Spring Security OAuth2中怎么根據(jù)請求URI動態(tài)權(quán)限判斷

本篇內(nèi)容主要講解“Spring Security OAuth2中怎么根據(jù)請求URI動態(tài)權(quán)限判斷”，感興趣的朋友不妨來看看。本文介紹的方法操作簡單快捷，實(shí)用性強(qiáng)。下面就讓小編來帶大家學(xué)習(xí)“Spring Security OAuth2中怎么根據(jù)請求URI動態(tài)權(quán)限判斷”吧!

優(yōu)化內(nèi)容：先增加一級獲取uri然后判斷uri需要什么權(quán)限，可以多個(gè)并且的權(quán)限 等等然后 在經(jīng)過權(quán)限判斷器進(jìn)行攔截判斷

新建自定義的url權(quán)限判斷MyFilterInvocationSecurityMetadataSource 實(shí)現(xiàn)FilterInvocationSecurityMetadataSource

/**
 * @Description 根據(jù)url獲取 url需要訪問的權(quán)限
 * @Author wwz
 * @Date 2019/08/01
 * @Param
 * @Return
 */
@Component
public class MyFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    private AntPathMatcher antPathMatcher = new AntPathMatcher(); // 模糊匹配 如何 auth/**   auth/auth

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        Set<ConfigAttribute> set = new HashSet<>();

        String requestUrl = ((FilterInvocation) object).getRequest().getMethod() + ((FilterInvocation) object).getRequest().getRequestURI();
        System.out.println("requestUrl >> " + requestUrl);

        // 這里獲取對比數(shù)據(jù)可以從數(shù)據(jù)庫或者內(nèi)存 redis等等地方獲取 目前先寫死后面優(yōu)化
        String url = "GET/auth/**";
        if (antPathMatcher.match(url, requestUrl)) {
            SecurityConfig securityConfig = new SecurityConfig("ROLE_ADMIN");
            set.add(securityConfig);
        }
        if (ObjectUtils.isEmpty(set)) {
            return SecurityConfig.createList("ROLE_LOGIN");
        }
        return set;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}

修改原來MySecurityAccessDecisionManager 的decide，從獲取到url 改成獲取到需要什么權(quán)限。其他判斷不變

    @Override
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {

        System.out.println("collection>>" + configAttributes);

        for (ConfigAttribute configAttribute : configAttributes) {
            // 當(dāng)前請求需要的權(quán)限
            String needRole = configAttribute.getAttribute();
            // 當(dāng)前用戶所具有的權(quán)限
            Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
            System.out.println("authorities=" + authorities);
            for (GrantedAuthority grantedAuthority : authorities) {
                if (grantedAuthority.getAuthority().equals(needRole)) {
                    return;
                }
                if (grantedAuthority.getAuthority().equals("ROLE_ADMIN")) {
                    return;
                }

            }
        }
        throw new AccessDeniedException("無訪問權(quán)限");
    }

把MyFilterInvocationSecurityMetadataSource 注冊到MySecurityResourceServerConfig的重寫方法

 public void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .exceptionHandling().authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) // 另外，如果不設(shè)置，那么在通過瀏覽器訪問被保護(hù)的任何資源時(shí)，每次是不同的SessionID，并且將每次請求的歷史都記錄在OAuth3Authentication的details的中
                .and()
                .authorizeRequests().antMatchers("/actuator/health").permitAll().anyRequest().authenticated()  // httpSecurity 放過健康檢查，其他都需要驗(yàn)證  設(shè)置了.anyRequest().authenticated()才回進(jìn)入自定義的權(quán)限判斷
                .and()
                .requestMatchers().antMatchers("/auth/**") // .requestMatchers().antMatchers(...) OAuth3設(shè)置對資源的保護(hù)如果是用 /**的話 會把上面的也攔截掉
                .and()
                .authorizeRequests()
                .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {       // 重寫做權(quán)限判斷
                    @Override
                    public <O extends FilterSecurityInterceptor> O postProcess(O o) {
                        o.setSecurityMetadataSource(filterInvocationSecurityMetadataSource); // 請求需要權(quán)限
                        o.setAccessDecisionManager(accessDecisionManager);      // 權(quán)限判斷
                        return o;
                    }
                })
                .and()
                .httpBasic();

        http.exceptionHandling().accessDeniedHandler(accessDeniedHandler);
    }

嘗試并請求打印信息：

到此，相信大家對“Spring Security OAuth2中怎么根據(jù)請求URI動態(tài)權(quán)限判斷”有了更深的了解，不妨來實(shí)際操作一番吧！這里是億速云網(wǎng)站，更多相關(guān)內(nèi)容可以進(jìn)入相關(guān)頻道進(jìn)行查詢，關(guān)注我們，繼續(xù)學(xué)習(xí)！