spring security url动态授权

已于 2022-09-19 15:49:40 修改
阅读量511 收藏
点赞数 1
分类专栏: spring security 文章标签: spring security
于 2022-09-18 14:53:33 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_43931625/article/details/126917739
版权

spring security url动态授权

        

官网:https://docs.spring.io/spring-security/reference/servlet/appendix/faq.html#appendix-faq-dynamic-url-metadata

                        

                                        

引入jar包

              

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.3</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        ...
    </dependencies>

    ...

</project>

       

            

                                        

动态数据源

              

FilterInvocationSecurityMetadataSource:获取数据源

public interface FilterInvocationSecurityMetadataSource extends SecurityMetadataSource {
}

           

SecurityMetadataSource

public interface SecurityMetadataSource extends AopInfrastructureBean {
    Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException;
                                //获取object对应的权限

    Collection<ConfigAttribute> getAllConfigAttributes();

    boolean supports(Class<?> clazz);
}

            

ConfigAttribute:权限属性

public interface ConfigAttribute extends Serializable {
    String getAttribute();
}

             

             

 SecurityConfig:attrib可用来设置权限值(admin、user等)

public class SecurityConfig implements ConfigAttribute {
    private final String attrib;

    public SecurityConfig(String config) {
        Assert.hasText(config, "You must provide a configuration attribute");
        this.attrib = config;
    }

    public boolean equals(Object obj) {
        if (obj instanceof ConfigAttribute) {
            ConfigAttribute attr = (ConfigAttribute)obj;
            return this.attrib.equals(attr.getAttribute());
        } else {
            return false;
        }
    }

    public String getAttribute() {
        return this.attrib;
    }

    public int hashCode() {
        return this.attrib.hashCode();
    }

    public String toString() {
        return this.attrib;
    }

    public static List<ConfigAttribute> createListFromCommaDelimitedString(String access) {
        return createList(StringUtils.commaDelimitedListToStringArray(access));
    }

    public static List<ConfigAttribute> createList(String... attributeNames) {
        Assert.notNull(attributeNames, "You must supply an array of attribute names");
        List<ConfigAttribute> attributes = new ArrayList(attributeNames.length);
        String[] var2 = attributeNames;
        int var3 = attributeNames.length;

        for(int var4 = 0; var4 < var3; ++var4) {
            String attribute = var2[var4];
            attributes.add(new SecurityConfig(attribute.trim()));
        }

        return attributes;
    }
}

                

                     

                                        

权限拦截器

            

AbstractSecurityInterceptor

public abstract class AbstractSecurityInterceptor implements InitializingBean, ApplicationEventPublisherAware, MessageSourceAware {
    protected final Log logger = LogFactory.getLog(this.getClass());
    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
    private ApplicationEventPublisher eventPublisher;
    private AccessDecisionManager accessDecisionManager;
    private AfterInvocationManager afterInvocationManager;
    private AuthenticationManager authenticationManager = new AbstractSecurityInterceptor.NoOpAuthenticationManager();
    private RunAsManager runAsManager = new NullRunAsManager();
    private boolean alwaysReauthenticate = false;
    private boolean rejectPublicInvocations = false;
    private boolean validateConfigAttributes = true;
    private boolean publishAuthorizationSuccess = false;

    public AbstractSecurityInterceptor() {
    }


    public void afterPropertiesSet() {
    public void setRunAsManager(RunAsManager runAsManager) {
    public void setMessageSource(MessageSource messageSource) {
    public void setAlwaysReauthenticate(boolean alwaysReauthenticate) {
    public void setAuthenticationManager(AuthenticationManager newManager) {
    public void setRejectPublicInvocations(boolean rejectPublicInvocations) {
    public void setValidateConfigAttributes(boolean validateConfigAttributes) {
    public void setPublishAuthorizationSuccess(boolean publishAuthorizationSuccess) {
    public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager) {
    public void setAfterInvocationManager(AfterInvocationManager afterInvocationManager) {
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {


    public boolean isAlwaysReauthenticate() {
    public boolean isRejectPublicInvocations() {
    public boolean isValidateConfigAttributes() {

    public AccessDecisionManager getAccessDecisionManager() {
    public AfterInvocationManager getAfterInvocationManager() {
    public AuthenticationManager getAuthenticationManager() {
    public RunAsManager getRunAsManager() {


    public abstract Class<?> getSecureObjectClass();
    public abstract SecurityMetadataSource obtainSecurityMetadataSource();

    protected void finallyInvocation(InterceptorStatusToken token) {
    protected InterceptorStatusToken beforeInvocation(Object object) {
    protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {


    private Authentication authenticateIfRequired() {
    private void publishEvent(ApplicationEvent event) {
    private void validateAttributeDefs(Collection<ConfigAttribute> attributeDefs) {
    private void attemptAuthorization(Object object, Collection<ConfigAttribute> attributes, Authentication authenticated) {
    private void credentialsNotFound(String reason, Object secureObject, Collection<ConfigAttribute> configAttribs) {


*********
静态内部类:NoOpAuthenticationManager

    private static class NoOpAuthenticationManager implements AuthenticationManager {
        private NoOpAuthenticationManager() {
        }

        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            throw new AuthenticationServiceException("Cannot authenticate " + authentication);
        }
    }
}

             

           

FilterSecurityInterceptor

public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
    private static final String FILTER_APPLIED = "__spring_security_filterSecurityInterceptor_filterApplied";
    private FilterInvocationSecurityMetadataSource securityMetadataSource;
    private boolean observeOncePerRequest = true;

    public FilterSecurityInterceptor() {
    }

    public void init(FilterConfig arg0) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        this.invoke(new FilterInvocation(request, response, chain));
    }

    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource newSource) {
        this.securityMetadataSource = newSource;
    }

    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    public void invoke(FilterInvocation filterInvocation) throws IOException, ServletException {
        if (this.isApplied(filterInvocation) && this.observeOncePerRequest) {
            filterInvocation.getChain().doFilter(filterInvocation.getRequest(), filterInvocation.getResponse());
        } else {
            if (filterInvocation.getRequest() != null && this.observeOncePerRequest) {
                filterInvocation.getRequest().setAttribute("__spring_security_filterSecurityInterceptor_filterApplied", Boolean.TRUE);
            }

            InterceptorStatusToken token = super.beforeInvocation(filterInvocation);

            try {
                filterInvocation.getChain().doFilter(filterInvocation.getRequest(), filterInvocation.getResponse());
            } finally {
                super.finallyInvocation(token);
            }

            super.afterInvocation(token, (Object)null);
        }
    }

    private boolean isApplied(FilterInvocation filterInvocation) {
        return filterInvocation.getRequest() != null && filterInvocation.getRequest().getAttribute("__spring_security_filterSecurityInterceptor_filterApplied") != null;
    }

    public boolean isObserveOncePerRequest() {
        return this.observeOncePerRequest;
    }

    public void setObserveOncePerRequest(boolean observeOncePerRequest) {
        this.observeOncePerRequest = observeOncePerRequest;
    }
}

           

                          

                                        

认证管理器

            

AccessDecisionManager

public interface AccessDecisionManager {
    void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException;

    boolean supports(ConfigAttribute attribute);

    boolean supports(Class<?> clazz);
}

             

AbstractAccessDecisionManager

public abstract class AbstractAccessDecisionManager implements AccessDecisionManager, InitializingBean, MessageSourceAware {
    protected final Log logger = LogFactory.getLog(this.getClass());
    private List<AccessDecisionVoter<?>> decisionVoters;
    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
    private boolean allowIfAllAbstainDecisions = false;


    public boolean supports(ConfigAttribute attribute) {
        Iterator var2 = this.decisionVoters.iterator();

        AccessDecisionVoter voter;
        do {
            if (!var2.hasNext()) {
                return false;
            }

            voter = (AccessDecisionVoter)var2.next();
        } while(!voter.supports(attribute));

        return true;
    }

    public boolean supports(Class<?> clazz) {
        Iterator var2 = this.decisionVoters.iterator();

        AccessDecisionVoter voter;
        do {
            if (!var2.hasNext()) {
                return true;
            }

            voter = (AccessDecisionVoter)var2.next();
        } while(voter.supports(clazz));

        return false;
    }


    public void setMessageSource(MessageSource messageSource) {
    public void setAllowIfAllAbstainDecisions(boolean allowIfAllAbstainDecisions) {

    public List<AccessDecisionVoter<?>> getDecisionVoters() {
    public boolean isAllowIfAllAbstainDecisions() {

    public String toString() {
    public void afterPropertiesSet() {

    protected final void checkAllowIfAllAbstainDecisions() {
    protected AbstractAccessDecisionManager(List<AccessDecisionVoter<?>> decisionVoters) {

             

                

AffirmativedBased

public class AffirmativeBased extends AbstractAccessDecisionManager {
    public AffirmativeBased(List<AccessDecisionVoter<?>> decisionVoters) {
        super(decisionVoters);
    }

    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException {
        int deny = 0;
        Iterator var5 = this.getDecisionVoters().iterator();

        while(var5.hasNext()) {
            AccessDecisionVoter voter = (AccessDecisionVoter)var5.next();
            int result = voter.vote(authentication, object, configAttributes);
            switch(result) {
            case -1:
                ++deny;
                break;
            case 1:
                return;
            }
        }

        if (deny > 0) {
            throw new AccessDeniedException(this.messages.getMessage("AbstractAccessDecisionManager.accessDenied", "Access is denied"));
        } else {
            this.checkAllowIfAllAbstainDecisions();
        }
    }
}

             

AccessDecisionVoter

public interface AccessDecisionVoter<S> {
    int ACCESS_GRANTED = 1;
    int ACCESS_ABSTAIN = 0;
    int ACCESS_DENIED = -1;

    boolean supports(ConfigAttribute attribute);

    boolean supports(Class<?> clazz);

    int vote(Authentication authentication, S object, Collection<ConfigAttribute> attributes);
}

             

          

 RoleVoter:根据权限判断是否让请求通过

public class RoleVoter implements AccessDecisionVoter<Object> {
    private String rolePrefix = "ROLE_";

    public RoleVoter() {
    }

    public String getRolePrefix() {
        return this.rolePrefix;
    }

    public void setRolePrefix(String rolePrefix) {
        this.rolePrefix = rolePrefix;
    }

    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null && attribute.getAttribute().startsWith(this.getRolePrefix());
    }

    public boolean supports(Class<?> clazz) {
        return true;
    }

    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        if (authentication == null) {
            return -1;
        } else {
            int result = 0;
            Collection<? extends GrantedAuthority> authorities = this.extractAuthorities(authentication);
            Iterator var6 = attributes.iterator();

            while(true) {
                ConfigAttribute attribute;
                do {
                    if (!var6.hasNext()) {
                        return result;
                    }

                    attribute = (ConfigAttribute)var6.next();
                } while(!this.supports(attribute));

                result = -1;
                Iterator var8 = authorities.iterator();

                while(var8.hasNext()) {
                    GrantedAuthority authority = (GrantedAuthority)var8.next();
                    if (attribute.getAttribute().equals(authority.getAuthority())) {
                        return 1;
                    }
                }
            }
        }
    }

    Collection<? extends GrantedAuthority> extractAuthorities(Authentication authentication) {
        return authentication.getAuthorities();
    }
}

         

             

                                        

使用示例

            

                            

         

AuthorityDto

@Data
public class AuthorityDto {

    private String path;
    private List<String> authorities;
}

          

SecurityDataSourceUtil

public class SecurityDataSourceUtil {

    public static Map<String, Collection<ConfigAttribute>> requestAuthoritiesMap = new HashMap<>();

    public static void setAuthorities(String path, Collection<ConfigAttribute> configAttributes){
        requestAuthoritiesMap.put(path, configAttributes);
    }

    public static Collection<ConfigAttribute> getAuthorities(String path){
        return requestAuthoritiesMap.get(path);
    }
}

           

CustomFilterSecurityMetadataSource

@Component
public class CustomFilterSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Set<ConfigAttribute> configAttributes = new HashSet<>();
        for (Collection<ConfigAttribute> item : SecurityDataSourceUtil.requestAuthoritiesMap.values()){
            configAttributes.addAll(item);
        }

        return configAttributes;
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        HttpServletRequest request = ((FilterInvocation)object).getRequest();

        for (Map.Entry<String, Collection<ConfigAttribute>> entry: SecurityDataSourceUtil.requestAuthoritiesMap.entrySet()){
            if (new AntPathRequestMatcher(entry.getKey()).matches(request)) {
                return entry.getValue();
            }
        }

        return null;
    }
}

         

CustomUrlInterceptor

@Data
@Component
@EqualsAndHashCode(callSuper = true)
public class CustomUrlInterceptor extends AbstractSecurityInterceptor implements Filter, InitializingBean {

    private static final String FILTER_APPLIED = "__spring_security_custom_filterSecurityInterceptor_filterApplied";
    private boolean observeOncePerRequest = true;

    @Resource
    private FilterInvocationSecurityMetadataSource securityMetadataSource;


    public CustomUrlInterceptor() {
    }

    @Override
    public void afterPropertiesSet() {
        List<AccessDecisionVoter<?>> accessDecisionVoters = new ArrayList<>();
        accessDecisionVoters.add(new RoleVoter());

        AccessDecisionManager accessDecisionManager = new AffirmativeBased(accessDecisionVoters);
        this.setAccessDecisionManager(accessDecisionManager);
    }

    public void init(FilterConfig arg0) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        this.invoke(new FilterInvocation(request, response, chain));
    }

    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    public void invoke(FilterInvocation filterInvocation) throws IOException, ServletException {
        if (this.isApplied(filterInvocation) && this.observeOncePerRequest) {
            filterInvocation.getChain().doFilter(filterInvocation.getRequest(), filterInvocation.getResponse());
        } else {
            if (filterInvocation.getRequest() != null && this.observeOncePerRequest) {
                filterInvocation.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
            }

            InterceptorStatusToken token = super.beforeInvocation(filterInvocation);

            try {
                filterInvocation.getChain().doFilter(filterInvocation.getRequest(), filterInvocation.getResponse());
            } finally {
                super.finallyInvocation(token);
            }

            super.afterInvocation(token, null);
        }
    }

    private boolean isApplied(FilterInvocation filterInvocation) {
        return filterInvocation.getRequest() != null && filterInvocation.getRequest().getAttribute(FILTER_APPLIED) != null;
    }

    public boolean isObserveOncePerRequest() {
        return this.observeOncePerRequest;
    }

    public void setObserveOncePerRequest(boolean observeOncePerRequest) {
        this.observeOncePerRequest = observeOncePerRequest;
    }
}

             

WebSecurity

@Configuration
public class WebSecurity {

    @Bean
    public PasswordEncoder initPasswordEncoder(){
        return new Pbkdf2PasswordEncoder();
    }
}

           

WebSecurityConfig

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Resource
    private PasswordEncoder passwordEncoder;

    @Resource
    private CustomUrlInterceptor customUrlInterceptor;

    @Bean
    public SecurityFilterChain initSecurityFilterChain(HttpSecurity http) throws Exception{
        http.addFilterAfter(customUrlInterceptor, FilterSecurityInterceptor.class);
        http.csrf().disable();

        return http.formLogin().and().authorizeRequests()
                .antMatchers("/authority").permitAll()
                .antMatchers("/hello").hasRole("admin")
                .anyRequest().authenticated()
                .and().build();
    }

    @Bean
    public UserDetailsService initUserDetailsService(){
        UserDetails userDetails = User.withUsername("gtlx").password(passwordEncoder.encode("123456")).roles("admin").build();

        return new InMemoryUserDetailsManager(userDetails);
    }
}

           

HelloController

@RestController
public class HelloController {

    @RequestMapping("/hello")
    public String hello(){
        return "hello";
    }

    @RequestMapping("/hello2")
    public String hello2(){
        return "hello2";
    }
}

            

AuthorityController

@RestController
public class AuthorityController {

    @RequestMapping("/authority")
    public String authority(@RequestBody AuthorityDto authorityDto){
        List<ConfigAttribute> configAttributes = new ArrayList<>();
        for (String s: authorityDto.getAuthorities()){
            SecurityConfig securityConfig = new SecurityConfig("ROLE_"+s);
            configAttributes.add(securityConfig);
        }
        SecurityDataSourceUtil.setAuthorities(authorityDto.getPath(), configAttributes);

        return "success";
    }
}

          

                  

                                        

使用测试

            

localhost:8080/hello,输入密码

            

            

            

localhost:8080/hello2

            

            

localhost:8080/authority,路径/hello2添加权限认证

            

            

localhost:8080/hello2,当前用户没有user权限,禁止访问

            

            

localhost:8080/authority,修改路径权限为admin

            

            

localhost:8080/hello2,当前用户有admin权限,可正常访问

            

                 

                              

o_瓜田李下_o
关注
专栏目录
SpringSecurity 授权详解
流楚丶格念的博客
09-18 1771
在前面讲解了认证中所有常用配置,主要是对 http.formLogin()进行操作。而在配置类中 http.authorizeRequests()主要是对 url 进行控制,也就是我们所说的授权(访问控制)。url 匹配规则 . 权限控制方法通过上面的格式可以有很多 url 匹配规则和很多权限控制方法。这些内容进行各种组合就形成了 Spring Security 中的授权。在所有匹配规则中取所有规则的交集。配置顺序影响了之后授权效果,越是具体的应该放在前面,越是笼统的应该放到后面。
SpringSecurity系列——授权与认证概述,安全架构day2-2(源于官网5.7.2版本)
qq_51553982的博客
07-20 1741
简单来说就是授予用户某一个权限让用户能够通过这个权限使用某个对应的服务验证访问系统的用户身份。
Spring security 动态权限管理(基于数据库)
最新发布
冬阳
09-10 1381
当我们配置的 URL 拦截规则请求 URL 所需要的权限都是通过代码来配置的,这样就比较死板,如果想要调整访问某一个 URL 所需要的权限,就需要修改代码。动态管理权限规则就是我们将UR 拦截规则和访问 URI 所需要的权限都保存在数据库中,这样,在不修改源代码的情况下,只需要修改数据库中的数据,就可以对权限进行调整。
Spring Security 入门 权限表达式控制URL权限
SheTing'Blog
04-17 493
配置资源授权,默认是不需要授权。现在访问/say是要有权限aa的 @Configuration public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Override protecte
SpringSecurity 动态权限
热门推荐
qq_34287953的博客
01-29 1万+
springboot+mybatis+SpringSecurity 实现用户角色权限数据库管理 spring security的简单原理: 使用众多的拦截器对url拦截,以此来管理权限。但是这么多拦截器,笔者不可能对其一一来讲,主要讲里面核心流程的两个。 首先,权限管理离不开登陆验证的,所以登陆验证拦截器AuthenticationProcessingFilter要讲; 还有就是对访问的资源管理吧,所以资源管理拦截器AbstractSecurityInterceptor要讲; 但拦截器里面的实现需
java url 授权,Spring Security OAuth2 - 向授权URL添加参数
weixin_32287801的博客
03-13 794
我需要在OAuth2授权网址中添加参数 . 我不确定应该如何将它添加到AuthorizationCodeResourceDetails bean?问题是我想通过登录或从客户端站点注册来启动用户旅程 . 客户端将发送OAuth请求,在授权服务器上,我将显示注册表单或登录表单,以便用户继续其旅程 .默认流只有以下参数/ oauth / authorize?client_id = []&redirect...
spring security动态配置url权限的2种实现方法
08-27
本文将探讨两种在Spring Security中实现动态配置URL权限的方法。 ### 方法一:自定义Filter 虽然自定义Filter可以实现动态权限判断,但这并不符合Spring Security的设计原则,因为这会使你绕过框架提供的安全机制...
Spring Security如何使用URL地址进行权限控制
08-25
Spring Security是一个功能强大且广泛应用的Java安全框架,它提供了许多功能,包括身份验证、授权、加密等。其中,权限控制是Spring Security的一个重要组件,它允许开发者根据用户角色和权限来控制访问不同的资源...
Spring security认证授权
11-30
在这个例子中,我们将深入探讨如何使用Spring Security进行认证和授权,并结合数据库操作进行动态配置。 首先,Spring Security的核心概念包括认证(Authentication)和授权(Authorization)。认证是确认用户身份...
spring security实现动态授权
02-08
总的来说,Spring Security动态授权功能使得权限管理变得更加灵活和高效。通过对源代码的适当修改,我们可以构建一个完全可配置的权限管理系统,适应不断变化的业务需求。这个过程涉及多个组件的定制,但一旦设置...
springboot springsecurity动态权限控制
09-18
在这个“springboot springsecurity动态权限控制”的主题中,我们将深入探讨如何在Spring Boot项目中集成Spring Security,实现动态权限控制,让菜单权限的管理更加灵活和高效。 首先,我们需要理解Spring Security...
SpringSecurity实现动态管理权限(三)
zhoubangbang1的博客
01-07 821
SpringBoot整合SpringSecurity实现接口动态管理权限 接上一篇权限管理是后台管理不可缺少的部分,今天结合SpringSecurity实现接口的动态管理。 动态权限管理 SpringSecurity实现权限动态管理,第一步需要创建一个过滤器,doFilter方法需要注意,对于OPTIONS直接放行,否则会出现跨域问题。并且对在上篇文章提到的IgnoreUrlsConfig中的白名单也是直接放行,所有的权限操作都会在super.beforeInvocation(fi)中实现。
spring security实现动态配置url权限的两种方法
weixin_33713350的博客
06-07 1713
缘起 标准的RABC, 权限需要支持动态配置,spring security默认是在代码里约定好权限,真实的业务场景通常需要可以支持动态配置角色访问权限,即在运行时去配置url对应的访问角色。 基于spring security,如何实现这个需求呢? 最简单的方法就是自定义一个Filter去完成权限判断,但这脱离了spring security框架,如何基于spring security优雅的实现...
Spring Security 实战干货:动态权限控制(下)实现
码农小胖哥
11-29 2180
1. 前言 Spring Security 实战干货:内置 Filter 全解析 中提到的第 32 个 Filter 不知道你是否有印象。它决定了访问特定路径应该具备的权限,访问的用户的角色,权限是什么?访问的路径需要什么样的角色和权限? 它就是 FilterSecurityInterceptor ,正是我们需要的那个轮子。 2.FilterSecurityInterceptor 过滤器排行榜第...
Spring Security(3) 动态url权限控制
郑清
10-19 1万+
一、前言 本篇文章将讲述Spring Security 动态分配url权限,未登录权限控制,登录过后根据登录用户角色授予访问url权限 基本环境 spring-boot 2.1.8 mybatis-plus 2.2.0 mysql 数据库 maven项目 Spring Security入门学习可参考之前文章: SpringBoot集成Spring Security入门体验(一) https:...
如何在 Spring 安全性中动态决定<拦截 url> 访问属性值?
allway2的博客
10-27 841
请注意后者,因为它是在启动时调用的,并且此时可能没有很好地配置(我的意思是,数据源或持久性上下文自动连接,具体取决于您使用的内容)。集合 getAttributes(Object 对象),您可以在其中访问数据库,搜索受保护的“对象”(通常是要访问的 URL)以获取允许的 ConfigAttribute(通常是 ROLE 的)我有同样的问题,基本上我想将拦截网址列表与其他 springsecurity 配置部分分开,第一个属于应用程序配置,后者属于产品(核心、插件)配置。遗憾的是,没有简单的方法来拆分定义。
spring security 实现自定义url鉴权
骆佳威的博客
03-11 2342
package com.liuyanzhao.sens.config.security; import com.liuyanzhao.sens.common.utils.SecurityUtil; import com.liuyanzhao.sens.config.security.jwt.AuthenticationFailHandler; import com.liuyanzhao.sens....
springBoot+springSecurity+swagger2 Unable to infer base url. This is common when using dynamic
mengtianning的博客
05-08 239
项目场景: springBoot+springSecurity+swagger2, 访问http://localhost:8080/swagger-ui.html#/时出现: 解决方案: 在配置访问白名单的时候将swagger相关路径添加进去, String[] whiteUrl = new String[] {"/swagger-ui.html", "/swagger-resources/**", "/v2/api-docs", "/webjars/springfox-swagger-ui
springboot+springsecurity跨域配置完整版(俺被坑了一个上午,特此前来用爱发电)
GD_MRS_LIN的博客
02-05 752
springboot跨域配置不必多说,网上很多: 首先配置好,我用的是继承WebMvcConfigurer配置,还可以通过过滤器配置,我觉得这样应该是最方便了,缺点就是这种配置不能在interceptor中再配置header。 @Configuration public class MyWebConfigurer implements WebMvcConfigurer { @Autowired private LoginInterceptor loginInterceptor;
Spring Security动态配置URL权限解决方案
"本文将探讨如何在Spring Security框架中实现动态配置URL权限的两种方法,以满足在运行时根据业务需求调整URL访问角色的需求。在标准的基于角色的访问控制(RBAC)系统中,权限的灵活性至关重要。Spring Security...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值