注解使用
Spring Security 默认是禁用注解的,要想开启注解,需要加上@EnableMethodSecurity 注解
- 使用@Secured 需要在配置类中添加注解@EnableGlobalMethodSecurity(securedEnabled = true)才华见效
- 使用@PreAuthorize 和@PostAuthorize 需要在配置类中配置注解@EnableGlobalMethodSecurity(prePostEnable = true)才华见效
@Secured
角色校验,请求到来访问控制单位方法时必须包罗 XX 角色才华访问
注意:
- 角色必须添加 ROLE_前缀
- 如果要求只有同时拥有 admin 和 user 的用户才华访问某个方法时,@Secured 就无能为力了
- @Component
- public class UserDetailServiceImpl implements UserDetailsService {
- @Resource
- private PasswordEncoder passwordEncoder;
- @Override
- public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
- if (username.equals("root")) {
- return new User(username, passwordEncoder.encode("123"), AuthorityUtils.createAuthorityList("ROLE_read"));
- } else if (username.equals("user")) {
- return new User(username, passwordEncoder.encode("123"), AuthorityUtils.createAuthorityList("ROLE_write"));
- }
- return new User(username, passwordEncoder.encode("123"), AuthorityUtils.createAuthorityList("read"));
- }
- }
- @RestController
- public class HelloController {
- @RequestMapping("/read")
- @Secured(value = {"ROLE_read"})
- public String read() {
- return "read";
- }
- @RequestMapping("/write")
- @Secured(value = {"ROLE_write"})
- public String write() {
- return "write";
- }
- // 错误实例
- @RequestMapping("/read2")
- @Secured(value = {"read"})
- public String read2() {
- return "read2";
- }
- }
权限校验,请求到来访问控制单位之前必须包罗 XX 权限才华访问,控制单位方法执行进步行角色校验- @RestController
- public class HelloController {
- @RequestMapping("/read3")
- @PreAuthorize(value = "hasRole('ROLE_read')")
- public String read3() {
- return "read3";
- }
- @RequestMapping("/read4")
- @PreAuthorize(value = "hasAnyRole('ROLE_read','ROLE_write')")
- public String read4() {
- return "read4";
- }
- @RequestMapping("/read5")
- @PreAuthorize(value = "hasAnyAuthority('ROLE_read','read')")
- public String read5() {
- return "read5";
- }
- }
- hasRole 的值会添加 ROLE_开头进行判断,而 hasAuthority 不会
- 其他方法判断一致
- public abstract class SecurityExpressionRoot implements SecurityExpressionOperations {
- protected final Authentication authentication;
- private AuthenticationTrustResolver trustResolver;
- private RoleHierarchy roleHierarchy;
- private Set<String> roles;
- private String defaultRolePrefix = "ROLE_";
- /** Allows "permitAll" expression */
- public final boolean permitAll = true;
- /** Allows "denyAll" expression */
- public final boolean denyAll = false;
- private PermissionEvaluator permissionEvaluator;
- public final String read = "read";
- public final String write = "write";
- public final String create = "create";
- public final String delete = "delete";
- public final String admin = "administration";
- //...
- public final boolean hasAuthority(String authority) {
- return hasAnyAuthority(authority);
- }
- public final boolean hasAnyAuthority(String... authorities) {
- return hasAnyAuthorityName(null, authorities);
- }
- public final boolean hasRole(String role) {
- return hasAnyRole(role);
- }
- public final boolean hasAnyRole(String... roles) {
- return hasAnyAuthorityName(defaultRolePrefix, roles);
- }
- private boolean hasAnyAuthorityName(String prefix, String... roles) {
- Set<String> roleSet = getAuthoritySet();
- for (String role : roles) {
- String defaultedRole = getRoleWithDefaultPrefix(prefix, role);
- if (roleSet.contains(defaultedRole)) {
- return true;
- }
- }
- return false;
- }
- // ....
- private static String getRoleWithDefaultPrefix(String defaultRolePrefix, String role) {
- if (role == null) {
- return role;
- }
- if (defaultRolePrefix == null || defaultRolePrefix.length() == 0) {
- return role;
- }
- // 判断是否以 ROLE_开头
- if (role.startsWith(defaultRolePrefix)) {
- return role;
- }
- return defaultRolePrefix + role;
- }
- }
权限校验,请求到来访问控制单位之后必须包罗 XX 权限才华访问,在方法执行后进行权限校验,适合验证带有返回值的权限- @PostAuthorize("hasRole('ROLE_管理员')")
- @RequestMapping("/toMain")
- public String toMain(){
- return "main";
- }
- @GetMapping("/helloUser")
- @PostAuthorize("returnObject!=null && returnObject.username == authentication.name")
- public User helloUser() {
- Object pricipal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
- User user;
- if("anonymousUser".equals(pricipal)) {
- user = null;
- }else {
- user = (User) pricipal;
- }
- return user;
- }
对传递参数值做过滤- @PostMapping("/preFilter")
- @PreAuthorize("hasAnyAuthority('admin','update')") // 注意单引号
- @PreFilter("filterObject.id % 2 == 0") // id 为偶数才能请求
- public String preFilter(@RequestBody List<User> userLists){
- log.info("=== 进入当前 preFilter ====");
- log.info(userLists.toString());
- return "security test 5 preFilter 需要验证的接口";
- }
权限验证通事后,留下指定用户名的数据,对返回数据做过滤- @RequestMapping("/postFilter")
- @PreAuthorize("hasAnyAuthority('admin','update')") // 注意单引号
- @PostFilter("filterObject.username == 'xiangjiao'") // 针对返回数据做过滤
- public List<User> postFilter(){
- log.info("=== 进入当前 postFilter ====");
- List<User> userLists = new ArrayList<>();
- userLists.add(new User(1,"xiangjiao","bunana",1,0));
- userLists.add(new User(2,"xiangjiao2","bunana2",1,0));
- return userLists;
- }
- 使用@EnableGlobalMethodSecurity 开启注解支持后,用户必须实现 UserDetailsService 方法,使用 auth.inMemoryAuthentication()内存管理用户信息会失效
- 如果注解要使用 permitAll()、isAnonymous()等方法时,需要在 config 方法中取消.anyRequest().authenticated()的设置,否则会无效。
- @Configuration
- @EnableGlobalMethodSecurity(prePostEnabled=true)
- public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
- @Autowired
- private UserDetailsService userDetailsService;
- @Autowired
- private BCryptPasswordEncoder bCryptPasswordEncoder;
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- http.cors()
- .and()
- .csrf().disable();
- // 下面需注释,否则注解无效,生效的是这里的配置
- /*.authorizeRequests()
- .anyRequest()
- .authenticated(); */
- }
- @Override
- protected void configure(AuthenticationManagerBuilder auth) throws Exception {
- auth.userDetailsService(userDetailsService)
- .passwordEncoder(bCryptPasswordEncoder);
- }
- }
- @RestController
- public class HelloController {
- @RequestMapping("/read3")
- @PreAuthorize(value = "hasRole('ROLE_read')")
- public String read3() {
- return "read3";
- }
- @RequestMapping("/read4")
- @PreAuthorize(value = "hasAnyRole('ROLE_read','ROLE_write')")
- public String read4() {
- return "read4";
- }
- @RequestMapping("/read5")
- @PreAuthorize(value = "hasAnyAuthority('ROLE_read','read')")
- public String read5() {
- return "read5";
- }
- @RequestMapping("/isAnonymous")
- @PreAuthorize(value = "isAnonymous()")
- public String isAnonymous() {
- return "isAnonymous";
- }
- }
- hasAuthority(String):判断角色是否具有特定权限
http.authorizeRequests().antMatchers("/main1.html").hasAuthority("admin")
- hasAnyAuthority(String ...):如果用户具备给定权限中某一个,就允许访问
http.authorizeRequests().antMatchers("/admin/read").hasAnyAuthority("xxx", "xxx")
- hasRole(String):如果用户具备给定角色就允许访问,否则出现 403
http.authorizeRequests().antMatchers("/admin/read").hasRole("ROLE_管理员")
- hasAnyRole(String ...):如果用户具备给定角色的任意一个,就允许被访问
http.authorizeRequests().antMatchers("/guest/read").hasAnyRole("ROLE_管理员", "ROLE_访客")
- hasIpAddress(String):请求是指定的 IP 就允许访问
http.authorizeRequests().antMatchers("/ip").hasIpAddress("127.0.0.1")
- permitAll():允许全部人(可无任何权限)访问
- denyAll():不允许任何(即使有最大权限)访问。
- isAnonymous():为可匿名(不登录)访问。
- isAuthenticated():为身份证认证后访问。
- isRememberMe():为记住我用户操作访问。
- isFullyAuthenticated():为非匿名且非记住我用户允许访问
JSR-250 注解
注意:使用 JSR-250 注解需要设置@EnableGlobalMethodSecurity(jsr250Enabled = true)才华使用
- @DenyAll
- @PermitAll
- @RolesAllowed
例如:@RolesAllowed({"USER", "ADMIN"}),代表标注的方法只要具有 USER、ADMIN 任意一种权限就可以访问
使用案例
自界说权限校验
- interface TestPermissionEvaluator {
- boolean check(Authentication authentication);
- }
- @Service("testPermissionEvaluator")
- public class TestPermissionEvaluatorImpl implements TestPermissionEvaluator {
- public boolean check(Authentication authentication) {
- System.out.println("进入了自定义的匹配器" + authentication);
- return false;
- }
- }
- @PreAuthorize("@testPermissionEvaluator.check(authentication)")
- public String test0() {
- return "说明你有自定义权限";
- }
AuthenticationEntryPoint
用来解决匿名用户访问无权限资源时的异常
注意:使用 AuthenticationEntryPoint 会导致原来的/login 登录页面失效- public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
- @Override
- public void commence(HttpServletRequest request, HttpServletResponse response,
- AuthenticationException authException) throws IOException, ServletException {
- response.setCharacterEncoding("utf-8");
- response.setContentType("text/javascript;charset=utf-8");
- response.getWriter().print(JSONObject.toJSONString(RestMsg.error("没有访问权限!")));
- }
- }
用来解决认证过的用户访问无权限资源时的异常- @Component
- public class MyAccessDeniedHandler implements AccessDeniedHandler {
-
- @Override
- public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException e)
- throws IOException, ServletException {
- response.setStatus(HttpServletResponse.SC_OK);
- response.setContentType("text/html;charset=UTF-8");
- response.getWriter().write(
- "<html>" +
- "<body>" +
- "" +
- "权限不足,请联系管理员" +
- "" +
- "</body>" +
- "</html>"
- );
- response.getWriter().flush();//刷新缓冲区
- }
- }
- @Configuration
- @EnableGlobalMethodSecurity(prePostEnabled=true)
- public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
- @Autowired
- private UserDetailsService userDetailsService;
- @Autowired
- private BCryptPasswordEncoder bCryptPasswordEncoder;
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- http.cors()
- .and()
- .csrf().disable()
- .authorizeRequests()
- .antMatchers("/user/sign").permitAll()
- .anyRequest()
- .authenticated();
-
- //添加自定义异常入口
- http.exceptionHandling()
- .authenticationEntryPoint(new CustomAuthenticationEntryPoint())
- .accessDeniedHandler(new CustomAccessDeineHandler());
- }
- @Override
- protected void configure(AuthenticationManagerBuilder auth) throws Exception {
- auth.userDetailsService(userDetailsService)
- .passwordEncoder(bCryptPasswordEncoder);
- }
- }
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。 |
