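Spring Security: How FilterSecurityInterceptor Enforces User URL Permissions
This article explains how Spring Security uses FilterSecurityInterceptor to check a user's URL permissions, walking through its source code in detail as a reference for study or work.
The user sends a URL from the browser, and FilterSecurityInterceptor decides whether the user has the corresponding access permission.
Method-level permissions on what the request invokes, for example the annotation @PreAuthorize("hasRole('ADMIN')"), are decided by MethodSecurityInterceptor.
Both interceptors extend AbstractSecurityInterceptor.
The code is as follows: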
/*
 * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.security.web.access.intercept;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;

/**
 * Performs security handling of HTTP resources via a filter implementation.
 * <p>
 * The <code>SecurityMetadataSource</code> required by this security interceptor is of
 * type {@link FilterInvocationSecurityMetadataSource}.
 * <p>
 * Refer to {@link AbstractSecurityInterceptor} for details on the workflow.
 * </p>
 *
 * @author Ben Alex
 * @author Rob Winch
 */
public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements
        Filter {
    // ~ Static fields/initializers
    // =====================================================================================

    private static final String FILTER_APPLIED = "__spring_security_filterSecurityInterceptor_filterApplied";

    // ~ Instance fields
    // ================================================================================================

    /**
     * securityMetadataSource contains a HashMap that stores the Http.Method and the
     * corresponding URL of user requests.
     * For example, in Spring Boot the configuration might look like the following; see Figure 1.
     * For the contents of securityMetadataSource, see Figure 2.
     */
    private FilterInvocationSecurityMetadataSource securityMetadataSource;
    private Boolean observeOncePerRequest = true;

    // ~ Methods
    // ========================================================================================================

    /**
     * Not used (we rely on IoC container lifecycle services instead)
     *
     * @param arg0 ignored
     *
     * @throws ServletException never thrown
     */
    public void init(FilterConfig arg0) throws ServletException {
    }

    /**
     * Not used (we rely on IoC container lifecycle services instead)
     */
    public void destroy() {
    }

    /**
     * Method that is actually called by the filter chain. Simply delegates to the
     * {@link #invoke(FilterInvocation)} method.
     *
     * @param request the servlet request
     * @param response the servlet response
     * @param chain the filter chain
     *
     * @throws IOException if the filter chain fails
     * @throws ServletException if the filter chain fails
     *
     * The doFilter method is executed as part of a chain-of-responsibility call.
     * FilterInvocation holds the filter-related information, such as request, response and chain.
     * The invoke method handles the actual URL filtering.
     */
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        FilterInvocation fi = new FilterInvocation(request, response, chain);
        invoke(fi);
    }

    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource newSource) {
        this.securityMetadataSource = newSource;
    }

    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        // Get the address of the current HTTP request, for example "/login"
        if ((fi.getRequest() != null)
                && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
                && observeOncePerRequest) {
            // filter already applied to this request and user wants us to observe
            // once-per-request handling, so don't re-do security checking
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        }
        else {
            // first time this request being called, so perform security checking
            if (fi.getRequest() != null) {
                fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
            }

            // The main URL comparison happens here: the current URL is compared with the
            // URL filter rules in securityMetadataSource (which we configure ourselves).
            // First, determine whether the current URL is permitted or requires verification.
            // If verification is required, try to load the logged-in information stored in
            // SecurityContextHolder.getContext().
            // Call the decide method of the AccessDecisionManager object in
            // AbstractSecurityInterceptor.
            // If login information has been found for a URL that the configuration only
            // allows after login, execute the next Filter.
            InterceptorStatusToken token = super.beforeInvocation(fi);

            try {
                fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
            }
            finally {
                super.finallyInvocation(token);
            }

            super.afterInvocation(token, null);
        }
    }

    /**
     * Indicates whether once-per-request handling will be observed. By default this is
     * <code>true</code>, meaning the <code>FilterSecurityInterceptor</code> will only
     * execute once-per-request. Sometimes users may wish it to execute more than once per
     * request, such as when JSP forwards are being used and filter security is desired on
     * each included fragment of the HTTP request.
     *
     * @return <code>true</code> (the default) if once-per-request is honoured, otherwise
     * <code>false</code> if <code>FilterSecurityInterceptor</code> will enforce
     * authorizations for each and every fragment of the HTTP request.
     */
    public Boolean isObserveOncePerRequest() {
        return observeOncePerRequest;
    }

    public void setObserveOncePerRequest(Boolean observeOncePerRequest) {
        this.observeOncePerRequest = observeOncePerRequest;
    }
}
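The control flow of invoke() above, reduced to a plain-Java model that runs without Spring (an added example, not code from the original article or from Spring Security). The rule table, the prefix matching and the names UrlAuthorizationModel, RULES and requiredAttribute are assumptions made for illustration; the last loop shows what observeOncePerRequest changes when the same request passes through the check a second time.

```java
import java.util.*;

// Added illustration: a simplified model of invoke(), not Spring Security code.
public class UrlAuthorizationModel {
    static final String FILTER_APPLIED = "__filterApplied"; // hypothetical marker name

    // Ordered rules standing in for securityMetadataSource: the first match wins.
    static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/login", "permitAll");
        RULES.put("/admin/", "ROLE_ADMIN");  // trailing "/" = prefix rule, like "/admin/**"
        RULES.put("/", "authenticated");     // catch-all, so it must stay last
    }

    static String requiredAttribute(String url) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            String pattern = rule.getKey();
            boolean prefix = pattern.endsWith("/") && url.startsWith(pattern);
            if (pattern.equals(url) || prefix) return rule.getValue();
        }
        return null; // no rule configured for this URL
    }

    // Returns true when the request may continue down the filter chain.
    static boolean invoke(Map<String, Object> request, String url,
                          Set<String> authorities, boolean observeOncePerRequest) {
        if (request.get(FILTER_APPLIED) != null && observeOncePerRequest) {
            return true; // already checked for this request, so the check is skipped
        }
        request.put(FILTER_APPLIED, Boolean.TRUE);
        String needed = requiredAttribute(url);
        if (needed == null || needed.equals("permitAll")) return true;
        if (authorities == null) return false; // nobody is logged in
        return needed.equals("authenticated") || authorities.contains(needed);
    }

    public static void main(String[] args) {
        Set<String> user = Collections.singleton("ROLE_USER");
        System.out.println("anonymous /login: " + invoke(new HashMap<>(), "/login", null, true));
        System.out.println("anonymous /profile: " + invoke(new HashMap<>(), "/profile", null, true));
        System.out.println("ROLE_USER /admin/users: " + invoke(new HashMap<>(), "/admin/users", user, true));
        for (boolean once : new boolean[] {true, false}) {
            Map<String, Object> request = new HashMap<>(); // one request, two passes
            invoke(request, "/profile", user, once);
            System.out.println("second pass to /admin/users, once=" + once + ": "
                    + invoke(request, "/admin/users", user, once));
        }
    }
}
```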