Spring Security如何使用URL地址进行权限控制

这篇文章主要介绍了Spring Security如何使用URL地址进行权限控制,文中通过示例代码介绍的非常详细，对大家的学习或者工作具有一定的参考学习价值,需要的朋友可以参考下

目的是：系统内存在很多不同的用户，每个用户具有不同的资源访问权限，具体表现就是某个用户对于某个URL是无权限访问的。需要Spring Security忙我们过滤。

FilterSecurityInterceptor是Spring Security进行URL权限判断的，FilterSecurityInterceptor又继承于AbstractSecurityInterceptor，由此可推测，我们可以新增一个Interceptor继承AbstractSecurityInterceptor，实现我们自己的权限校验逻辑。

查看父类及其代码逻辑，有几点必须要注意：

1、主要鉴权方法是调用父类中accessDecisionManager的decide值，所以我们需要自己实现一个accessDecisionManager

2、父类中存在抽象方法public abstract SecurityMetadataSource obtainSecurityMetadataSource();作用是获取URL及用户角色对应的关系。我们需要加入自己的实现。

以下是部分代码实现

主要拦截器JwtUrlSecurityInterceptor，需要在WebSecurityConfig(Spring Security配置)文件中注册

//这个拦截器用来实现按照用户权限，对所请求的url进行拦截
@Bean
public JwtUrlSecurityInterceptor jwtUrlSecurityInterceptorBean() throws Exception{
return new JwtUrlSecurityInterceptor();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
...
httpSecurity.addFilterBefore(jwtUrlSecurityInterceptorBean(), FilterSecurityInterceptor.class);
...
}

实现自定义的accessDecisionManager

package org.zerhusen.security.dsuri;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import java.util.Collection;
/**
* Created by dingshuo on 2017/6/28.
*/
public class MyAccessDecisionManager implements AccessDecisionManager {
@Override
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
System.out.println("自定义的接口");
throw new AccessDeniedException("no right");
}
@Override
public Boolean supports(ConfigAttribute attribute) {
return true;
}
@Override
public Boolean supports(Class<?> clazz) {
return true;
}
}

实现自定义的资源SecurityMetadataSource

package org.zerhusen.security.dsuri;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import java.util.*;
/**
* Created by dingshuo on 2017/6/28.
*/
public class MyInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
private static Map<String, Collection<ConfigAttribute>> resourceMap = null;
@Autowired
UrlMatcher urlMatcher;
public MyInvocationSecurityMetadataSource() {
//这里可以查数据库实现
//注入dao即可
resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
ConfigAttribute ca = new SecurityConfig("ROLE_USER1");
atts.add(ca);
resourceMap.put("/index.jsp", atts);
Collection<ConfigAttribute> attsno =new ArrayList<ConfigAttribute>();
ConfigAttribute cano = new SecurityConfig("ROLE_NO");
attsno.add(cano);
resourceMap.put("/other.jsp", attsno);
}
@Override
public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
String url = ((FilterInvocation)object).getRequestUrl();
Iterator<String> ite = resourceMap.keySet().iterator();
while (ite.hasNext()) {
String resURL = ite.next();
if (url.equals("/protected")) {
return resourceMap.get(resURL);
}
}
return null;
}
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}
@Override
public Boolean supports(Class<?> clazz) {
return true;
}
}

实现JwtUrlSecurityInterceptor

package org.zerhusen.security.dsuri;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.web.FilterInvocation;
import javax.servlet.*;
import java.io.IOException;
/**
* Created by dingshuo on 2017/6/28.
*/
public class JwtUrlSecurityInterceptor extends AbstractSecurityInterceptor implements
Filter {
@Autowired
public void setMyAccessDecisionManager(){
super.setAccessDecisionManager(myAccessDecisionManagerBean());
}
@Bean
public MyAccessDecisionManager myAccessDecisionManagerBean(){
return new MyAccessDecisionManager();
}
@Bean
public MyInvocationSecurityMetadataSource myInvocationSecurityMetadataSourceBean(){
return new MyInvocationSecurityMetadataSource();
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
FilterInvocation fi = new FilterInvocation(request, response, chain);
invoke(fi);
}
@Override
public void destroy() {
}
@Override
public Class<?> getSecureObjectClass() {
return FilterInvocation.class;
}
@Override
public SecurityMetadataSource obtainSecurityMetadataSource() {
return this.myInvocationSecurityMetadataSourceBean();
}
public void invoke(FilterInvocation fi) throws IOException, ServletException {
InterceptorStatusToken token = super.beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
}
finally {
super.afterInvocation(token, null);
}
}
}

如上是简单的URL权限控制

以上就是本文的全部内容，希望对大家的学习有所帮助

您可能感兴趣的文章:

• Spring Security代码实现JWT接口权限授予与校验功能
• SpringBoot+Spring Security+JWT实现RESTful Api权限控制的方法
• SpringBoot+Vue前后端分离，使用SpringSecurity完美处理权限问题的解决方法
• Spring Boot中使用 Spring Security 构建权限系统的示例代码
• 话说Spring Security权限管理（源码详解）
• java中自定义Spring Security权限控制管理示例（实战篇）
• Spring security实现权限管理示例
• Spring security实现登陆和权限角色控制
• Spring security用户URL权限FilterSecurityInterceptor使用解析