sec:authorize-url tag has no effect
2017-07-20 10:18
Problem description:
My project uses Spring Cloud + Thymeleaf + Spring Security, with the Thymeleaf and Spring Security integration tags. There are plenty of solutions online and they are simple: the sec:authorize="hasRole('ROLE_ADMIN')" tag works. But I wanted to control whether a button is shown or hidden, and sec:authorize-url had no effect. The fix is described below; it is simple, just not obvious.
Solution:
1. Extend DefaultWebInvocationPrivilegeEvaluator and override its methods.
2. Register the DefaultWebInvocationPrivilegeEvaluator subclass in the WebSecurityConfigurerAdapter.
Reference blog post:
Source code
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator;
import org.springframework.stereotype.Component;

@Component
public class CustomWebInvocationPrivilegeEvaluator extends DefaultWebInvocationPrivilegeEvaluator {

    // The injected interceptor supplies the rules that isAllowed(...) evaluates.
    public CustomWebInvocationPrivilegeEvaluator(AbstractSecurityInterceptor securityInterceptor) {
        super(securityInterceptor);
    }

    @Override
    public boolean isAllowed(String uri, Authentication authentication) {
        return super.isAllowed(uri, authentication);
    }

    @Override
    public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
        return super.isAllowed(contextPath, uri, method, authentication);
    }
}

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

@Configuration
@EnableOAuth2Sso
@EnableConfigurationProperties(SecuritySettings.class)
@Order(1)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomFilterSecurityInterceptor customFilterSecurityInterceptor;

    @Autowired
    private SecuritySettings settings;

    @Autowired
    private CustomWebInvocationPrivilegeEvaluator webInvocationPrivilegeEvaluator;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(customFilterSecurityInterceptor, FilterSecurityInterceptor.class)
            .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
            .csrf()
                .requireCsrfProtectionMatcher(csrfSecurityRequestMatcher())
                .csrfTokenRepository(csrfTokenRepository())
                .and()
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
            .logout()
                .logoutUrl("/logout")
                .permitAll()
                .logoutSuccessUrl(settings.getLogoutsuccssurl())
                .and()
            .exceptionHandling()
                .accessDeniedPage(settings.getDeniedpage());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        //web.securityInterceptor(customFilterSecurityInterceptor);
        web.privilegeEvaluator(webInvocationPrivilegeEvaluator); // register the evaluator here
        web.ignoring().antMatchers("/assets/**", "/styles/**", "/images/**");
    }

    private CsrfSecurityRequestMatcher csrfSecurityRequestMatcher() {
        CsrfSecurityRequestMatcher csrfSecurityRequestMatcher = new CsrfSecurityRequestMatcher();
        List<String> list = new ArrayList<String>();
        // always intercepted here
        //list.add("/assets/");
        //list.add("/styles/");
        //list.add("/");
        csrfSecurityRequestMatcher.setExecludeUrls(list);
        return csrfSecurityRequestMatcher;
    }

    // Copies the CSRF token into an XSRF-TOKEN cookie on every request.
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain filterChain) throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    Cookie cookie = new Cookie("XSRF-TOKEN", csrf.getToken());
                    cookie.setPath("/");
                    response.addCookie(cookie);
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    // Stores the token in the HTTP session and reads it back from the X-XSRF-TOKEN header.
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }
}
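
How the tag is used in a template once the evaluator is registered, as an added example that is not from the original post. The /admin/... paths, the `user` model attribute and the springsecurity4 namespace URI are assumptions.

```html
<!DOCTYPE html>
<!-- Constructed example: paths and the "user" model attribute are hypothetical. -->
<html xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<body>

  <!-- No method prefix: the URL is checked as a GET request. -->
  <a sec:authorize-url="/admin/user/list"
     th:href="@{/admin/user/list}">User list</a>

  <!-- "METHOD url" form: the method and URL are passed to
       isAllowed(contextPath, uri, method, authentication). -->
  <form sec:authorize-url="POST /admin/user/delete"
        th:action="@{/admin/user/delete}" method="post">
    <input type="hidden" name="id" th:value="${user.id}"/>
    <button type="submit">Delete user</button>
  </form>

  <!-- Role-based variant that the post reports as already working. -->
  <button type="button" sec:authorize="hasRole('ROLE_ADMIN')">Admin only</button>

</body>
</html>
```

The tag only decides whether the element is rendered. Requests to those URLs are still authorized on the server by the filter chain, so the rules behind the evaluator and the interceptor should be the same ones.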