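Spring in Action: Spring Security authorization whitelist
阿新 • Published: 2018-11-04
Part 9: Spring in Action: Spring Security authorization whitelist
When we add authorization to an application, the main goal is to protect the features that need protecting. Not every feature has to be protected, for example the system home page or the help center.
In that case we can use a whitelist to make certain features public to users who are not logged in. Spring Security supports protecting fixed paths as well as pattern-matched paths.
1. Override the configure methods in SecurityConfig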
```java
package com.halfworlders.idat.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl;

import com.halfworlders.idat.security.IdatUserDetailsService;
import com.halfworlders.idat.security.SecurityWhitelistHandler;
import com.halfworlders.idat.service.Userservice;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private Userservice userservice;

    @Autowired
    private SecurityWhitelistHandler whitelistHandler;

    // The whitelist file is loaded from the classpath and injected into the handler.
    @Bean
    public static Resource securityWhitelistResource() {
        return new ClassPathResource("/security_whitelist.properties");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // requiresChannel() sets whether a request needs a secure channel.
        // With requiresSecure(), Spring Security treats the request as needing a
        // secure channel and automatically redirects it to HTTPS.
        // With requiresInsecure(), Spring Security treats the request as not
        // needing a secure HTTP channel.
        // http.requiresChannel().anyRequest().requiresSecure();

        // Whitelist rules are registered first; every other request must be authenticated.
        whitelistHandler.handle(http)
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        /*
         * The best approach is the UserDetailsService interface: Spring Security then
         * does not need to know how the system verifies user data, and developers can
         * implement it any way they like behind the interface, which makes the system
         * more flexible.
         */
        auth.userDetailsService(new IdatUserDetailsService(userservice));
    }
}
```
The configuration methods used to define how a path is protected are:
2. Build the whitelist handler class
```java
package com.halfworlders.idat.security;

import java.util.Collection;
import java.util.Properties;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.io.Resource;
import org.springframework.core.io.support.PropertiesLoaderUtils;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.stereotype.Component;

@Component
public class SecurityWhitelistHandler {

    @Autowired
    private Resource securityWhitelistResource;

    public HttpSecurity handle(HttpSecurity http) throws Exception {
        // Load the whitelist; only the property values (the paths) are used.
        Properties props = PropertiesLoaderUtils.loadProperties(securityWhitelistResource);
        Collection<Object> values = props.values();
        String[] liString = new String[values.size()];
        values.toArray(liString);

        // Each value is passed to regexMatchers(), so it is evaluated as a
        // regular expression, and matching requests are open to everyone.
        return http
            .authorizeRequests()
            .regexMatchers(liString)
            .permitAll()
            .and();
    }
}
```
3. The whitelist configuration file security_whitelist.properties
home=/home
login=/home/login*
regist=/home/regist*
help=/help
With this in place, the pages /home, /home/login*, /home/regist*, and /help can be accessed without logging in.
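Because the handler passes the whitelist values to `regexMatchers`, each value is a Java regular expression that must match the whole request path (plus `?query` when a query string is present), so `*` repeats the preceding character instead of acting as a wildcard. The following check is an added example, not code from the original article: it evaluates the four whitelist values against constructed sample URLs, once as regular expressions and once under a simplified glob reading of `*`; the class name, helper names and sample URLs are assumptions.

```java
import java.util.regex.Pattern;

public class WhitelistPatternCheck {

    // The four values from security_whitelist.properties on this page.
    static final String[] WHITELIST = {"/home", "/home/login*", "/home/regist*", "/help"};

    // How regexMatchers() evaluates a value: the regex must match the entire
    // servlet path, with "?query" appended when a query string is present.
    static boolean regexPermits(String url) {
        for (String p : WHITELIST) {
            if (Pattern.compile(p).matcher(url).matches()) {
                return true;
            }
        }
        return false;
    }

    // Simplified glob reading (an assumption for comparison, not Spring's
    // AntPathMatcher): "*" is any run of characters inside one path segment,
    // and the query string is ignored.
    static boolean globPermits(String url) {
        String path = url.split("\\?", 2)[0];
        for (String p : WHITELIST) {
            // Quote the literal parts, then reopen the quoting around each "*".
            String regex = Pattern.quote(p).replace("*", "\\E[^/]*\\Q");
            if (Pattern.matches(regex, path)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        String[] urls = {"/home", "/home?lang=en", "/home/login", "/home/logi",
                         "/home/login.html", "/home/register", "/help", "/admin"};
        for (String u : urls) {
            System.out.printf("%-18s regex=%-5b glob=%b%n",
                    u, regexPermits(u), globPermits(u));
        }
    }
}
```

If wildcard semantics are what the whitelist is meant to express, `antMatchers` is the Spring Security matcher that takes Ant-style patterns. Either way, test the whitelist against the URLs that must stay protected as well as the ones that must be public.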