目的是:系统内存在很多不同的用户,每个用户具有不同的资源访问权限,具体表现就是某个用户对于某个URL是无权限访问的。需要Spring Security忙我们过滤。
本文的很多命名都是参考链接博文的,最大的不同应该是本文是基于Spring boot,再次也向前人致敬!
由上一篇可知,FilterSecurityInterceptor是Spring Security进行URL权限判断的,FilterSecurityInterceptor又继承于AbstractSecurityInterceptor,由此可推测,我们可以新增一个Interceptor继承AbstractSecurityInterceptor,实现我们自己的权限校验逻辑。
查看父类及其代码逻辑,有几点必须要注意:
1、主要鉴权方法是调用父类中accessDecisionManager的decide值,所以我们需要自己实现一个accessDecisionManager
2、父类中存在抽象方法public abstract SecurityMetadataSource obtainSecurityMetadataSource();作用是获取URL及用户角色对应的关系。我们需要加入自己的实现。
以下是部分代码实现
主要拦截器JwtUrlSecurityInterceptor,需要在WebSecurityConfig(Spring Security配置)文件中注册
//这个拦截器用来实现按照用户权限,对所请求的url进行拦截@Beanpublic JwtUrlSecurityInterceptor jwtUrlSecurityInterceptorBean() throws Exception{return new JwtUrlSecurityInterceptor();}@Overrideprotected void configure(HttpSecurity httpSecurity) throws Exception {...httpSecurity.addFilterBefore(jwtUrlSecurityInterceptorBean(), FilterSecurityInterceptor.class);...}
实现自定义的accessDecisionManager
package org.zerhusen.security.dsuri;import org.springframework.security.access.AccessDecisionManager;import org.springframework.security.access.AccessDeniedException;import org.springframework.security.access.ConfigAttribute;import org.springframework.security.authentication.InsufficientAuthenticationException;import org.springframework.security.core.Authentication;import java.util.Collection;/*** Created by dingshuo on 2017/6/28.*/public class MyAccessDecisionManager implements AccessDecisionManager {@Overridepublic void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {System.out.println("自定义的接口");throw new AccessDeniedException("no right");}@Overridepublic boolean supports(ConfigAttribute attribute) {return true;}@Overridepublic boolean supports(Class<?> clazz) {return true;}}
实现自定义的资源SecurityMetadataSource
package org.zerhusen.security.dsuri;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.security.access.ConfigAttribute;import org.springframework.security.access.SecurityConfig;import org.springframework.security.web.FilterInvocation;import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;import java.util.*;/*** Created by dingshuo on 2017/6/28.*/public class MyInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {private static Map<String, Collection<ConfigAttribute>> resourceMap = null;@AutowiredUrlMatcher urlMatcher;public MyInvocationSecurityMetadataSource() {//这里可以查数据库实现//注入dao即可resourceMap = new HashMap<String, Collection<ConfigAttribute>>();Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();ConfigAttribute ca = new SecurityConfig("ROLE_USER1");atts.add(ca);resourceMap.put("/index.jsp", atts);Collection<ConfigAttribute> attsno =new ArrayList<ConfigAttribute>();ConfigAttribute cano = new SecurityConfig("ROLE_NO");attsno.add(cano);resourceMap.put("/other.jsp", attsno);}@Overridepublic Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {String url = ((FilterInvocation)object).getRequestUrl();Iterator<String> ite = resourceMap.keySet().iterator();while (ite.hasNext()) {String resURL = ite.next();if (url.equals("/protected")) {return resourceMap.get(resURL);}}return null;}@Overridepublic Collection<ConfigAttribute> getAllConfigAttributes() {return null;}@Overridepublic boolean supports(Class<?> clazz) {return true;}}
实现JwtUrlSecurityInterceptor
package org.zerhusen.security.dsuri;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.context.annotation.Bean;import org.springframework.security.access.AccessDecisionManager;import org.springframework.security.access.SecurityMetadataSource;import org.springframework.security.access.intercept.AbstractSecurityInterceptor;import org.springframework.security.access.intercept.InterceptorStatusToken;import org.springframework.security.authentication.AuthenticationManager;import org.springframework.security.web.FilterInvocation;import javax.servlet.*;import java.io.IOException;/*** Created by dingshuo on 2017/6/28.*/public class JwtUrlSecurityInterceptor extends AbstractSecurityInterceptor implementsFilter {@Autowiredpublic void setMyAccessDecisionManager(){super.setAccessDecisionManager(myAccessDecisionManagerBean());}@Beanpublic MyAccessDecisionManager myAccessDecisionManagerBean(){return new MyAccessDecisionManager();}@Beanpublic MyInvocationSecurityMetadataSource myInvocationSecurityMetadataSourceBean(){return new MyInvocationSecurityMetadataSource();}@Overridepublic void init(FilterConfig filterConfig) throws ServletException {}@Overridepublic void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {FilterInvocation fi = new FilterInvocation(request, response, chain);invoke(fi);}@Overridepublic void destroy() {}@Overridepublic Class<?> getSecureObjectClass() {return FilterInvocation.class;}@Overridepublic SecurityMetadataSource obtainSecurityMetadataSource() {return this.myInvocationSecurityMetadataSourceBean();}public void invoke(FilterInvocation fi) throws IOException, ServletException {InterceptorStatusToken token = super.beforeInvocation(fi);try {fi.getChain().doFilter(fi.getRequest(), fi.getResponse());}finally {super.afterInvocation(token, null);}}}
如上是简单的URL权限控制