How Spring Security Controls Access Permissions by URL
This article explains how Spring Security can be used to control access permissions by URL. The example code is walked through in detail and should be a useful reference for study or work.
The goal: a system has many different users, each with different rights to its resources; concretely, a given user must not be able to access a given URL. We want Spring Security to do that filtering for us.
FilterSecurityInterceptor is the class Spring Security uses to make URL permission decisions, and it extends AbstractSecurityInterceptor. So we can add our own interceptor that extends AbstractSecurityInterceptor and implements our own permission-check logic.
Looking at the parent class and its code, there are a few points to note:
1. The main authorization call is the decide method of the accessDecisionManager held by the parent class, so we need to implement our own AccessDecisionManager.
2. The parent class declares the abstract method public abstract SecurityMetadataSource obtainSecurityMetadataSource(); its job is to return the mapping between URLs and the user roles allowed to access them. We need to supply our own implementation.
Below is part of the code implementation.
The main interceptor, JwtUrlSecurityInterceptor, has to be registered in WebSecurityConfig (the Spring Security configuration class):
```java
// This interceptor enforces the user's permissions on the requested URL
@Bean
public JwtUrlSecurityInterceptor jwtUrlSecurityInterceptorBean() throws Exception {
    return new JwtUrlSecurityInterceptor();
}

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    ...
    // Run our interceptor just before the built-in FilterSecurityInterceptor
    httpSecurity.addFilterBefore(jwtUrlSecurityInterceptorBean(), FilterSecurityInterceptor.class);
    ...
}
```
Implementing the custom AccessDecisionManager
```java
package org.zerhusen.security.dsuri;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;

import java.util.Collection;

/**
 * Created by dingshuo on 2017/6/28.
 */
public class MyAccessDecisionManager implements AccessDecisionManager {

    @Override
    public void decide(Authentication authentication, Object object,
                       Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // Demo stub: every URL that has attributes is denied until real role checks are added here
        System.out.println("自定义的接口");
        throw new AccessDeniedException("no right");
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}
```
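The stub above denies everything. As an added example (not code from the original post), here is a decide implementation that compares the caller's granted authorities with the roles the metadata source lists for the URL, rejects unauthenticated callers with InsufficientAuthenticationException so the entry point can challenge them, and fails closed on an empty attribute list; the class name RoleMatchingAccessDecisionManager and the user names in main are assumptions.

```java
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import java.util.Collection;

/** Grants access only when the caller holds at least one of the roles listed for the URL. */
public class RoleMatchingAccessDecisionManager implements AccessDecisionManager {
    @Override
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // Not logged in: let the authentication entry point challenge (401) instead of answering 403
        if (authentication == null || !authentication.isAuthenticated()) {
            throw new InsufficientAuthenticationException("not authenticated");
        }
        // Fail closed if a URL reaches us with an empty attribute list
        if (configAttributes == null || configAttributes.isEmpty()) {
            throw new AccessDeniedException("no roles configured for this URL");
        }
        for (ConfigAttribute needed : configAttributes) {          // e.g. "ROLE_USER1"
            for (GrantedAuthority held : authentication.getAuthorities()) {
                if (held.getAuthority() != null && held.getAuthority().equals(needed.getAttribute())) {
                    return;                                        // one matching role is enough
                }
            }
        }
        throw new AccessDeniedException("no right");
    }
    @Override
    public boolean supports(ConfigAttribute attribute) { return attribute.getAttribute() != null; }
    @Override
    public boolean supports(Class<?> clazz) { return true; }

    // Exercises the rule with constructed tokens; no web context or database is needed
    public static void main(String[] args) {
        AccessDecisionManager adm = new RoleMatchingAccessDecisionManager();
        Collection<ConfigAttribute> needsUser1 = SecurityConfig.createList("ROLE_USER1");
        adm.decide(new TestingAuthenticationToken("alice", "pw", "ROLE_USER1"), null, needsUser1);
        try {
            adm.decide(new TestingAuthenticationToken("bob", "pw", "ROLE_NO"), null, needsUser1);
            throw new IllegalStateException("bob should have been denied");
        } catch (AccessDeniedException expected) {
            System.out.println("alice allowed, bob denied: " + expected.getMessage());
        }
    }
}
```

Wire it in the interceptor in place of MyAccessDecisionManager; the metadata source's attributes for "/index.jsp" then let ROLE_USER1 through and reject everyone else.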
Implementing the custom SecurityMetadataSource for resources
```java
package org.zerhusen.security.dsuri;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

import java.util.*;

/**
 * Created by dingshuo on 2017/6/28.
 */
public class MyInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    // URL -> roles that may access it
    private static Map<String, Collection<ConfigAttribute>> resourceMap = null;

    public MyInvocationSecurityMetadataSource() {
        // This could be loaded from the database instead: inject a DAO here
        resourceMap = new HashMap<String, Collection<ConfigAttribute>>();

        Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
        ConfigAttribute ca = new SecurityConfig("ROLE_USER1");
        atts.add(ca);
        resourceMap.put("/index.jsp", atts);

        Collection<ConfigAttribute> attsno = new ArrayList<ConfigAttribute>();
        ConfigAttribute cano = new SecurityConfig("ROLE_NO");
        attsno.add(cano);
        resourceMap.put("/other.jsp", attsno);
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        String url = ((FilterInvocation) object).getRequestUrl();
        Iterator<String> ite = resourceMap.keySet().iterator();
        while (ite.hasNext()) {
            String resURL = ite.next();
            // Exact match; wildcard URLs would need a pattern matcher here
            if (url.equals(resURL)) {
                return resourceMap.get(resURL);
            }
        }
        // null means "no attributes": AbstractSecurityInterceptor then lets the request through
        // without consulting the decision manager, so any URL missing from the map is public
        return null;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}
```
Implementing JwtUrlSecurityInterceptor
```java
package org.zerhusen.security.dsuri;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.web.FilterInvocation;

import javax.servlet.*;
import java.io.IOException;

/**
 * Created by dingshuo on 2017/6/28.
 */
public class JwtUrlSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {

    // Built once; its constructor fills the URL -> role map
    private final MyInvocationSecurityMetadataSource metadataSource = new MyInvocationSecurityMetadataSource();

    public JwtUrlSecurityInterceptor() {
        // Replace the default decision manager with the custom one
        super.setAccessDecisionManager(new MyAccessDecisionManager());
    }

    // AbstractSecurityInterceptor.afterPropertiesSet() insists on an AuthenticationManager,
    // so WebSecurityConfig must expose one as a bean (e.g. via authenticationManagerBean())
    @Autowired
    @Override
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        super.setAuthenticationManager(authenticationManager);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        FilterInvocation fi = new FilterInvocation(request, response, chain);
        invoke(fi);
    }

    @Override
    public void destroy() {
    }

    @Override
    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.metadataSource;
    }

    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        // beforeInvocation looks up the URL's attributes and calls the decision manager; because this
        // filter sits just before FilterSecurityInterceptor, the ExceptionTranslationFilter upstream
        // turns an AccessDeniedException into a 403 (or a login challenge for anonymous users)
        InterceptorStatusToken token = super.beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            super.afterInvocation(token, null);
        }
    }
}
```
That is a simple URL-based permission control.