Spring Security如何使用URL地址进行权限控制

Spring Security如何使用URL地址进行权限控制

这篇文章主要介绍了Spring Security如何使用URL地址进行权限控制,文中通过示例代码介绍的非常详细，对大家的学习或者工作具有一定的参考学习价值,需要的朋友可以参考下

目的是：系统内存在很多不同的用户，每个用户具有不同的资源访问权限，具体表现就是某个用户对于某个URL是无权限访问的。需要Spring Security忙我们过滤。

FilterSecurityInterceptor是Spring Security进行URL权限判断的，FilterSecurityInterceptor又继承于AbstractSecurityInterceptor，由此可推测，我们可以新增一个Interceptor继承AbstractSecurityInterceptor，实现我们自己的权限校验逻辑。

查看父类及其代码逻辑，有几点必须要注意：

1、主要鉴权方法是调用父类中accessDecisionManager的decide值，所以我们需要自己实现一个accessDecisionManager

2、父类中存在抽象方法public abstract SecurityMetadataSource obtainSecurityMetadataSource();作用是获取URL及用户角色对应的关系。我们需要加入自己的实现。

以下是部分代码实现

主要拦截器JwtUrlSecurityInterceptor，需要在WebSecurityConfig(Spring Security配置)文件中注册

//这个拦截器用来实现按照用户权限，对所请求的url进行拦截

@Bean

public JwtUrlSecurityInterceptor jwtUrlSecurityInterceptorBean() throws Exception{

return new JwtUrlSecurityInterceptoqLGJWlMRlUr();

}

@Override

protected void configure(HttpSecurity httpSecurity) throws Exception {

...

httpSecurity.addFilterBefore(jwtUrlSecurityInterceptorBean(), FilterSecurityInterceptor.class);

...

}

实现自定义的accessDecisionManager

package org.zerhusen.security.dsuri;

import org.springframework.security.access.AccessDecisionManager;

import org.springframework.security.access.AccessDeniedException;

import org.springframework.security.access.ConfigAttribute;

import org.springframework.security.authentication.InsufficientAuthenticationException;

import org.springframework.security.core.Authentication;

import java.util.Collection;

/**

* Created by dingshuo on 2017/6/28.

*/

public class MyAccessDecisionManager implements AccessDecisionManager {

@Override

public void decide(Authentication authentication, Object object, Collection configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {

System.out.println("自定义的接口");

throw new AccessDeniedException("no right");

}

@Override

public Boolean supports(ConfigAttribute attribute) {

return true;

}

@Override

public Boolean supports(Class> clazz) {

return true;

}

}

实现自定义的资源SecurityMetadataSource

package org.zerhusen.security.dsuri;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.security.access.ConfigAttribute;

import org.springframework.security.access.SecurityConfig;

import org.springframework.security.web.FilterInvocation;

import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

import java.util.*;

/**

* Created by dingshuo on 2017/6/28.

*/

public class MyInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

private static Map> resourceMap = null;

@Autowired

UrlMatcher urlMatcher;

public MyInvocationSecurityMetadataSource() {

//这里可以查数据库实现

//注入dao即可

resourceMap = new HashMap>();

Collection atts = new ArrayList();

ConfigAttribute ca = new SecurityConfig("ROLE_USER1");

atts.add(ca);

resourceMap.put("/index.jsp", atts);

Collection attsno =new ArrayList();

ConfigAttribute cano = new SecurityConfig("ROLE_NO");

attsno.add(cano);

resourceMap.put("/other.jsp", attsno);

}

@Override

public Collection getAttributes(Object object) throws IllegalArgumentException {

String url = ((FilterInvocation)object).getRequestUrl();

Iterator ite = resourceMap.keySet().iterator();

while (ite.hasNext()) {

String resURL = ite.next();

if (url.equals("/protected")) {

return resourceMap.get(resURL);

}

}

return null;

}

@Override

public Collection getAllConfigAttributes() {

return null;

}

@Override

public Boolean supports(Class> clazz) {

return true;

}

}

实现JwtUrlSecurityInterceptor

package org.zerhusen.security.dsuri;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.context.annotation.Bean;

import org.springframework.security.access.AccessDecisionManager;

import org.springframework.security.access.SecurityMetadataSource;

import org.springframework.security.access.intercept.AbstractSecurityInterceptor;

import org.springframework.security.access.intercept.InterceptorStatusToken;

import org.springframework.security.authentication.AuthenticationManager;

import org.springframework.security.web.FilterInvocation;

import javax.servlet.*;

import java.io.IOException;

/**

* Created by dingshuo on 2017/6/28.

*/

public class JwtUrlSecurityInterceptor extends AbstractSecurityInterceptor implements

Filter {

@Autowired

public void setMyAccessDecisionManager(){

super.setAccessDecisionManager(myAccessDecisionManagerBean());

}

@Bean

public MyAccessDecisionManager myAccessDecisionManagerBean(){

return new MyAccessDecisionManager();

}

@Bean

public MyInvocationSecurityMetadataSource myInvocationSecurityMetadataSourceBean(){

return new MyInvocationSecurityMetadataSource();

}

@Override

public void init(FilterConfig filterConfig) throws ServletException {

}

@Override

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

FilterInvocation fi = new FilterInvocation(request, response, chain);

invoke(fi);

}

@Override

public void destroy() {

}

@Override

public Class> getSecureObjectClass() {

return FilterInvocation.class;

}

@Override

public SecurityMetadataSource obtainSecurityMetadataSource() {

return this.myInvocationSecurityMetadataSourceBean();

}

public void invoke(FilterInvocation fi) throws IOException, ServletException {

InterceptorStatusToken token = super.beforeInvocation(fi);

try {

fi.getChain().doFilter(fi.getRequest(), fi.getResponse());

}

finally {

super.afterInvocation(token, null);

}

}

}

如上是简单的URL权限控制

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。