This is a complete walkthrough of "Annotation-based permission checks in Spring MVC", which proceeds in the following steps:
1. Add dependencies
Add the following dependencies to pom.xml:
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring-security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${spring-security.version}</version>
</dependency>
2. Configure Spring Security
Configuring Spring Security in Spring MVC involves the following steps:
2.1 Add the Spring Security configuration
Create a spring-security.xml configuration file under the WEB-INF folder with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                             http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/user/**" access="hasRole('ROLE_USER')"/>
    </http>

    <!-- The alias makes the manager referable as "authenticationManager" from other bean definitions -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <!-- In-memory users with plaintext passwords are for demonstration only; real users belong in a
                 store with a PasswordEncoder (Spring Security 5 and later also require an {id} prefix such as
                 {noop} for plaintext passwords) -->
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_ADMIN,ROLE_USER"/>
                <user name="user" password="user" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</b:beans>
This configuration intercepts the two URL spaces /admin/** and /user/**: only users holding ROLE_ADMIN may access /admin/**, and only users holding ROLE_USER may access /user/**. Any other request to those paths is rejected.
2.2 Configure the Spring Security filter
Configure the Spring Security filter so that it is active inside Spring. Add the following to the Spring MVC configuration file applicationContext.xml:
<!-- The servlet container must route requests through Spring Security. Register a
     org.springframework.web.filter.DelegatingFilterProxy in web.xml with the filter-name
     "springSecurityFilterChain" (or the init-param targetBeanName set to that value); the proxy
     delegates to the bean of that name defined below. -->
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map>
        <security:filter-chain pattern="/admin/**" filters="securityFilter"/>
        <security:filter-chain pattern="/user/**" filters="securityFilter"/>
    </security:filter-chain-map>
</bean>

<!-- The interceptor that makes the access decision for each matched URL -->
<bean id="securityFilter" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="securityMetadataSource">
        <!-- Plain (non-expression) attributes, because MyAccessDecisionManager compares the attribute
             text directly against the caller's granted authorities -->
        <security:filter-security-metadata-source use-expressions="false">
            <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
            <security:intercept-url pattern="/user/**" access="ROLE_USER"/>
        </security:filter-security-metadata-source>
    </property>
</bean>

<!-- The custom decision manager written in step 3 (class name is case-sensitive) -->
<bean id="accessDecisionManager" class="com.example.MyAccessDecisionManager"/>
This sets up a Spring Security filter chain explicitly: each intercepted URL pattern is mapped to the security interceptor, and the interceptor in turn needs an access decision manager that makes the final allow/deny decision. Note that the <http> element in spring-security.xml already registers its own bean named springSecurityFilterChain with the complete filter set; the hand-built chain above is an alternative to it, and because it contains only the FilterSecurityInterceptor, a request reaches that interceptor without an Authentication in the SecurityContext unless the usual security-context and authentication filters are placed in front of it.
3. Write MyAccessDecisionManager
Create a class named MyAccessDecisionManager in the com.example package that implements Spring Security's AccessDecisionManager interface. It can be implemented as follows:
package com.example;

import java.util.Collection;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class MyAccessDecisionManager implements AccessDecisionManager {

    @Override
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        if (authentication == null || !authentication.isAuthenticated()) {
            throw new InsufficientAuthenticationException("Caller is not authenticated");
        }
        // Grant access as soon as the caller holds one of the required attributes (e.g. ROLE_ADMIN).
        // Authority strings are compared directly so that any GrantedAuthority implementation works,
        // not only SimpleGrantedAuthority.
        for (ConfigAttribute configAttribute : configAttributes) {
            String required = configAttribute.getAttribute();
            if (required == null) {
                continue;
            }
            for (GrantedAuthority granted : authentication.getAuthorities()) {
                if (required.equals(granted.getAuthority())) {
                    return;
                }
            }
        }
        // Deny by default: none of the required attributes matched
        throw new AccessDeniedException("Access denied");
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        // Only plain attributes such as ROLE_ADMIN can be evaluated here; expression attributes
        // return null from getAttribute(), so rejecting them makes the interceptor fail fast at startup
        return attribute.getAttribute() != null;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        // The decision only inspects the Authentication, so any secured object type is acceptable
        return true;
    }
}
The permission check is implemented by overriding the decide method of the AccessDecisionManager interface: access is granted only when the caller holds one of the configured attributes and denied otherwise. Methods that need permission control are then marked with the @Secured annotation.
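The following is an added example and not part of the original tutorial: it drives the MyAccessDecisionManager from step 3 outside a servlet container, using constructed authentication tokens for the two in-memory users and the plain ROLE_* attributes the URL patterns carry. It assumes the step 3 class is compiled as written in package com.example; the class name AccessDecisionDemo and the helper isAllowed are names chosen here. A FilterInvocation built with its (servletPath, method) constructor stands in for the secured object.

```java
package com.example;

import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

/**
 * Added example (not from the original tutorial): exercises the custom
 * MyAccessDecisionManager from step 3 with constructed tokens and attributes,
 * so its allow/deny behaviour can be checked without deploying the web app.
 */
public class AccessDecisionDemo {

    /** Runs decide() and reports whether the manager permitted the call. */
    static boolean isAllowed(AccessDecisionManager manager, Authentication auth,
                             FilterInvocation invocation, Collection<ConfigAttribute> attrs) {
        try {
            manager.decide(auth, invocation, attrs);
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        AccessDecisionManager manager = new MyAccessDecisionManager();

        // Constructed tokens mirroring the two in-memory users of spring-security.xml
        // (TestingAuthenticationToken marks a token with authorities as authenticated)
        Authentication admin = new TestingAuthenticationToken("admin", "n/a", "ROLE_ADMIN", "ROLE_USER");
        Authentication user = new TestingAuthenticationToken("user", "n/a", "ROLE_USER");

        // Plain attributes, as the filter-security-metadata-source attaches to the URL patterns
        List<ConfigAttribute> adminArea = SecurityConfig.createList("ROLE_ADMIN");
        List<ConfigAttribute> userArea = SecurityConfig.createList("ROLE_USER");

        // Stand-in secured objects for the two protected URL spaces
        FilterInvocation adminHello = new FilterInvocation("/admin/hello", "GET");
        FilterInvocation userHello = new FilterInvocation("/user/hello", "GET");

        System.out.println("admin -> /admin/hello : " + isAllowed(manager, admin, adminHello, adminArea));
        System.out.println("user  -> /admin/hello : " + isAllowed(manager, user, adminHello, adminArea));
        System.out.println("user  -> /user/hello  : " + isAllowed(manager, user, userHello, userArea));
        System.out.println("admin -> /user/hello  : " + isAllowed(manager, admin, userHello, userArea));
    }
}
```

Run it with spring-security-core and spring-security-web on the classpath. The admin token, which carries both roles, is permitted for both URL spaces, while the user token is permitted for /user/hello and rejected for /admin/hello; the rejection is the deny-by-default branch of decide, which is the property worth confirming before the manager is wired into the filter chain.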
4. Add the permission-check annotation
Add the @Secured annotation to each method that requires a permission check, for example:
package com.example;

import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
@RequestMapping("/admin")
public class AdminController {

    // Method-level check: only callers holding ROLE_ADMIN may invoke this handler
    @RequestMapping(value = "/hello", method = RequestMethod.GET)
    @Secured("ROLE_ADMIN")
    public ModelAndView helloAdmin() {
        ModelAndView mav = new ModelAndView("admin/hello");
        mav.addObject("message", "Hello, Admin!");
        return mav;
    }
}
With the @Secured annotation in place, Spring Security reads the annotation on the method together with our configuration and performs the permission check whenever the method is invoked. Two conditions must hold for this to happen: method security must be switched on in the context that creates the controller beans with <global-method-security secured-annotations="enabled"/> (add access-decision-manager-ref="accessDecisionManager" to that element if the custom manager from step 3 should decide method calls as well), and the controller must be proxied, which for a class that implements no interface means class-based (CGLIB) proxying.
That completes the walkthrough of "Annotation-based permission checks in Spring MVC": it covered the permission configuration, the filter configuration, and adding the @Secured annotation to the methods that need permission control.