How to restrict access to a Spring MVC controller

I am writing a web service with login and registration forms. There are two kinds of users: ordinary users and administrators. There is a controller that serves the admin page at a given URL:

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class ViewPageController {
    @RequestMapping(value = "/admin", method = RequestMethod.GET)
    public String sendAdminPage() {
        return "AdminPage";
    }
}

But ordinary users can reach this page as well. Only a user logged in as an administrator should be able to get to the admin page. What options are there for organizing this? Is it possible to keep the logged-in user in the session? (Preferably without Spring Security.)

A simple approach: define an aspect and an annotation

Authorize.java

package com.jin.learn.config.security;

import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Inherited
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface Authorize {

    // Rights the caller must hold; an empty list means no check is performed.
    String[] value() default {};

}

Usage on the controller method:

@Authorize(value = "needRight")
@RequestMapping(value = "/admin", method = RequestMethod.GET)
public String sendAdminPage() {
    return "AdminPage";
}

AuthorizationAspect.java

import java.util.Arrays;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.aspectj.lang.reflect.MethodSignature;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

// AuthorizationService, CacheUtil, JWTUtil, SystemException and ExceptionCode
// are the answerer's own classes; their packages are not shown here.

@Slf4j
@Aspect
@Component
@RequiredArgsConstructor
public class AuthorizationAspect {

    private final AuthorizationService authorizationService;

    private final CacheUtil cacheUtil;

    // Cache key prefix for a user's set of rights
    private static final String PRE = "AUTH";

    // Runs before any method carrying @Authorize
    @Before("@annotation(com.jin.learn.config.security.Authorize)")
    public void checkPermission(JoinPoint joinPoint) {
        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();

        // Identify the caller from the JWT in the request, then load their rights (cached per account)
        Long accountId = JWTUtil.getUserIdFromRequest(request);
        Set<String> authorization = cacheUtil.getAllSet(PRE + accountId);
        if (authorization == null) {
            authorization = authorizationService.findByAccountId(accountId);
            cacheUtil.save(PRE + accountId, authorization);
        }
        // Rights required by the annotation on the intercepted method
        Authorize authorize = ((MethodSignature) joinPoint.getSignature()).getMethod().getAnnotation(Authorize.class);
        String[] needAuthorization = authorize.value();
        if (needAuthorization.length == 0) return;
        // Deny unless the caller holds every required right
        if (authorization != null && !authorization.isEmpty()) {
            if (!authorization.containsAll(Arrays.asList(needAuthorization))) {
                throw new SystemException(ExceptionCode.NO_PERMISSION);
            }
        } else {
            throw new SystemException(ExceptionCode.NO_PERMISSION);
        }
    }
}
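The same annotation-plus-aspect pattern, but answering the question's "without Spring Security, user kept in the session" case, as an added example that is not part of the answer above: the caller's rights are read from the HttpSession rather than from a JWT and cache. It assumes the login handler stores a Set<String> of rights under a session attribute named "roles" (an assumed name), and reuses the @Authorize annotation from the answer.

```java
// Added example: session-backed variant of the aspect above (not the answerer's code).
// Assumes the login handler puts a Set<String> of rights in the session under "roles".
import java.util.Arrays;
import java.util.Set;

import javax.servlet.http.HttpSession;

import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.server.ResponseStatusException;

@Aspect
@Component
public class SessionAuthorizationAspect {

    /** Session attribute name (assumed) that the login handler fills with the user's rights. */
    static final String ROLES_ATTR = "roles";

    // Binding form of the pointcut: the matched @Authorize instance is passed in directly.
    @Before("@annotation(authorize)")
    public void checkPermission(JoinPoint joinPoint, Authorize authorize) {
        String[] required = authorize.value();
        if (required.length == 0) return;   // annotation present but no rights listed

        ServletRequestAttributes attrs =
            (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attrs == null) {                // not inside a web request: deny rather than NPE
            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
        }
        // getSession(false): never create a session just to check it
        HttpSession session = attrs.getRequest().getSession(false);
        if (session == null) {              // nobody logged in
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
        }
        @SuppressWarnings("unchecked")
        Set<String> roles = (Set<String>) session.getAttribute(ROLES_ATTR);
        // Deny unless every required right is present
        if (roles == null || !roles.containsAll(Arrays.asList(required))) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
        }
    }
}
```

The aspect only fires for a method-level @Authorize on a Spring-managed controller invoked through its proxy; a call from another method of the same bean bypasses it. Regenerating the session id at login (request.changeSessionId()) keeps the stored rights from being tied to a pre-login session.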


Also, there are some security frameworks; you can use Spring Security for authentication and authorization. Are you using Spring Security? If so, you can use the
@PreAuthorize
annotation to restrict access to specific roles. For example,
@PreAuthorize("hasRole('ROLE_ADMIN')")