<sec:global-method-security
pre-post-annotations="enabled" secured-annotations="enabled"
metadata-source-ref="customMetadataSource" />
<beans:bean id="customMetadataSource"
class="org.dummy.CustomMetadataSource">
<beans:constructor-arg>
<beans:map>
<beans:entry
key="#{T(org.dummy.RoleAuthenticatedUser)}"
value="hasRole('ROLE_AUTHENTICATED_USER')" />
</beans:map>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" />
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
The @RoleAuthenticatedUser annotation is very simple:
@java.lang.annotation.Target(value={java.lang.annotation.ElementType.METHOD,java.lang.annotation.ElementType.TYPE})
@java.lang.annotation.Retention(value=java.lang.annotation.RetentionPolicy.RUNTIME)
@java.lang.annotation.Inherited
@java.lang.annotation.Documented
public @interface RoleAuthenticatedUser {
}
When I want to secure a REST web service, I only need to decorate it with this annotation.
@RoleAuthenticatedUser
@Transactional
@Benchmark
@GetMapping(value = RICHIESTA_ABILITAZIONE_DOCUMENTI_URL, headers = "Accept="
+ MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
public ResponseEntity<RichiestaAccesso> impostaAbilitazioneDocumenti(@AuthenticationPrincipal JwtUser user, @PathVariable("richiestaAccesso") String idRichiestaAccesso, @PathVariable("codiceFiscale") String codiceFiscale, @PathVariable("abilita") boolean abilitazioneDocumenti) {
return ...;
}
public interface JwtUser extends UserIdentity {
long getLastAccessedTime();
long getDurationTime();
String getUid();
void touched();
boolean isValid();
List<ProfiloUtente> getProfiles();
}
I defined a JwtUser; when I call Authentication.getPrincipal I receive a JwtUser object.
It works perfectly, without any problems. I want to add another annotation that checks whether the user (JwtUser) has at least 2 profiles (I need to check the getProfiles list). To accomplish this, I extended the configuration as follows:
<beans:bean id="customMetadataSource"
class="it.insiel.stt.interrogazioni.web.security.CustomMetadataSource">
<beans:constructor-arg>
<beans:map>
<beans:entry
key="#{T(org.dummy.RoleAuthenticatedUser)}"
value="hasRole('ROLE_AUTHENTICATED_USER')" />
<beans:entry
key="#{T(org.dummy.RoleProfiledUser)}"
value="hasRole('ROLE_AUTHENTICATED_USER') and authentication.principal.profiles.size>1" />
</beans:map>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" />
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
As you can see, I just added another annotation named @RoleProfiledUser and associated it with the following expression:
hasRole('ROLE_AUTHENTICATED_USER') and authentication.principal.profiles.size>1
I associated it with the REST controller, but it does not work. Where is the mistake? Thank you very much.
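Added example (not part of the question above and not the asker's code): a stand-alone harness that evaluates the profile-count part of the expression with Spring's SpEL engine against a constructed principal, outside the security filter chain. It needs only spring-expression on the classpath. The classes StubPrincipal, StubAuthentication and StubRoot and the sample profile lists are constructed for this example to mimic the `authentication.principal.profiles` path; `hasRole(...)` is omitted because it is supplied by Spring Security's expression root, not by plain SpEL. The harness evaluates both the method-call form `profiles.size()`, which SpEL resolves as an invocation of List.size(), and the bare property form `profiles.size` as written in the question, which SpEL resolves as a property lookup named "size", so the reader can see how each is handled.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Evaluates a SpEL authorization fragment against a constructed principal,
 * independent of the Spring Security context. Only spring-expression is required.
 */
public class ProfileExpressionCheck {

    /** Constructed stand-in for the JwtUser principal (hypothetical, not the question's class). */
    public static class StubPrincipal {
        private final List<String> profiles;
        public StubPrincipal(List<String> profiles) { this.profiles = profiles; }
        /** Exposes the "profiles" property to SpEL, like JwtUser.getProfiles(). */
        public List<String> getProfiles() { return profiles; }
    }

    /** Constructed stand-in for the Authentication object reached via "authentication". */
    public static class StubAuthentication {
        private final Object principal;
        public StubAuthentication(Object principal) { this.principal = principal; }
        public Object getPrincipal() { return principal; }
    }

    /** Constructed root object so that "authentication.principal.profiles" resolves as in the question. */
    public static class StubRoot {
        private final StubAuthentication authentication;
        public StubRoot(StubAuthentication authentication) { this.authentication = authentication; }
        public StubAuthentication getAuthentication() { return authentication; }
    }

    /**
     * Parses and evaluates the expression against a principal holding the given profiles.
     * Returns "true"/"false", or the SpEL error message if parsing or evaluation fails.
     */
    public static String evaluate(String expression, List<String> profiles) {
        ExpressionParser parser = new SpelExpressionParser();
        StandardEvaluationContext ctx = new StandardEvaluationContext(
                new StubRoot(new StubAuthentication(new StubPrincipal(profiles))));
        try {
            Expression exp = parser.parseExpression(expression);
            return String.valueOf(exp.getValue(ctx, Boolean.class));
        } catch (ExpressionException e) {
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a user with two profiles and a user with one.
        List<String> twoProfiles = Arrays.asList("PROFILE_A", "PROFILE_B");
        List<String> oneProfile = Arrays.asList("PROFILE_A");

        // Method-call form: SpEL invokes List.size() on the profiles list.
        System.out.println("size() / 2 profiles -> "
                + evaluate("authentication.principal.profiles.size() > 1", twoProfiles));
        System.out.println("size() / 1 profile  -> "
                + evaluate("authentication.principal.profiles.size() > 1", oneProfile));

        // Property form as written in the question: SpEL performs a property lookup named "size".
        System.out.println("size   / 2 profiles -> "
                + evaluate("authentication.principal.profiles.size > 1", twoProfiles));
    }
}
```

Running the harness with a candidate expression before wiring it into the metadata source separates SpEL resolution problems from Spring Security configuration problems, since a failing lookup surfaces here as a plain error message rather than as a denied request.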