springsecurity 授权

springsecurity 授权就是控制访问请求，通俗说就是控制url

具体做了些什么？

1、认证失败会跳转到登录页面

2、根据权限访问

3、根据角色访问

4、没有权限的页面展示

授权

    //授权：针对url的设置
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/test/**").hasAuthority("part")
                .antMatchers("/admin/**").hasAuthority("admin")
                .anyRequest().authenticated()
        .and().formLogin();
    }

HttpSecurity对象的方法

http.formLogin()//操作登录相关
http.authorizeRequests()//操作请求相关
http.exceptionHandling()//异常相关
http.logout()//注销相关
http.rememberMe()//记住我

HttpSesurity对象方法之间可以使用.and()衔接

http.formLogin().and().logout().and().authorizeRequests()........

formLogin　　

.loginPage("")　　//登录页面
.failureForwardUrl("") //登录提交失败后，转发地址
.successForwardUrl("") //登录提交成功后，转发地址
.loginProcessingUrl("")//登录提交处理地址
.defaultSuccessUrl("")//登录提交成功后，跳转地址
.passwordParameter("pwd") //密码对应key
.usernameParameter("uname") //用户名对应key

http.formLogin()
                        //自定义登录页面
                        .loginPage("/login.html")
                        //必须和表单提交的接口一样，会去执行自定义登录逻辑
                        .loginProcessingUrl("/login")

                        //访问不存在的请求
                        //1、会跳转到登录页面
                        //2、登录成功，正常会跳转到提示请求不存在页面
                        // alwaysUse:true,会跳转到main.html
                        .defaultSuccessUrl("/main.html",true)
                        .defaultSuccessUrl("/toMain",true)
                        //不限制请求方式GET、POST都可以访问
                        //.defaultSuccessUrl("/main.html")

                        // 会报There was an unexpected error (type=Method Not Allowed, status=405).
                        //.successForwardUrl("/main.html")
                        //登录成功或转发的页面，只允许POST请求
                        .successForwardUrl("/toMain")
                        .failureForwardUrl("/toError");
                        //调用自定义Handler
//                      .successHandler(new MyAuthenticationSuccessHandler())
//                      .failureHandler(new MyAuthenticationFailureHandler())

.loginProcessingUrl("/login")与form标签的action属性值一致

<form action="/login" method="post">
    用户名：<input type="text" name="username"/> //默认登录key：username  通过usernameParameter方法修改默认值
    密 码：<input type="password" name="password"/> //默认密码key:password  通过passwordParameter方法修改默认值
    <button type="submit" >submit</button>
</form>

.defaultSuccessUrl("/main.html",true)、.defaultSuccessUrl("/tomain",true)：不限制请求方式

    public final T defaultSuccessUrl(String defaultSuccessUrl, boolean alwaysUse) {
        SavedRequestAwareAuthenticationSuccessHandler handler = new SavedRequestAwareAuthenticationSuccessHandler();
        handler.setDefaultTargetUrl(defaultSuccessUrl);
        handler.setAlwaysUseDefaultTargetUrl(alwaysUse);
        this.defaultSuccessHandler = handler;
        return successHandler(handler);
    }

.successForwardUrl("/toMain")、.failureForwardUrl("/toError")：只允许POST请求

    public FormLoginConfigurer<H> failureForwardUrl(String forwardUrl) {
        failureHandler(new ForwardAuthenticationFailureHandler(forwardUrl));
        return this;
    }

.successHandler(new MyAuthenticationSuccessHandler("Url"))、.failureHandler(new MyAuthenticationFailureHandler("Url"))：调用自定义Handler

public class xxxxHandler implements AuthenticationFailureHandler {

    private final String forwardUrl;

    /**
     * @param forwardUrl
     */
    public ForwardAuthenticationFailureHandler(String forwardUrl) {
        Assert.isTrue(UrlUtils.isValidRedirectUrl(forwardUrl), () -> "'" + forwardUrl + "' is not a valid forward URL");
        this.forwardUrl = forwardUrl;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
        request.getRequestDispatcher(this.forwardUrl).forward(request, response);
    }

}

authorizeRequests 

.anyRequest()//任何请求
.antMatchers("")//指定请求 　
对请求指定访问范围
　　.permitAll() // 不做任何限制连登录校验都不做
   .hasIpAddress()//指定ip访问
   .fullyAuthenticated()
   .denyAll()//拒绝所有权限/角色的访问
   .access("") //所有的访问控制方法都是基于access，permitAll()等价于access("permitAll"),hasRole("abc") 等价于 access("hasRole('abc')")
   .authenticated()//需要登录
   .hasAuthority(String)//指定权限允许访问
   .hasAnyAuthority(String ...)//包含指定权限允许访问
   .hasAnyRole(String ...)//包含指定角色允许访问
   .hasRole(String)//指定角色允许访问

注意：hasRole、hasAnyRole方法

    private static String hasRole(String role) {
        Assert.notNull(role, "role cannot be null");
        Assert.isTrue(!role.startsWith("ROLE_"),
                () -> "role should not start with 'ROLE_' since it is automatically inserted. Got '" + role + "'");
        return "hasRole('ROLE_" + role + "')";
    }

角色前添加前缀，所以我们在认证设置角色时也必须添加ROLE前缀

    //授权：针对url的设置
    @Override
    protected void configure(HttpSecurity http) throws Exception {

                http.authorizeRequests()
                .antMatchers("/test/**").hasRole("guest")
                .antMatchers("/admin/**").hasRole("admin")
                .anyRequest().authenticated()
                .and().formLogin();
    }

自定义access

@Component
public class MyAccessImpl implements MyAccess {
    @Override
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        //获取用户
        Object principal =  authentication.getPrincipal();

        if(principal instanceof UserDetails) {
            UserDetails userDetails = (UserDetails) principal;
            Collection<? extends GrantedAuthority> authorities = userDetails.getAuthorities();
            //request.getRequestURI() => /xxx.html
            //权限是否包含/xxx.html
            //查看认证时有没有设置对应权限.authorities(AuthorityUtils.commaSeparatedStringToAuthorityList("admin,normal"));
            return authorities.contains(new SimpleGrantedAuthority(request.getRequestURI()));
        }
        return false;
    }
}

调用自定义access方法

.anyRequest().access("@myAccessImpl.hasPermission(request,authentication)");//.authenticated();

exceptionHandling 

.accessDeniedPage("")//指定没有权限访问页面 

    public ExceptionHandlingConfigurer<H> accessDeniedPage(String accessDeniedUrl) {
        AccessDeniedHandlerImpl accessDeniedHandler = new AccessDeniedHandlerImpl();
        accessDeniedHandler.setErrorPage(accessDeniedUrl);
        return accessDeniedHandler(accessDeniedHandler);
    }

自定义403处理

public class myAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
        response.setStatus(HttpServletResponse.SC_ACCEPTED);

        response.setHeader("Content-Type","application/json;charset=utf-8");
        PrintWriter writer = response.getWriter();
        writer.write("{"status":"error"}");
        writer.flush();
        writer.close();
    }
}

使用自定义

http.exceptionHandling().accessDeniedHandler(new myAccessDeniedHandler());

编辑授权（基于IP   request.getRemoteAddr()）

http.authorizeRequests()
                .antMatchers("/login.html").permitAll()
                .antMatchers("/add.html").hasIpAddress("127.0.0.1")
                .anyRequest().authenticated();

效果：localhost访问

127.0.0.1访问