这篇文章主要介绍了Spring Security使用URL地址进行权限控制的方法,具有一定借鉴价值,感兴趣的朋友可以参考下,希望大家阅读完这篇文章之后大有收获,下面让小编带着大家一起了解一下。
创新互联是一家专业提供三穗企业网站建设,专注与成都网站设计、成都网站制作、H5场景定制、小程序制作等业务。10年已为三穗众多企业、政府机构等服务。创新互联专业的建站公司优惠进行中。
目的是:系统内存在很多不同的用户,每个用户具有不同的资源访问权限,具体表现就是某个用户对于某个URL是无权限访问的。需要Spring Security忙我们过滤。
FilterSecurityInterceptor是Spring Security进行URL权限判断的,FilterSecurityInterceptor又继承于AbstractSecurityInterceptor,由此可推测,我们可以新增一个Interceptor继承AbstractSecurityInterceptor,实现我们自己的权限校验逻辑。
查看父类及其代码逻辑,有几点必须要注意:
1、主要鉴权方法是调用父类中accessDecisionManager的decide值,所以我们需要自己实现一个accessDecisionManager
2、父类中存在抽象方法public abstract SecurityMetadataSource obtainSecurityMetadataSource();作用是获取URL及用户角色对应的关系。我们需要加入自己的实现。
以下是部分代码实现
主要拦截器JwtUrlSecurityInterceptor,需要在WebSecurityConfig(Spring Security配置)文件中注册
//这个拦截器用来实现按照用户权限,对所请求的url进行拦截 @Bean public JwtUrlSecurityInterceptor jwtUrlSecurityInterceptorBean() throws Exception{ return new JwtUrlSecurityInterceptor(); } @Override protected void configure(HttpSecurity httpSecurity) throws Exception { ... httpSecurity.addFilterBefore(jwtUrlSecurityInterceptorBean(), FilterSecurityInterceptor.class); ... }
实现自定义的accessDecisionManager
package org.zerhusen.security.dsuri; import org.springframework.security.access.AccessDecisionManager; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.authentication.InsufficientAuthenticationException; import org.springframework.security.core.Authentication; import java.util.Collection; /** * Created by dingshuo on 2017/6/28. */ public class MyAccessDecisionManager implements AccessDecisionManager { @Override public void decide(Authentication authentication, Object object, CollectionconfigAttributes) throws AccessDeniedException, InsufficientAuthenticationException { System.out.println("自定义的接口"); throw new AccessDeniedException("no right"); } @Override public Boolean supports(ConfigAttribute attribute) { return true; } @Override public Boolean supports(Class> clazz) { return true; } }
实现自定义的资源SecurityMetadataSource
package org.zerhusen.security.dsuri; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; import java.util.*; /** * Created by dingshuo on 2017/6/28. */ public class MyInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource { private static Map> resourceMap = null; @Autowired UrlMatcher urlMatcher; public MyInvocationSecurityMetadataSource() { //这里可以查数据库实现 //注入dao即可 resourceMap = new HashMap >(); Collection atts = new ArrayList (); ConfigAttribute ca = new SecurityConfig("ROLE_USER1"); atts.add(ca); resourceMap.put("/index.jsp", atts); Collection attsno =new ArrayList (); ConfigAttribute cano = new SecurityConfig("ROLE_NO"); attsno.add(cano); resourceMap.put("/other.jsp", attsno); } @Override public Collection getAttributes(Object object) throws IllegalArgumentException { String url = ((FilterInvocation)object).getRequestUrl(); Iterator ite = resourceMap.keySet().iterator(); while (ite.hasNext()) { String resURL = ite.next(); if (url.equals("/protected")) { return resourceMap.get(resURL); } } return null; } @Override public Collection getAllConfigAttributes() { return null; } @Override public Boolean supports(Class> clazz) { return true; } }
实现JwtUrlSecurityInterceptor
package org.zerhusen.security.dsuri; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.security.access.AccessDecisionManager; import org.springframework.security.access.SecurityMetadataSource; import org.springframework.security.access.intercept.AbstractSecurityInterceptor; import org.springframework.security.access.intercept.InterceptorStatusToken; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.web.FilterInvocation; import javax.servlet.*; import java.io.IOException; /** * Created by dingshuo on 2017/6/28. */ public class JwtUrlSecurityInterceptor extends AbstractSecurityInterceptor implements Filter { @Autowired public void setMyAccessDecisionManager(){ super.setAccessDecisionManager(myAccessDecisionManagerBean()); } @Bean public MyAccessDecisionManager myAccessDecisionManagerBean(){ return new MyAccessDecisionManager(); } @Bean public MyInvocationSecurityMetadataSource myInvocationSecurityMetadataSourceBean(){ return new MyInvocationSecurityMetadataSource(); } @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { FilterInvocation fi = new FilterInvocation(request, response, chain); invoke(fi); } @Override public void destroy() { } @Override public Class> getSecureObjectClass() { return FilterInvocation.class; } @Override public SecurityMetadataSource obtainSecurityMetadataSource() { return this.myInvocationSecurityMetadataSourceBean(); } public void invoke(FilterInvocation fi) throws IOException, ServletException { InterceptorStatusToken token = super.beforeInvocation(fi); try { fi.getChain().doFilter(fi.getRequest(), fi.getResponse()); } finally { super.afterInvocation(token, null); } } }
如上是简单的URL权限控制
感谢你能够认真阅读完这篇文章,希望小编分享的“Spring Security使用URL地址进行权限控制的方法”这篇文章对大家有帮助,同时也希望大家多多支持创新互联,关注创新互联行业资讯频道,更多相关知识等着你来学习!
售后响应及时
7×24小时客服热线数据备份
更安全、更高效、更稳定价格公道精准
项目经理精准报价不弄虚作假合作无风险
重合同讲信誉,无效全额退款