如何提供访问权限(Spring 安全)
How to provide access (Spring Security)
如何设置权限,以便只有管理员可以使用他的用户名和密码访问 JSP 页面。假设一个页面 (allStudents.jsp) 只对管理员可用,为此他必须输入他的用户名和密码
如何设置权限,以便只有管理员可以使用他的用户名和密码访问 JSP 页面。假设一个页面 (allStudents.jsp) 只对管理员可用,为此他必须输入他的用户名和密码
package adil.java.schoolmaven.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.stereotype.Component;
@Order(1)
@Configuration
@EnableWebSecurity
@Component
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private MyBasicAuthenticationEntryPoint authenticationEntryPoint;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password(passwordEncoder().encode("1234"))
.authorities("ROLE_ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/securityNone").permitAll() //??????
.anyRequest().authenticated()
.and()
.httpBasic()
.authenticationEntryPoint(authenticationEntryPoint);
http.addFilterAfter(new CustomFilter(),
BasicAuthenticationFilter.class);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
enter image description here
我正在更改代码,请查看此代码
@Order(1)
@Configuration
@EnableWebSecurity
@Component
public class СostumWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private MyBasicAuthenticationEntryPoint authenticationEntryPoint;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password(passwordEncoder().encode("1234"))
.authorities("ROLE_ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/allStudents").hasRole("ADMIN");
.anyRequest().authenticated()
.and()
.httpBasic()
.authenticationEntryPoint(authenticationEntryPoint);
http.addFilterAfter(new CustomFilter(),
BasicAuthenticationFilter.class);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
整页授权示例
With expressions enabled for the http element, an URL pattern can be
secured as follows:
@Configuration
@EnableWebSecurity
public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/allStudents").hasRole("ROLE_ADMIN"); // assuming this is your endpoint/controller for allStudents.jsp page
}
}
方法级授权示例 – @PreAuthorize
Security Expressions can be used to secure business functionality at
the method level as well, by using annotations.
The annotations @PreAuthorize and @PostAuthorize (as well as
@PreFilter and @PostFilter) support Spring Expression Language (SpEL)
and provide expression-based access control.
First, in order to use method level security, we need to enable this
in the security configuration using @EnableGlobalMethodSecurity:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
}
Then, we can secure methods using the Spring @PreAuthorize annotation:
@Service
public class FooService {
@PreAuthorize("hasRole('ROLE_ADMIN')")
public List<Foo> findAll() { ... }
...
}
关于这个例子更深入的解释,你可以参考这个link
如何设置权限,以便只有管理员可以使用他的用户名和密码访问 JSP 页面。假设一个页面 (allStudents.jsp) 只对管理员可用,为此他必须输入他的用户名和密码
如何设置权限,以便只有管理员可以使用他的用户名和密码访问 JSP 页面。假设一个页面 (allStudents.jsp) 只对管理员可用,为此他必须输入他的用户名和密码
package adil.java.schoolmaven.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.stereotype.Component;
@Order(1)
@Configuration
@EnableWebSecurity
@Component
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private MyBasicAuthenticationEntryPoint authenticationEntryPoint;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password(passwordEncoder().encode("1234"))
.authorities("ROLE_ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/securityNone").permitAll() //??????
.anyRequest().authenticated()
.and()
.httpBasic()
.authenticationEntryPoint(authenticationEntryPoint);
http.addFilterAfter(new CustomFilter(),
BasicAuthenticationFilter.class);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
enter image description here
我正在更改代码,请查看此代码
@Order(1)
@Configuration
@EnableWebSecurity
@Component
public class СostumWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private MyBasicAuthenticationEntryPoint authenticationEntryPoint;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password(passwordEncoder().encode("1234"))
.authorities("ROLE_ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/allStudents").hasRole("ADMIN");
.anyRequest().authenticated()
.and()
.httpBasic()
.authenticationEntryPoint(authenticationEntryPoint);
http.addFilterAfter(new CustomFilter(),
BasicAuthenticationFilter.class);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
整页授权示例
With expressions enabled for the http element, an URL pattern can be secured as follows:
@Configuration
@EnableWebSecurity
public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/allStudents").hasRole("ROLE_ADMIN"); // assuming this is your endpoint/controller for allStudents.jsp page
}
}
方法级授权示例 – @PreAuthorize
Security Expressions can be used to secure business functionality at the method level as well, by using annotations.
The annotations @PreAuthorize and @PostAuthorize (as well as @PreFilter and @PostFilter) support Spring Expression Language (SpEL) and provide expression-based access control.
First, in order to use method level security, we need to enable this in the security configuration using @EnableGlobalMethodSecurity:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
}
Then, we can secure methods using the Spring @PreAuthorize annotation:
@Service
public class FooService {
@PreAuthorize("hasRole('ROLE_ADMIN')")
public List<Foo> findAll() { ... }
...
}
关于这个例子更深入的解释,你可以参考这个link