Spring Security: want a custom ExpressionInterceptur to dynamically manage access to URLs
We have information packs on URLs that users need access rights to, like this:

- /InfoPacks/InfoPack1/
- /InfoPacks/InfoPack2/
- etc.

Users need ROLE_INFOPACK1 to access /InfoPacks/INFOPACK1/ and ROLE_INFOPACK2 to access /InfoPacks/INFOPACK2/, etc. We are adding packs all the time, so adding to WebSecurityConfig() .antMatchers("/InfoPacks/InfoPack1/***").hasAuthority("ROLE
Any pointers are most welcome.

Thanks to the help, I figured it out. My web security configuration now looks like:
```java
protected void configure(HttpSecurity http) throws Exception {
    http
        .headers()
            .frameOptions().sameOrigin()
            .and()
        .csrf().disable()
        .exceptionHandling()
            .and()
        .authorizeRequests()
            // .... (other matchers)
            .antMatchers("/Infopacks/**/*").authenticated()
            // accessDecisionManager(...) is set on the authorizeRequests() registry as a whole,
            // so the voters below run for every request it secures
            .accessDecisionManager(accessDecisionManager())
            // ..... etc
            ;
}

@SuppressWarnings("unchecked")
@Bean
public AccessDecisionManager accessDecisionManager() {
    System.out.println("Arrive AccessDecisionManager");
    List<AccessDecisionVoter<? extends Object>> decisionVoters
        = Arrays.asList(
            new WebExpressionVoter(),
            new RoleVoter(),
            new AuthenticatedVoter(),
            new DynamicVoter());
    // UnanimousBased: a single ACCESS_DENIED vote from any voter rejects the request
    return new UnanimousBased(decisionVoters);
}
```
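So the user authorization system only needs to add the infopack name as a granted authority to allow the user to access the infopack directory. You can add new infopack directories at will without changing the code.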
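```java
// vote() of the DynamicVoter registered in accessDecisionManager()
@Override
public int vote(Authentication a, Object s, Collection clctn) {
    // Request URL as seen by the security filter
    String url = ((FilterInvocation) s).getRequestUrl();
    int vote = ACCESS_ABSTAIN; // not an infopack URL: leave it to the other voters
    if (url.contains("/Infopack")) {
        vote = ACCESS_DENIED; // infopack URL: deny unless an authority matches
        for (GrantedAuthority ga : a.getAuthorities()) {
            // Substring test: grants when the authority name occurs anywhere in the upper-cased URL
            if (url.toUpperCase().contains(ga.getAuthority())) {
                vote = ACCESS_GRANTED;
                break;
            }
        }
    }
    return vote;
}
```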
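As an added example (not the answer author's code), here is the same vote written as plain Java without Spring types, comparing the whole directory segment after the prefix for equality instead of searching the URL for the authority string. The class name `InfopackVote`, the case-insensitive `/infopacks/` prefix and the rule that an authority equals the upper-cased directory name are assumptions; the URLs and the authority in `main` are constructed samples.

```java
import java.util.Set;

// Added example (not the answer's code): exact-segment authority check, plain Java.
public class InfopackVote {
    // Same numeric values as Spring Security's AccessDecisionVoter constants.
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;
    // Assumption: packs live under this prefix; it is matched case-insensitively.
    static final String PREFIX = "/infopacks/";

    // Returns the pack directory name, or null when the URL is not under the prefix.
    static String packName(String requestUrl) {
        // FilterInvocation.getRequestUrl() includes the query string,
        // so cut it off and decide on the path only.
        int q = requestUrl.indexOf('?');
        String path = q >= 0 ? requestUrl.substring(0, q) : requestUrl;
        if (!path.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            return null;
        }
        String rest = path.substring(PREFIX.length());
        int slash = rest.indexOf('/');
        return slash >= 0 ? rest.substring(0, slash) : rest;
    }

    // Assumption: each authority string is an infopack directory name.
    static int vote(String requestUrl, Set<String> authorities) {
        String pack = packName(requestUrl);
        if (pack == null) {
            return ACCESS_ABSTAIN; // not an infopack URL, let the other voters decide
        }
        // Whole-segment equality: holding INFOPACK1 does not open InfoPack10.
        boolean held = authorities.stream().anyMatch(pack::equalsIgnoreCase);
        return held ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    public static void main(String[] args) {
        Set<String> held = Set.of("INFOPACK1"); // constructed sample authority
        String[] urls = {                       // constructed sample requests
            "/Infopacks/InfoPack1/index.html",
            "/Infopacks/InfoPack10/index.html",
            "/Infopacks/InfoPack2/index.html?from=infopack1",
            "/home"
        };
        for (String url : urls) {
            System.out.println(vote(url, held) + "  " + url);
        }
    }
}
```

Inside a real `AccessDecisionVoter`, the same `vote` would receive `((FilterInvocation) s).getRequestUrl()` and the names returned by `a.getAuthorities()`.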