后续会讲解如何实现方法拦截。其实与url拦截大同小异。
拦截方法,会更简单一点吧 基于PermissionEvaluator 可以自行先了解
1、了解主要的过滤器
1、SecurityMetadataSource
权限资源拦截器。
有一个接口继承与它FilterInvocationSecurityMetadataSource,但FilterInvocationSecurityMetadataSource只是一个标识接口,
对应于FilterInvocation,本身并无任何内容:
主要方法:
public CollectiongetAttributes(Object object) throws IllegalArgumentException { }
每一次请求url,都会调用这个方法。object存储了请求的信息。如;rul
2、UserDetailsService
用户登录,会先调用这里面的 loadUserByUsername。通过用户名去查询用户是否存在数据库。
在这里面进行查询,获得用户权限信息
3、AccessDecisionManager
里面的decide方法。
// decide 方法是判定是否拥有权限的决策方法, //authentication 是释UserService中循环添加到 GrantedAuthority 对象中的权限信息集合. //object 包含客户端发起的请求的requset信息 ,可转换为 HttpServletRequest request = ((FilterInvocation) object).getHttpRequest(); //configAttributes 为MyInvocationSecurityMetadataSource的getAttributes(Object object)这个方法返回的结果, 此方法是为了判定用户请求的url 是否在权限表中,如果在权限表中,则返回给 decide 方法, 用来判定用户是否有此权限。如果不在权限表中则放行。 @Override public void decide(Authentication authentication, Object o, CollectionconfigAttributes)
2、正式实战了
1 使用idea的Srping Initializr 创建一个项目 我的版本如下Pom.xml
4.0.0 com.example demo 0.0.1-SNAPSHOT jar demo Demo project for Spring Boot org.springframework.boot spring-boot-starter-parent 1.5.9.RELEASE UTF-8 UTF-8 1.8 1.8 1.8 3.2.7 1.2.2 org.springframework.boot spring-boot-starter-aop org.springframework.boot spring-boot-starter-security org.springframework.boot spring-boot-starter-thymeleaf org.springframework.boot spring-boot-starter-web org.springframework.boot spring-boot-starter-test test org.springframework.security spring-security-test test org.thymeleaf.extras thymeleaf-extras-springsecurity4 org.webjars bootstrap 3.3.7 mysql mysql-connector-java 5.1.6 com.mchange c3p0 0.9.5.2 commons-logging commons-logging org.springframework spring-jdbc org.mybatis mybatis ${mybatis.version} org.mybatis mybatis-spring ${mybatis-spring.version} org.springframework.boot spring-boot-maven-plugin
2,创建一个springSecurity配置类,你也可以使用配置文件的方法。我这里使用了boot的配置类
package com.example.config; import com.example.service.CustomUserService; import com.example.service.MyFilterSecurityInterceptor; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.access.intercept.FilterSecurityInterceptor; @Configuration //声明为配置类 @EnableWebSecurity //这里启动security public class SpringSecurityConfig extends WebSecurityConfigurerAdapter{ @Autowired //下面会编写这个类 private MyFilterSecurityInterceptor myFilterSecurityInterceptor; @Autowired //下面会编写这个类 private DefaultAccessDeniedHandler defaultAccessDeniedHandler; @Bean UserDetailsService customUserService(){ //注册UserDetailsService 的bean return new CustomUserService(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(customUserService()); //user Details Service验证 } @Override protected void configure(HttpSecurity http) throws Exception { http.exceptionHandling() .accessDeniedHandler(defaultAccessDeniedHandler); http.authorizeRequests() .antMatchers("/css/**").permitAll() .anyRequest().authenticated() //任何请求,登录后可以访问 .and() .formLogin().loginPage("/login").failureUrl("/login?error").permitAll() //登录页面用户任意访问 .and() .logout().permitAll(); //注销行为任意访问 http.addFilterBefore(myFilterSecurityInterceptor, FilterSecurityInterceptor.class); } }
3、自定义SecurityMetadataSource拦截器
package com.example.service; import com.example.dao.PermissionDao; import com.example.domain.Permission; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.stereotype.Service; import javax.servlet.http.HttpServletRequest; import java.util.*; /** */ @Service public class MyInvocationSecurityMetadataSourceService implements FilterInvocationSecurityMetadataSource { private HashMap> map =null; @Autowired private PermissionDao permissionDao; /** * 自定义方法。最好在项目启动时,去数据库查询一次就好。 * 数据库查询一次 权限表出现的所有要拦截的url */ public void loadResourceDefine(){ map = new HashMap<>(); Collection array; ConfigAttribute cfg; //去数据库查询 使用dao层。 你使用自己的即可 List permissions = permissionDao.findAll(); for(Permission permission : permissions) { array = new ArrayList<>(); //下面你可以添加你想要比较的信息过去。 注意的是,需要在用户登录时存储的权限信息一致 cfg = new SecurityConfig(permission.getName()); //此处添加了资源菜单的名字,例如请求方法到ConfigAttribute的集合中去。此处添加的信息将会作为MyAccessDecisionManager类的decide的第三个参数。 array.add(cfg); //用权限的getUrl() 作为map的key,用ConfigAttribute的集合作为 value, map.put(permission.getUrl(), array); } } //此方法是为了判定用户请求的url 是否在权限表中,如果在权限表中,则返回给 decide 方法,用来判定用户是否有此权限。如果不在权限表中则放行。 @Override public Collection getAttributes(Object object) throws IllegalArgumentException { FilterInvocation filterInvocation = (FilterInvocation) object; String fullRequestUrl = filterInvocation.getFullRequestUrl(); //若是静态资源 不做拦截 下面写了单独判断静态资源方法 if (isMatcherAllowedRequest(filterInvocation)) { System.out.println("我没有被拦截"+fullRequestUrl); return null; } //map 为null 就去数据库查 if(map ==null) { loadResourceDefine(); } //测试 先每次都查 //object 中包含用户请求的request 信息 HttpServletRequest request = filterInvocation.getHttpRequest(); AntPathRequestMatcher matcher; String resUrl; for(Iterator iter = map.keySet().iterator(); iter.hasNext(); ) { resUrl = iter.next(); matcher = new AntPathRequestMatcher(resUrl); if(matcher.matches(request)) { return map.get(resUrl); } } return null; } /** * 判断当前请求是否在允许请求的范围内 * @param fi 当前请求 * @return 是否在范围中 */ private boolean isMatcherAllowedRequest(FilterInvocation fi){ return allowedRequest().stream().map(AntPathRequestMatcher::new) .filter(requestMatcher -> requestMatcher.matches(fi.getHttpRequest())) .toArray().length > 0; } /** * @return 定义允许请求的列表 */ private List allowedRequest(){ return Arrays.asList("/login","/css/**","/fonts/**","/js/**","/scss/**","/img/**"); } @Override public Collection getAllConfigAttributes() { return null; } @Override public boolean supports(Class> clazz) { return true; } }
自定义UserDetailsService 。登录的时候根据用户名去数据库查询用户拥有的权限信息
package com.example.service; import com.example.dao.PermissionDao; import com.example.dao.UserDao; import com.example.domain.Permission; import com.example.domain.SysRole; import com.example.domain.SysUser; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Service; import java.util.ArrayList; import java.util.List; /** * Created by yangyibo on 17/1/18. */ @Service public class CustomUserService implements UserDetailsService { //自定义UserDetailsService 接口 @Autowired UserDao userDao; @Autowired PermissionDao permissionDao; public UserDetails loadUserByUsername(String username) { SysUser user = userDao.findByUserName(username); for (SysRole role : user.getRoles()) { System.out.println(role.getName()); } if (user != null) { //根据用户id 去查找用户拥有的资源 Listpermissions = permissionDao.findByAdminUserId(user.getId()); List grantedAuthorities = new ArrayList <>(); for (Permission permission : permissions) { if (permission != null && permission.getName()!=null) { GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(permission.getName()); //1:此处将权限信息添加到 GrantedAuthority 对象中,在后面进行全权限验证时会使用GrantedAuthority 对象。 grantedAuthorities.add(grantedAuthority); } } return new User(user.getUsername(), user.getPassword(), grantedAuthorities); } else { throw new UsernameNotFoundException("admin: " + username + " do not exist!"); } } }
自定义AccessDecisionManager
package com.example.service; import org.springframework.security.access.AccessDecisionManager; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.authentication.InsufficientAuthenticationException; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; import org.springframework.stereotype.Service; import java.util.Collection; import java.util.Iterator; @Service public class MyAccessDecisionManager implements AccessDecisionManager { // decide 方法是判定是否拥有权限的决策方法, //authentication 是释CustomUserService中循环添加到 GrantedAuthority 对象中的权限信息集合. //object 包含客户端发起的请求的requset信息,可转换为 HttpServletRequest request = ((FilterInvocation) object).getHttpRequest(); //configAttributes 为MyInvocationSecurityMetadataSource的getAttributes(Object object)这个方法返回的结果,此方法是为了判定用户请求的url 是否在权限表中,如果在权限表中,则返回给 decide 方法,用来判定用户是否有此权限。如果不在权限表中则放行。 @Override public void decide(Authentication authentication, Object o, CollectionconfigAttributes) throws AccessDeniedException, InsufficientAuthenticationException { if (null == configAttributes || configAttributes.size() <= 0 ) { return; } ConfigAttribute c; String needRole; for (Iterator iter = configAttributes.iterator(); iter.hasNext(); ) { c = iter.next(); needRole = c.getAttribute(); for (GrantedAuthority ga : authentication.getAuthorities()) { //authentication 为在注释1 中循环添加到 GrantedAuthority 对象中的权限信息集合 if (needRole.trim().equals(ga.getAuthority())) { return; } } } throw new AccessDeniedException("no right"); } @Override public boolean supports(ConfigAttribute configAttribute) { return true; } @Override public boolean supports(Class> aClass) { return true; } }
自定义拦截器
package com.example.service; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.access.SecurityMetadataSource; import org.springframework.security.access.intercept.AbstractSecurityInterceptor; import org.springframework.security.access.intercept.InterceptorStatusToken; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; import org.springframework.stereotype.Service; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import java.io.IOException; @Service public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter { @Autowired private FilterInvocationSecurityMetadataSource securityMetadataSource; @Autowired private void setMyAccessDecisionManager(MyAccessDecisionManager myAccessDecisionManager) { super.setAccessDecisionManager(myAccessDecisionManager); } @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { FilterInvocation fi = new FilterInvocation(servletRequest, servletResponse, filterChain); invoke(fi); } public void invoke(FilterInvocation fi) throws IOException, ServletException { //fi里面有一个被拦截的url //里面调用MyInvocationSecurityMetadataSource的getAttributes(Object object)这个方法获取fi对应的所有权限 //再调用MyAccessDecisionManager的decide方法来校验用户的权限是否足够 InterceptorStatusToken token = super.beforeInvocation(fi); try { //执行下一个拦截器 fi.getChain().doFilter(fi.getRequest(), fi.getResponse()); } finally { super.afterInvocation(token, null); } } @Override public void destroy() { } @Override public Class> getSecureObjectClass() { return FilterInvocation.class; } @Override public SecurityMetadataSource obtainSecurityMetadataSource() { return this.securityMetadataSource; } }
运行项目就实现了。去试试吧。
记得将自定义拦截器放进security的过滤器链中。
到此这篇关于SpringSecurity实现动态url拦截(基于rbac模型)的文章就介绍到这了,更多相关SpringSecurity 动态url拦截内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!