spring security method security
生活随笔
收集整理的這篇文章主要介紹了
spring security method security
小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.
spring security method security
這些調(diào)用序列,只要有一個不滿足權(quán)限,后面的方法不會再調(diào)用
posted on 2016-02-22 01:35 好吧,就是菜菜 閱讀(...) 評論(...) 編輯 收藏
參考
Spring Security 官方文檔
http://www.concretepage.com/spring/spring-security/preauthorize-postauthorize-in-spring-security
方法調(diào)用安全
對應(yīng)的注解@EnableGlobalMethodSecurity,該注解放在GlobalMethodSecurityConfiguration的子類上方
@EnableGlobalMethodSecurity(prePostEnabled = true)
使用的Voter
org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter
有倆對對應(yīng)的注解
@PreAuthorize 決定方法是否可以被調(diào)用
@PostAuthorize 決定方法是否可以返回該值
@PreFilter
@PostFilter
如下:
package com.jiangchong.methodsecurity;import org.springframework.security.access.method.P; import org.springframework.security.access.prepost.PostAuthorize; import org.springframework.security.access.prepost.PreAuthorize;public interface IBookService {@PreAuthorize("hasRole('ROLE_ADMIN')")public void addBook(Book book);// PostAuthorize,決定這個值是否可以被返回,使用returnObject/** Less commonly, you may wish to perform an access-control check after the* method has been invoked. This can be achieved using the @PostAuthorize* annotation. To access the return value from a method, use the built-in* name returnObject in the expression.*/@PostAuthorize("returnObject.owner == authentication.name")public Book getBook();// PreAuthorize,決定這個方法是否可以被調(diào)用/** @P單個參數(shù)的方法*/@PreAuthorize("#b.owner == authentication.name")public void deleteBook(@P("b") Book book);/** @Param放在至少有一個參數(shù)的方法的上* * @PreAuthorize("#n == authentication.name") Contact* findContactByName(@Param("n") String name)*/// springEL/** @PreAuthorize("#contact.name == authentication.name") public void* doSomething(Contact contact);*/}測試的Demo,基于Spring Boot
Pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>com.jiangchong</groupId><artifactId>methodsecurity</artifactId><version>0.0.1-SNAPSHOT</version><packaging>war</packaging><name>methodsecurity</name><url>http://maven.apache.org</url><properties><project.build.sourceEncoding>UTF-8</project.build.sourceEncoding></properties><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>1.3.2.RELEASE</version></parent><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId><scope>compile</scope></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter</artifactId></dependency><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-core</artifactId></dependency><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-web</artifactId><scope>compile</scope></dependency><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-config</artifactId></dependency></dependencies> </project>App.class
package com.jiangchong.methodsecurity;import java.util.Map;import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController;/****/ @RestController @SpringBootApplication public class App {@Autowiredpublic IBookService bookService;public static void main(String[] args){SpringApplication.run(App.class, args);}@RequestMapping("/")public Map<String, String> test(){Book b1 = new Book("A", "admin");bookService.addBook(b1);bookService.getBook();System.out.println("user return");Book b2 = new Book("B", "user");bookService.deleteBook(b2);return null;}/** @RequestMapping("/admin") public Map<String, String> testAdmin() {* Map<String, String> map = new HashMap<>(); map.put("admin", "admin");* return map; }* * @RequestMapping("/user") public Map<String, String> testUser(String name)* { Map<String, String> map = new HashMap<>(); map.put("user", "user");* return map; }* * @RequestMapping("/resource/test") public Map<String, String>* testResouce() { Map<String, String> map = new HashMap<>();* map.put("test", "resource"); return map; }*/ }Book.class
package com.jiangchong.methodsecurity;public class Book {private String name;private String owner;public Book(String name, String owner){this.name = name;this.owner = owner;}public String getName(){return name;}public void setName(String name){this.name = name;}public String getOwner(){return owner;}public void setOwner(String owner){this.owner = owner;} }BookService.class
package com.jiangchong.methodsecurity;import org.springframework.stereotype.Service;@Service public class BookService implements IBookService {@Overridepublic void addBook(Book book){System.out.println("You have successfully added book.");}@Overridepublic Book getBook(){Book book = new Book("B", "user");System.out.println("return " + book.getOwner());return book;}@Overridepublic void deleteBook(Book book){System.out.println("Books deleted");}}IBookService
package com.jiangchong.methodsecurity;import org.springframework.security.access.method.P; import org.springframework.security.access.prepost.PostAuthorize; import org.springframework.security.access.prepost.PreAuthorize;public interface IBookService {@PreAuthorize("hasRole('ROLE_ADMIN')")public void addBook(Book book);// PostAuthorize,決定這個值是否可以被返回,使用returnObject/** Less commonly, you may wish to perform an access-control check after the* method has been invoked. This can be achieved using the @PostAuthorize* annotation. To access the return value from a method, use the built-in* name returnObject in the expression.*/@PostAuthorize("returnObject.owner == authentication.name")public Book getBook();// PreAuthorize,決定這個方法是否可以被調(diào)用/** @P單個參數(shù)的方法*/@PreAuthorize("#b.owner == authentication.name")public void deleteBook(@P("b") Book book);/** @Param放在至少有一個參數(shù)的方法的上* * @PreAuthorize("#n == authentication.name") Contact* findContactByName(@Param("n") String name)*/// springEL/** @PreAuthorize("#contact.name == authentication.name") public void* doSomething(Contact contact);*/}MethodSecurityConfig
package com.jiangchong.methodsecurity;import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;@Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {protected void configure(AuthenticationManagerBuilder auth)throws Exception{auth.inMemoryAuthentication();}}WebSecurityConfig
package com.jiangchong.methodsecurity;import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter {protected void configure(HttpSecurity http) throws Exception{http.authorizeRequests().anyRequest().authenticated().and().formLogin().loginProcessingUrl("/login").permitAll();}public void configure(WebSecurity web) throws Exception{web.ignoring().antMatchers("/resource/**");}protected void configure(AuthenticationManagerBuilder auth)throws Exception{auth.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN").and().withUser("user").password("user").roles("USER");}} Book b1 = new Book("A", "admin");bookService.addBook(b1);bookService.getBook();System.out.println("user return");Book b2 = new Book("B", "user");bookService.deleteBook(b2);這些調(diào)用序列,只要有一個不滿足權(quán)限,后面的方法不會再調(diào)用
posted on 2016-02-22 01:35 好吧,就是菜菜 閱讀(...) 評論(...) 編輯 收藏
轉(zhuǎn)載于:https://www.cnblogs.com/shuiyonglewodezzzzz/p/5206000.html
總結(jié)
以上是生活随笔為你收集整理的spring security method security的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 为什么总是梦到老公跟别人好
- 下一篇: JQuery常用知识点汇总