How Spring Security performs permission control by URL
This article explains how Spring Security can enforce permissions based on the requested URL. The sample code is walked through in some detail and should serve as a useful reference for study or work.
The goal: a system has many different users, each holding different rights to its resources; concretely, a given user is not allowed to access a given URL, and we want Spring Security to do that filtering for us.
FilterSecurityInterceptor is the filter Spring Security uses to make URL authorization decisions, and it extends AbstractSecurityInterceptor. It follows that we can add an interceptor of our own that extends AbstractSecurityInterceptor and implements our own permission checks.
Looking at the parent class and its logic, a few points must be kept in mind:
1. The main authorization step is the call to decide() on the AccessDecisionManager held by the parent class, so we need to provide an AccessDecisionManager of our own.
2. The parent class declares the abstract method public abstract SecurityMetadataSource obtainSecurityMetadataSource(); it returns the mapping between URLs and the user roles allowed to reach them, and we have to supply our own implementation.
3. The parent class also requires an AuthenticationManager (its afterPropertiesSet() fails without one), and when the metadata source returns no attributes for a URL the request is treated as public unless rejectPublicInvocations is set, so every URL that must be protected needs an entry in the mapping.
The relevant parts of the code follow.
The main interceptor, JwtUrlSecurityInterceptor, must be registered in WebSecurityConfig (the Spring Security configuration). Two things to watch here: AbstractSecurityInterceptor insists on an AuthenticationManager at startup, so the bean below sets one; and if the application runs on Spring Boot, a Filter that is also a @Bean is additionally registered with the servlet container and would run a second time outside the security chain, unless that registration is disabled with a FilterRegistrationBean whose enabled flag is set to false.
```java
// This interceptor filters requested URLs according to the user's permissions.
@Bean
public JwtUrlSecurityInterceptor jwtUrlSecurityInterceptorBean() throws Exception {
    JwtUrlSecurityInterceptor interceptor = new JwtUrlSecurityInterceptor();
    // Required: AbstractSecurityInterceptor.afterPropertiesSet() rejects a null AuthenticationManager.
    interceptor.setAuthenticationManager(authenticationManagerBean());
    return interceptor;
}

@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    ...
    httpSecurity.addFilterBefore(jwtUrlSecurityInterceptorBean(), FilterSecurityInterceptor.class);
    ...
}
```
Implement a custom AccessDecisionManager
```java
package org.zerhusen.security.dsuri;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

import java.util.Collection;

/**
 * Created by dingshuo on 2017/6/28.
 */
public class MyAccessDecisionManager implements AccessDecisionManager {

    @Override
    public void decide(Authentication authentication, Object object,
                       Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // The original demo only printed a message and threw AccessDeniedException for
        // every request; this version compares the URL's roles with the user's authorities.
        if (configAttributes == null || configAttributes.isEmpty()) {
            return; // nothing required for this URL
        }
        if (authentication == null || !authentication.isAuthenticated()) {
            throw new InsufficientAuthenticationException("not authenticated");
        }
        for (ConfigAttribute attribute : configAttributes) {
            String required = attribute.getAttribute();
            for (GrantedAuthority granted : authentication.getAuthorities()) {
                if (required != null && required.equals(granted.getAuthority())) {
                    return; // the user holds one of the roles mapped to this URL
                }
            }
        }
        throw new AccessDeniedException("no right");
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}
```
Implement the custom resource SecurityMetadataSource
```java
package org.zerhusen.security.dsuri;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.util.AntPathMatcher;

import java.util.*;

/**
 * Created by dingshuo on 2017/6/28.
 */
public class MyInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    // URL pattern -> roles allowed to reach it.
    private static Map<String, Collection<ConfigAttribute>> resourceMap = null;

    // Ant-style matching from spring-core. The original declared an @Autowired UrlMatcher
    // that was never injected (the class is created with new) and never consulted.
    private final AntPathMatcher pathMatcher = new AntPathMatcher();

    public MyInvocationSecurityMetadataSource() {
        // This could be loaded from the database instead: just inject a DAO.
        resourceMap = new LinkedHashMap<>();
        Collection<ConfigAttribute> atts = new ArrayList<>();
        ConfigAttribute ca = new SecurityConfig("ROLE_USER1");
        atts.add(ca);
        resourceMap.put("/index.jsp", atts);
        Collection<ConfigAttribute> attsno = new ArrayList<>();
        ConfigAttribute cano = new SecurityConfig("ROLE_NO");
        attsno.add(cano);
        resourceMap.put("/other.jsp", attsno);
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        // getRequestUrl() includes the query string, so drop it before matching;
        // otherwise "/index.jsp?x=1" would never match "/index.jsp".
        String url = ((FilterInvocation) object).getRequestUrl();
        int q = url.indexOf('?');
        if (q >= 0) {
            url = url.substring(0, q);
        }
        for (Map.Entry<String, Collection<ConfigAttribute>> entry : resourceMap.entrySet()) {
            // The original compared url against the literal "/protected" instead of the map key.
            if (pathMatcher.match(entry.getKey(), url)) {
                return entry.getValue();
            }
        }
        // null = no attributes: AbstractSecurityInterceptor treats such a URL as public.
        return null;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Set<ConfigAttribute> all = new HashSet<>();
        for (Collection<ConfigAttribute> attributes : resourceMap.values()) {
            all.addAll(attributes);
        }
        return all;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}
```
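The constructor comment above says the mapping "could be loaded from the database"; the following is an added example of doing exactly that, not code from the original article. It reads the URL-to-role rows with JdbcTemplate, matches requests with Spring Security's own AntPathRequestMatcher (which honours the HTTP method and ignores the query string), tries longer patterns before shorter ones, and returns a deny-all attribute for URLs that have no row instead of null, so unmapped URLs are rejected rather than silently treated as public. The class name JdbcUrlRoleMetadataSource, the table url_role and its columns url_pattern, http_method and role are assumptions made for the example.

```java
package org.zerhusen.security.dsuri;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

import javax.servlet.http.HttpServletRequest;
import java.util.*;

/**
 * Added example (not from the article): URL-to-role mapping loaded from a database.
 * Assumed table, one row per (pattern, method, role); a NULL http_method means any method:
 *   CREATE TABLE url_role (url_pattern VARCHAR(255), http_method VARCHAR(10), role VARCHAR(64));
 */
public class JdbcUrlRoleMetadataSource implements FilterInvocationSecurityMetadataSource {

    // Handed back for URLs with no row. No user is ever granted this role, so the
    // decision manager denies the request instead of the interceptor treating it as public.
    private static final Collection<ConfigAttribute> DENY_ALL = SecurityConfig.createList("ROLE_NO_MATCH");

    private final JdbcTemplate jdbcTemplate;
    // Insertion-ordered so that more specific patterns are tried first.
    private volatile Map<RequestMatcher, Collection<ConfigAttribute>> rules = new LinkedHashMap<>();

    public JdbcUrlRoleMetadataSource(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
        reload();
    }

    /** Re-reads url_role; requests keep using the previous map until the new one is swapped in. */
    public synchronized void reload() {
        List<String[]> rows = jdbcTemplate.query(
                "SELECT url_pattern, http_method, role FROM url_role",
                (rs, rowNum) -> new String[] { rs.getString(1), rs.getString(2), rs.getString(3) });

        // pattern -> method ("*" = any) -> roles, so several rows for one URL become one attribute list.
        Map<String, Map<String, Collection<ConfigAttribute>>> byPattern = new HashMap<>();
        for (String[] row : rows) {
            String method = row[1] == null ? "*" : row[1].toUpperCase(Locale.ROOT);
            byPattern.computeIfAbsent(row[0], p -> new HashMap<>())
                     .computeIfAbsent(method, m -> new ArrayList<>())
                     .add(new SecurityConfig(row[2]));
        }

        // Heuristic: longer pattern = more specific, so "/admin/users/**" is consulted before "/admin/**".
        List<String> patterns = new ArrayList<>(byPattern.keySet());
        patterns.sort((a, b) -> b.length() - a.length());

        Map<RequestMatcher, Collection<ConfigAttribute>> fresh = new LinkedHashMap<>();
        for (String pattern : patterns) {
            Map<String, Collection<ConfigAttribute>> byMethod = byPattern.get(pattern);
            for (Map.Entry<String, Collection<ConfigAttribute>> m : byMethod.entrySet()) {
                if (!"*".equals(m.getKey())) {
                    fresh.put(new AntPathRequestMatcher(pattern, m.getKey()),
                              Collections.unmodifiableCollection(m.getValue()));
                }
            }
            if (byMethod.containsKey("*")) {
                // Any-method rule goes last so a method-specific rule for the same pattern wins.
                fresh.put(new AntPathRequestMatcher(pattern),
                          Collections.unmodifiableCollection(byMethod.get("*")));
            }
        }
        rules = fresh;
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) {
        HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
        // AntPathRequestMatcher matches servletPath + pathInfo and ignores the query string.
        for (Map.Entry<RequestMatcher, Collection<ConfigAttribute>> rule : rules.entrySet()) {
            if (rule.getKey().matches(request)) {
                return rule.getValue();
            }
        }
        return DENY_ALL;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Set<ConfigAttribute> all = new HashSet<>(DENY_ALL);
        for (Collection<ConfigAttribute> attributes : rules.values()) {
            all.addAll(attributes);
        }
        return all;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}
```

To use it, construct it with the application's JdbcTemplate and return it from the interceptor's obtainSecurityMetadataSource(). Because every unmapped URL now yields ROLE_NO_MATCH, endpoints that must stay reachable without a mapping (the login URL, health checks) need their own rows, one per role that may call them, or must be left out of the filter chain; unauthenticated requests carry ROLE_ANONYMOUS from AnonymousAuthenticationFilter, which is the authority to list for a public endpoint.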
Implement JwtUrlSecurityInterceptor
```java
package org.zerhusen.security.dsuri;

import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;

import javax.servlet.*;
import java.io.IOException;

/**
 * Created by dingshuo on 2017/6/28.
 */
public class JwtUrlSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {

    // Plain field rather than a @Bean method: @Bean is only honoured on @Configuration
    // classes, so the original's methods simply built a new instance on every request.
    private final MyInvocationSecurityMetadataSource securityMetadataSource =
            new MyInvocationSecurityMetadataSource();

    public JwtUrlSecurityInterceptor() {
        // AbstractSecurityInterceptor has no default AccessDecisionManager; one is mandatory.
        super.setAccessDecisionManager(new MyAccessDecisionManager());
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        FilterInvocation fi = new FilterInvocation(request, response, chain);
        invoke(fi);
    }

    @Override
    public void destroy() {
    }

    @Override
    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        // beforeInvocation() looks up the URL's attributes and calls decide(); it throws
        // AccessDeniedException or an AuthenticationException when the request is not allowed,
        // and ExceptionTranslationFilter upstream turns that into a 401/403.
        InterceptorStatusToken token = super.beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            // Same sequence FilterSecurityInterceptor uses: restore the security context first.
            super.finallyInvocation(token);
        }
        super.afterInvocation(token, null);
    }
}
```
That is a minimal URL permission control setup; hopefully it is of some help in your own work.