您好,登錄后才能下訂單哦!
本篇內(nèi)容主要講解“Spring Security OAuth2中怎么根據(jù)請求URI動態(tài)權(quán)限判斷”,感興趣的朋友不妨來看看。本文介紹的方法操作簡單快捷,實(shí)用性強(qiáng)。下面就讓小編來帶大家學(xué)習(xí)“Spring Security OAuth2中怎么根據(jù)請求URI動態(tài)權(quán)限判斷”吧!
優(yōu)化內(nèi)容:先增加一級獲取uri然后判斷uri需要什么權(quán)限,可以多個(gè)并且的權(quán)限 等等然后 在經(jīng)過權(quán)限判斷器進(jìn)行攔截判斷
新建自定義的url權(quán)限判斷MyFilterInvocationSecurityMetadataSource 實(shí)現(xiàn)FilterInvocationSecurityMetadataSource
/** * @Description 根據(jù)url獲取 url需要訪問的權(quán)限 * @Author wwz * @Date 2019/08/01 * @Param * @Return */ @Component public class MyFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource { private AntPathMatcher antPathMatcher = new AntPathMatcher(); // 模糊匹配 如何 auth/** auth/auth @Override public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException { Set<ConfigAttribute> set = new HashSet<>(); String requestUrl = ((FilterInvocation) object).getRequest().getMethod() + ((FilterInvocation) object).getRequest().getRequestURI(); System.out.println("requestUrl >> " + requestUrl); // 這里獲取對比數(shù)據(jù)可以從數(shù)據(jù)庫或者內(nèi)存 redis等等地方獲取 目前先寫死后面優(yōu)化 String url = "GET/auth/**"; if (antPathMatcher.match(url, requestUrl)) { SecurityConfig securityConfig = new SecurityConfig("ROLE_ADMIN"); set.add(securityConfig); } if (ObjectUtils.isEmpty(set)) { return SecurityConfig.createList("ROLE_LOGIN"); } return set; } @Override public Collection<ConfigAttribute> getAllConfigAttributes() { return null; } @Override public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); } }
修改原來MySecurityAccessDecisionManager 的decide,從獲取到url 改成獲取到需要什么權(quán)限。其他判斷不變
@Override public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException { System.out.println("collection>>" + configAttributes); for (ConfigAttribute configAttribute : configAttributes) { // 當(dāng)前請求需要的權(quán)限 String needRole = configAttribute.getAttribute(); // 當(dāng)前用戶所具有的權(quán)限 Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities(); System.out.println("authorities=" + authorities); for (GrantedAuthority grantedAuthority : authorities) { if (grantedAuthority.getAuthority().equals(needRole)) { return; } if (grantedAuthority.getAuthority().equals("ROLE_ADMIN")) { return; } } } throw new AccessDeniedException("無訪問權(quán)限"); }
把MyFilterInvocationSecurityMetadataSource 注冊到MySecurityResourceServerConfig的重寫方法
public void configure(HttpSecurity http) throws Exception { http .csrf().disable() .exceptionHandling().authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED)) .and() .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) // 另外,如果不設(shè)置,那么在通過瀏覽器訪問被保護(hù)的任何資源時(shí),每次是不同的SessionID,并且將每次請求的歷史都記錄在OAuth3Authentication的details的中 .and() .authorizeRequests().antMatchers("/actuator/health").permitAll().anyRequest().authenticated() // httpSecurity 放過健康檢查,其他都需要驗(yàn)證 設(shè)置了.anyRequest().authenticated()才回進(jìn)入自定義的權(quán)限判斷 .and() .requestMatchers().antMatchers("/auth/**") // .requestMatchers().antMatchers(...) OAuth3設(shè)置對資源的保護(hù)如果是用 /**的話 會把上面的也攔截掉 .and() .authorizeRequests() .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() { // 重寫做權(quán)限判斷 @Override public <O extends FilterSecurityInterceptor> O postProcess(O o) { o.setSecurityMetadataSource(filterInvocationSecurityMetadataSource); // 請求需要權(quán)限 o.setAccessDecisionManager(accessDecisionManager); // 權(quán)限判斷 return o; } }) .and() .httpBasic(); http.exceptionHandling().accessDeniedHandler(accessDeniedHandler); }
嘗試并請求打印信息:
到此,相信大家對“Spring Security OAuth2中怎么根據(jù)請求URI動態(tài)權(quán)限判斷”有了更深的了解,不妨來實(shí)際操作一番吧!這里是億速云網(wǎng)站,更多相關(guān)內(nèi)容可以進(jìn)入相關(guān)頻道進(jìn)行查詢,關(guān)注我們,繼續(xù)學(xué)習(xí)!
免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場,如果涉及侵權(quán)請聯(lián)系站長郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。