
sec:authorize-url标签不生效问题

问题描述:

        我这里的项目使用 spring cloud + thymeleaf + spring security,并使用 thymeleaf 与 spring security 整合的标签。网上的解决方法很多,也很简单:sec:authorize="hasRole('ROLE_ADMIN')" 标签可以生效,但是当我想控制 button 的显示与隐藏时,

sec:authorize-url 却无效。下面说一下解决方法,很简单,只是想不到。

解决方法:

1.继承DefaultWebInvocationPrivilegeEvaluator并重写方法

2.将DefaultWebInvocationPrivilegeEvaluator子类在WebSecurityConfigurerAdapter中进行注册

点击参考博客

源码

import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator;
import org.springframework.stereotype.Component;

/**
 * Privilege evaluator bean that is registered with {@code WebSecurity} so the
 * Thymeleaf {@code sec:authorize-url} attribute can ask Spring Security whether
 * the current user may reach a given URL.
 *
 * <p>Both {@code isAllowed} overrides delegate straight to
 * {@link DefaultWebInvocationPrivilegeEvaluator}; they are kept as the place to
 * hook in custom URL checks later and do not change any decision today.
 */
@Component
public class CustomWebInvocationPrivilegeEvaluator extends DefaultWebInvocationPrivilegeEvaluator {

    /**
     * @param securityInterceptor the interceptor the parent evaluator consults
     *        when deciding whether a URL is allowed
     */
    public CustomWebInvocationPrivilegeEvaluator(AbstractSecurityInterceptor securityInterceptor) {
        super(securityInterceptor);
    }

    /**
     * {@inheritDoc}
     *
     * <p>Delegates to the default implementation without modification.
     */
    @Override
    public boolean isAllowed(String uri, Authentication authentication) {
        final boolean allowed = super.isAllowed(uri, authentication);
        return allowed;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Delegates to the default implementation without modification.
     */
    @Override
    public boolean isAllowed(String contextPath, String uri, String method,
            Authentication authentication) {
        final boolean allowed = super.isAllowed(contextPath, uri, method, authentication);
        return allowed;
    }
}

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

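/**
 * Web security configuration for the OAuth2-SSO protected UI.
 *
 * <p>It (1) installs {@code customFilterSecurityInterceptor} ahead of Spring's own
 * {@link FilterSecurityInterceptor}, (2) requires authentication for every request,
 * (3) enables CSRF protection using an {@code XSRF-TOKEN} cookie that the client
 * echoes back in the {@code X-XSRF-TOKEN} header, and (4) registers
 * {@link CustomWebInvocationPrivilegeEvaluator} so that the Thymeleaf
 * {@code sec:authorize-url} attribute is evaluated against this configuration.
 */
@Configuration
@EnableOAuth2Sso
@EnableConfigurationProperties(SecuritySettings.class)
@Order(1)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomFilterSecurityInterceptor customFilterSecurityInterceptor;
    @Autowired
    private SecuritySettings settings;
    @Autowired
    private CustomWebInvocationPrivilegeEvaluator webInvocationPrivilegeEvaluator;

    /**
     * Builds the HTTP filter chain: custom interceptor, "everything authenticated",
     * CSRF with cookie/header token exchange, logout and access-denied handling.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(customFilterSecurityInterceptor, FilterSecurityInterceptor.class)
            .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
            .csrf()
                // The matcher's exclude list is empty (see csrfSecurityRequestMatcher),
                // so no URL is exempted from the CSRF check here.
                .requireCsrfProtectionMatcher(csrfSecurityRequestMatcher())
                .csrfTokenRepository(csrfTokenRepository())
                .and()
            // Must run after CsrfFilter: that filter populates the CsrfToken request
            // attribute which csrfHeaderFilter copies into the cookie.
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
            .logout()
                .logoutUrl("/logout")
                .permitAll()
                .logoutSuccessUrl(settings.getLogoutsuccssurl())
                .and()
            .exceptionHandling()
                .accessDeniedPage(settings.getDeniedpage());
    }

    /**
     * Registers the privilege evaluator used by {@code sec:authorize-url} and
     * excludes static resources from the security filter chain.
     *
     * <p>Paths matched by {@code ignoring()} bypass the whole filter chain, i.e. they
     * receive neither authentication nor CSRF handling — keep the list limited to
     * genuinely public static assets.
     *
     * @param web the builder supplied by Spring Security
     * @throws Exception propagated from the {@link WebSecurity} builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // web.securityInterceptor(customFilterSecurityInterceptor);
        // This registration is what makes sec:authorize-url work in the templates.
        web.privilegeEvaluator(webInvocationPrivilegeEvaluator);
        web.ignoring().antMatchers("/assets/**", "/styles/**", "/images/**");
    }

    /**
     * Creates the request matcher that decides which requests need a CSRF token.
     *
     * <p>The exclude list is intentionally empty, so nothing is exempted. Add paths
     * here (for example {@code "/assets/"}) only for endpoints that genuinely must
     * be callable without a token.
     *
     * @return the matcher handed to {@code requireCsrfProtectionMatcher}
     */
    private CsrfSecurityRequestMatcher csrfSecurityRequestMatcher() {
        CsrfSecurityRequestMatcher matcher = new CsrfSecurityRequestMatcher();
        List<String> excludedUrls = new ArrayList<>();
        matcher.setExecludeUrls(excludedUrls);
        return matcher;
    }

    /**
     * Returns a filter that exposes the current CSRF token to the browser as an
     * {@code XSRF-TOKEN} cookie (double-submit pattern: client script reads the
     * cookie and sends it back in the {@code X-XSRF-TOKEN} header configured in
     * {@link #csrfTokenRepository()}).
     *
     * <p>The cookie is deliberately not {@code HttpOnly} — client script has to read
     * it. It is marked {@code Secure} whenever the request arrived over TLS so that
     * it is not sent over plain HTTP; behind a TLS-terminating proxy this relies on
     * forwarded-header handling making {@code request.isSecure()} true.
     *
     * @return the filter registered after {@link CsrfFilter}
     */
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                    FilterChain filterChain) throws ServletException, IOException {
                // Populated by CsrfFilter, which runs before this filter.
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    Cookie cookie = new Cookie("XSRF-TOKEN", csrf.getToken());
                    cookie.setPath("/");
                    // Keep the token off plain-HTTP connections when the request was HTTPS.
                    cookie.setSecure(request.isSecure());
                    response.addCookie(cookie);
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    /**
     * Session-backed CSRF token repository that expects the token in the
     * {@code X-XSRF-TOKEN} header rather than a form parameter.
     *
     * @return the repository handed to {@code csrfTokenRepository}
     */
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }
}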




                                            