Spring Security-利用URL地址进行权限控制
目的是:系统内存在不少不一样的用户,每一个用户具备不一样的资源访问权限,具体表现就是某个用户对于某个URL是无权限访问的。须要Spring Security忙咱们过滤。
本文的不少命名都是参考连接博文的,最大的不一样应该是本文是基于Spring boot,再次也向前人致敬!
由上一篇可知,FilterSecurityInterceptor是Spring Security进行URL权限判断的,
FilterSecurityInterceptor又继承于AbstractSecurityInterceptor,由此可推测,咱们能够新增一个Interceptor继承
AbstractSecurityInterceptor,实现咱们本身的权限校验逻辑。
查看父类及其代码逻辑,有几点必需要注意:
一、主要鉴权方法是调用父类中accessDecisionManager的decide值,因此咱们须要本身实现一个
accessDecisionManager
二、父类中存在抽象方法public abstract SecurityMetadataSource obtainSecurityMetadataSource();做用是获取URL及用户角色对应的关系。咱们须要加入本身的实现。
如下是部分代码实现
主要拦截器JwtUrlSecurityInterceptor,须要在WebSecurityConfig(Spring Security配置)文件中注册
//这个拦截器用来实现按照用户权限,对所请求的url进行拦截 @Bean public JwtUrlSecurityInterceptor jwtUrlSecurityInterceptorBean() throws Exception{ return new JwtUrlSecurityInterceptor(); }@Override protected void configure(HttpSecurity httpSecurity) throws Exception {... httpSecurity.addFilterBefore(jwtUrlSecurityInterceptorBean(), FilterSecurityInterceptor.class);... }
实现自定义的
accessDecisionManager
package org.zerhusen.security.dsuri;import org.springframework.security.access.AccessDecisionManager;import org.springframework.security.access.AccessDeniedException;import org.springframework.security.access.ConfigAttribute;import org.springframework.security.authentication.InsufficientAuthenticationException;import org.springframework.security.core.Authentication;import java.util.Collection;/** * Created by dingshuo on 2017/6/28. */public class MyAccessDecisionManager implements AccessDecisionManager { @Override public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException { System.out.println("自定义的接口"); throw new AccessDeniedException("no right"); } @Override public boolean supports(ConfigAttribute attribute) { return true; } @Override public boolean supports(Class<?> clazz) { return true; }}
实现自定义的资源
SecurityMetadataSource
package org.zerhusen.security.dsuri;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.security.access.ConfigAttribute;import org.springframework.security.access.SecurityConfig;import org.springframework.security.web.FilterInvocation;import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;import java.util.*;/** * Created by dingshuo on 2017/6/28. */public class MyInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource { private static Map<String, Collection<ConfigAttribute>> resourceMap = null; @Autowired UrlMatcher urlMatcher; public MyInvocationSecurityMetadataSource() {//这里能够查数据库实现//注入dao便可 resourceMap = new HashMap<String, Collection<ConfigAttribute>>(); Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>(); ConfigAttribute ca = new SecurityConfig("ROLE_USER1"); atts.add(ca); resourceMap.put("/index.jsp", atts); Collection<ConfigAttribute> attsno =new ArrayList<ConfigAttribute>(); ConfigAttribute cano = new SecurityConfig("ROLE_NO"); attsno.add(cano); resourceMap.put("/other.jsp", attsno); } @Override public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException { String url = ((FilterInvocation)object).getRequestUrl(); Iterator<String> ite = resourceMap.keySet().iterator(); while (ite.hasNext()) { String resURL = ite.next(); if (url.equals("/protected")) { return resourceMap.get(resURL); } } return null; } @Override public Collection<ConfigAttribute> getAllConfigAttributes() { return null; } @Override public boolean supports(Class<?> clazz) { return true; }}
实现
JwtUrlSecurityInterceptor
package org.zerhusen.security.dsuri;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.context.annotation.Bean;import org.springframework.security.access.AccessDecisionManager;import org.springframework.security.access.SecurityMetadataSource;import org.springframework.security.access.intercept.AbstractSecurityInterceptor;import org.springframework.security.access.intercept.InterceptorStatusToken;import org.springframework.security.authentication.AuthenticationManager;import org.springframework.security.web.FilterInvocation;import javax.servlet.*;import java.io.IOException;/** * Created by dingshuo on 2017/6/28. */public class JwtUrlSecurityInterceptor extends AbstractSecurityInterceptor implements Filter { @Autowired public void setMyAccessDecisionManager(){ super.setAccessDecisionManager(myAccessDecisionManagerBean()); } @Bean public MyAccessDecisionManager myAccessDecisionManagerBean(){ return new MyAccessDecisionManager(); } @Bean public MyInvocationSecurityMetadataSource myInvocationSecurityMetadataSourceBean(){ return new MyInvocationSecurityMetadataSource(); } @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { FilterInvocation fi = new FilterInvocation(request, response, chain); invoke(fi); } @Override public void destroy() { } @Override public Class<?> getSecureObjectClass() { return FilterInvocation.class; } @Override public SecurityMetadataSource obtainSecurityMetadataSource() { return this.myInvocationSecurityMetadataSourceBean(); } public void invoke(FilterInvocation fi) throws IOException, ServletException { InterceptorStatusToken token = super.beforeInvocation(fi); try { fi.getChain().doFilter(fi.getRequest(), fi.getResponse()); }finally { super.afterInvocation(token, null); } }}
如上是简单的URL权限控制
相关文章
- 1. spring - security 权限控制
- 2. spring security 权限控制
- 3. Spring Security权限控制
- 4. spring 的权限控制:security
- 5. security权限控制
- 6. Spring Boot + Spring Security权限控制
- 7. spring-boot+Spring-security+jwt控制权限
- 8. spring security 权限控制表达式
- 9. 浅谈spring security中的权限控制
- 10. Spring Security权限控制源码分析
- 更多相关文章...
- • 物理地址(MAC地址)是什么? - TCP/IP教程
- • MySQL删除用户权限(REVOKE) - MySQL教程
- • Docker容器实战(六) - 容器的隔离与限制
- • Spring Cloud 微服务实战(三) - 服务注册与发现
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. No provider available from registry 127.0.0.1:2181 for service com.ddbuy.ser 解决方法
- 2. Qt5.7以上调用虚拟键盘(支持中文),以及源码修改(可拖动,水平缩放)
- 3. 软件测试面试- 购物车功能测试用例设计
- 4. ElasticSearch(概念篇):你知道的, 为了搜索…
- 5. redux理解
- 6. gitee创建第一个项目
- 7. 支持向量机之硬间隔(一步步推导,通俗易懂)
- 8. Mysql 异步复制延迟的原因及解决方案
- 9. 如何在运行SEPM配置向导时将不可认的复杂数据库密码改为简单密码
- 10. windows系统下tftp服务器使用
欢迎关注本站公众号,获取更多信息
