admin} and then as {@code not-admin}.
     * The second invocation is expected to be rejected; the exception is not caught
     * here and therefore propagates out of {@code main}.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        GenericApplicationContext context = new GenericApplicationContext();
        context.registerShutdownHook();

        // Auto-proxying is what lets the interceptor bean below wrap AdminApp.
        AopConfigUtils.registerAspectJAnnotationAutoProxyCreatorIfNecessary(context);

        // Method-security beans. The suppliers run lazily, so looking up sibling
        // beans from inside them is resolved by the context when each bean is created.
        context.registerBean(MethodSecurityExpressionHandler.class,
                () -> new DefaultMethodSecurityExpressionHandler());
        context.registerBean(AuthorizationManager.class,
                () -> newPreAuthorizeManager(context));
        context.registerBean(AuthorizationManagerBeforeMethodInterceptor.class,
                () -> newExecInterceptor(context));

        context.registerBean(AdminApp.class);
        context.refresh();

        // Sample application calls start here; without the required identity an
        // AccessDeniedException is raised.
        signInAs("admin");
        context.getBean(AdminApp.class).exec(); // SUCCESS

        signInAs("not-admin");
        context.getBean(AdminApp.class).exec(); // AccessDeniedException
    }

    /**
     * Creates the manager that evaluates {@link PreAuthorize} expressions, using the
     * expression handler registered in {@code context}.
     */
    private static PreAuthorizeAuthorizationManager newPreAuthorizeManager(
            GenericApplicationContext context) {
        PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
        MethodSecurityExpressionHandler handler =
                context.getBean(MethodSecurityExpressionHandler.class);
        manager.setExpressionHandler(handler);
        return manager;
    }

    /**
     * Creates the before-invocation interceptor. Its pointcut is name-based: it
     * matches executions of any no-argument method called {@code exec}, whatever the
     * declaring type, and nothing else.
     */
    private static AuthorizationManagerBeforeMethodInterceptor newExecInterceptor(
            GenericApplicationContext context) {
        AspectJExpressionPointcut execOnly = new AspectJExpressionPointcut();
        execOnly.setExpression("execution(* *..*.exec())");
        return new AuthorizationManagerBeforeMethodInterceptor(
                execOnly, context.getBean(AuthorizationManager.class));
    }

    /**
     * Replaces the current thread's authentication with a test token for
     * {@code username}. Password and credentials are empty strings and the single
     * authority is {@code USERS}; this is demo-only identity setup.
     */
    private static void signInAs(String username) {
        Object principal = User.builder()
                .username(username)
                .password("")
                .authorities("USERS")
                .build();
        TestingAuthenticationToken token = new TestingAuthenticationToken(principal, "");
        SecurityContextHolder.getContext().setAuthentication(token);
    }
}