问题描述:
我这里的项目使用 Spring Cloud + Thymeleaf + Spring Security，并使用 Thymeleaf 与 Spring Security 整合的标签。网上的解决方法很多，也很简单：sec:authorize="hasRole('ROLE_ADMIN')" 标签可以生效，但是我想控制 button 的显示与隐藏，
sec:authorize-url 却无效。下面说一下解决方法，很简单，只是不容易想到。
解决方法:
1.继承DefaultWebInvocationPrivilegeEvaluator并重写方法
2.将DefaultWebInvocationPrivilegeEvaluator子类在WebSecurityConfigurerAdapter中进行注册
点击参考博客:
源码
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator;
import org.springframework.stereotype.Component;

/**
 * Privilege evaluator bean that backs Thymeleaf's {@code sec:authorize-url} attribute.
 *
 * <p>Both {@code isAllowed} overrides delegate unchanged to
 * {@link DefaultWebInvocationPrivilegeEvaluator}; they are the hook where a project would
 * plug in its own decision. The answer only drives what the view renders: the security
 * interceptor still enforces access on the real request, so hiding a button here is never a
 * substitute for server-side authorization.
 */
@Component
public class CustomWebInvocationPrivilegeEvaluator extends DefaultWebInvocationPrivilegeEvaluator {

    /**
     * @param securityInterceptor the interceptor the default evaluator consults when deciding
     *     whether a URI is accessible
     */
    public CustomWebInvocationPrivilegeEvaluator(AbstractSecurityInterceptor securityInterceptor) {
        super(securityInterceptor);
    }

    /** Delegates to the default evaluator without modification. */
    @Override
    public boolean isAllowed(String uri, Authentication authentication) {
        boolean allowed = super.isAllowed(uri, authentication);
        return allowed;
    }

    /** Delegates to the default evaluator without modification. */
    @Override
    public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
        boolean allowed = super.isAllowed(contextPath, uri, method, authentication);
        return allowed;
    }
}
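import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Web security configuration: OAuth2 SSO login, a custom {@code FilterSecurityInterceptor},
 * session-backed CSRF tokens exposed to the browser through a cookie/header pair, and the
 * registration of the privilege evaluator that makes {@code sec:authorize-url} work.
 */
@Configuration
@EnableOAuth2Sso
@EnableConfigurationProperties(SecuritySettings.class)
@Order(1)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    /** Cookie that carries the CSRF token to page scripts (double-submit pattern). */
    private static final String CSRF_COOKIE_NAME = "XSRF-TOKEN";

    /** Header in which the client must echo the cookie value back on state-changing requests. */
    private static final String CSRF_HEADER_NAME = "X-XSRF-TOKEN";

    @Autowired
    private CustomFilterSecurityInterceptor customFilterSecurityInterceptor;

    @Autowired
    private SecuritySettings settings;

    @Autowired
    private CustomWebInvocationPrivilegeEvaluator webInvocationPrivilegeEvaluator;

    /**
     * Requires authentication for every request, enables CSRF protection with the custom
     * matcher and session repository, installs the token cookie filter, and wires logout and
     * access-denied handling from {@link SecuritySettings}.
     *
     * @param http the builder to configure
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(customFilterSecurityInterceptor, FilterSecurityInterceptor.class)
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .csrf()
                .requireCsrfProtectionMatcher(csrfSecurityRequestMatcher())
                .csrfTokenRepository(csrfTokenRepository())
                .and()
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
            // With CSRF enabled Spring Security by default only accepts logout via POST, so the
            // page must submit the token with the logout request.
            .logout()
                .logoutUrl("/logout")
                .permitAll()
                .logoutSuccessUrl(settings.getLogoutsuccssurl())
                .and()
            .exceptionHandling()
                .accessDeniedPage(settings.getDeniedpage());
    }

    /**
     * Registers the custom privilege evaluator (this is what makes {@code sec:authorize-url}
     * produce results) and excludes static resources from the filter chain.
     *
     * @param web the builder to configure
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Register the evaluator here; without this the Thymeleaf sec:authorize-url attribute
        // has nothing to consult.
        web.privilegeEvaluator(webInvocationPrivilegeEvaluator);
        // Ignored paths bypass the security filter chain entirely (no authentication, no CSRF
        // check, no security headers) — keep this list to genuinely static content.
        web.ignoring().antMatchers("/assets/**", "/styles/**", "/images/**");
    }

    /**
     * Builds the matcher that decides which requests need a CSRF token.
     *
     * <p>The exclusion list is intentionally empty so that every request the matcher covers is
     * protected; add a prefix only for endpoints that are provably safe without a token.
     */
    private CsrfSecurityRequestMatcher csrfSecurityRequestMatcher() {
        CsrfSecurityRequestMatcher csrfSecurityRequestMatcher = new CsrfSecurityRequestMatcher();
        List<String> excludedUrls = new ArrayList<String>();
        csrfSecurityRequestMatcher.setExecludeUrls(excludedUrls);
        return csrfSecurityRequestMatcher;
    }

    /**
     * Filter that copies the current CSRF token into a cookie so browser-side code can send it
     * back in the {@value #CSRF_HEADER_NAME} header.
     */
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain filterChain) throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    Cookie cookie = new Cookie(CSRF_COOKIE_NAME, csrf.getToken());
                    cookie.setPath("/");
                    // The cookie must stay readable by page scripts (no HttpOnly) for the
                    // double-submit pattern, but it must not leak over plain HTTP when the
                    // request itself arrived over TLS.
                    cookie.setSecure(request.isSecure());
                    response.addCookie(cookie);
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    /** Session-backed token repository that reads the token from the {@value #CSRF_HEADER_NAME} header. */
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName(CSRF_HEADER_NAME);
        return repository;
    }
}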