spring security method security
参考
Spring Security 官方文档
http://www.concretepage.com/spring/spring-security/preauthorize-postauthorize-in-spring-security
方法调用安全
对应的注解@EnableGlobalMethodSecurity,该注解放在GlobalMethodSecurityConfiguration的子类上方
@EnableGlobalMethodSecurity(prePostEnabled = true)
使用的Voter
org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter
有俩对对应的注解
@PreAuthorize 决定方法是否可以被调用
@PostAuthorize 决定方法是否可以返回该值
@PreFilter
@PostFilter
如下:
package com.jiangchong.methodsecurity; import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize; public interface IBookService
{
@PreAuthorize("hasRole('ROLE_ADMIN')")
public void addBook(Book book); // PostAuthorize,决定这个值是否可以被返回,使用returnObject
/*
* Less commonly, you may wish to perform an access-control check after the
* method has been invoked. This can be achieved using the @PostAuthorize
* annotation. To access the return value from a method, use the built-in
* name returnObject in the expression.
*/
@PostAuthorize("returnObject.owner == authentication.name")
public Book getBook(); // PreAuthorize,决定这个方法是否可以被调用
/*
* @P单个参数的方法
*/
@PreAuthorize("#b.owner == authentication.name")
public void deleteBook(@P("b") Book book);
/*
* @Param放在至少有一个参数的方法的上
*
* @PreAuthorize("#n == authentication.name") Contact
* findContactByName(@Param("n") String name)
*/
// springEL
/*
* @PreAuthorize("#contact.name == authentication.name") public void
* doSomething(Contact contact);
*/ }
测试的Demo,基于Spring Boot
Pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion> <groupId>com.jiangchong</groupId>
<artifactId>methodsecurity</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging> <name>methodsecurity</name>
<url>http://maven.apache.org</url> <properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.3.2.RELEASE</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
</dependencies>
</project>
App.class
package com.jiangchong.methodsecurity; import java.util.Map; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController; /**
*
*/
@RestController
@SpringBootApplication
public class App
{
@Autowired
public IBookService bookService; public static void main(String[] args)
{
SpringApplication.run(App.class, args);
} @RequestMapping("/")
public Map<String, String> test()
{
Book b1 = new Book("A", "admin");
bookService.addBook(b1);
bookService.getBook();
System.out.println("user return");
Book b2 = new Book("B", "user");
bookService.deleteBook(b2);
return null;
}
/*
* @RequestMapping("/admin") public Map<String, String> testAdmin() {
* Map<String, String> map = new HashMap<>(); map.put("admin", "admin");
* return map; }
*
* @RequestMapping("/user") public Map<String, String> testUser(String name)
* { Map<String, String> map = new HashMap<>(); map.put("user", "user");
* return map; }
*
* @RequestMapping("/resource/test") public Map<String, String>
* testResouce() { Map<String, String> map = new HashMap<>();
* map.put("test", "resource"); return map; }
*/
}
Book.class
package com.jiangchong.methodsecurity; public class Book
{
private String name;
private String owner; public Book(String name, String owner)
{
this.name = name;
this.owner = owner;
} public String getName()
{
return name;
} public void setName(String name)
{
this.name = name;
} public String getOwner()
{
return owner;
} public void setOwner(String owner)
{
this.owner = owner;
}
}
BookService.class
package com.jiangchong.methodsecurity; import org.springframework.stereotype.Service; @Service
public class BookService implements IBookService
{
@Override
public void addBook(Book book)
{
System.out.println("You have successfully added book.");
} @Override
public Book getBook()
{
Book book = new Book("B", "user");
System.out.println("return " + book.getOwner());
return book;
} @Override
public void deleteBook(Book book)
{
System.out.println("Books deleted");
} }
IBookService
package com.jiangchong.methodsecurity; import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize; public interface IBookService
{
@PreAuthorize("hasRole('ROLE_ADMIN')")
public void addBook(Book book); // PostAuthorize,决定这个值是否可以被返回,使用returnObject
/*
* Less commonly, you may wish to perform an access-control check after the
* method has been invoked. This can be achieved using the @PostAuthorize
* annotation. To access the return value from a method, use the built-in
* name returnObject in the expression.
*/
@PostAuthorize("returnObject.owner == authentication.name")
public Book getBook(); // PreAuthorize,决定这个方法是否可以被调用
/*
* @P单个参数的方法
*/
@PreAuthorize("#b.owner == authentication.name")
public void deleteBook(@P("b") Book book);
/*
* @Param放在至少有一个参数的方法的上
*
* @PreAuthorize("#n == authentication.name") Contact
* findContactByName(@Param("n") String name)
*/
// springEL
/*
* @PreAuthorize("#contact.name == authentication.name") public void
* doSomething(Contact contact);
*/ }
MethodSecurityConfig
package com.jiangchong.methodsecurity; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration; @Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration
{
protected void configure(AuthenticationManagerBuilder auth)
throws Exception
{
auth.inMemoryAuthentication();
} }
WebSecurityConfig
package com.jiangchong.methodsecurity; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
protected void configure(HttpSecurity http) throws Exception
{
http.authorizeRequests().anyRequest().authenticated().and().formLogin()
.loginProcessingUrl("/login").permitAll();
} public void configure(WebSecurity web) throws Exception
{
web.ignoring().antMatchers("/resource/**");
} protected void configure(AuthenticationManagerBuilder auth)
throws Exception
{
auth.inMemoryAuthentication().withUser("admin").password("admin")
.roles("ADMIN").and().withUser("user").password("user")
.roles("USER");
} }
Book b1 = new Book("A", "admin");
bookService.addBook(b1);
bookService.getBook();
System.out.println("user return");
Book b2 = new Book("B", "user");
bookService.deleteBook(b2);
这些调用序列,只要有一个不满足权限,后面的方法不会再调用
spring security method security的更多相关文章
- Spring Security 4 Method security using @PreAuthorize,@PostAuthorize, @Secured, EL--转
原文地址:http://websystique.com/spring-security/spring-security-4-method-security-using-preauthorize-pos ...
- 初识Spring security-添加security
请先查看 初识Spring security-无Security的SpringMVC 在pom.xml文件中添加包 <!-- Spring Security --> <depende ...
- Spring Security(二十二):6.4 Method Security
From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...
- Spring Security(十七):5.8 Method Security
From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...
- Spring boot Security Disable security
When I use security.basic.enabled=false to disable security on a Spring Boot project that has the fo ...
- 41.4 Method Security方法安全性
41.4.1 <global-method-security> 这个元素是为Spring Security beans上的安全方法添加支持的主要手段.可以通过使用注释(在接口或类级别定义) ...
- spring boot + thymeleaf +security自定义规则 的简单使用
1.前言 以前开发一直使用 springMVC模式开发 ,前端页面常使用 JSP ,现在html5淘汰了 ,要么使用html ,要么使用vue , 现在使用spring boot ,有必要总结一下 ...
- 【JavaEE】SSH+Spring Security自定义Security的部分处理策略
本文建立在 SSH与Spring Security整合 一文的基础上,从这篇文章的example上做修改,或者从 配置了AOP 的example上做修改皆可.这里主要补充我在实际使用Spring Se ...
- Spring Cloud:Security OAuth2 自定义异常响应
对于客户端开发或者网站开发而言,调用接口返回有统一的响应体,可以针对性的设计界面,代码结构更加清晰,层次也更加分明. 默认异常响应 在使用 Spring Security Oauth2 登录和鉴权失败 ...
随机推荐
- 大公司的Java面试题集
找工作要面试,有面试就有对付面试的办法.以下一些题目来自我和我朋友痛苦的面试经历,提这些问题的公司包括IBM, E*Trade, Siebel, Motorola, SUN, 以及其它大小公司. 面试 ...
- Linq一 基础知识
1.什么是Linq 他是VS2008(.net framework 3.5)之后一项重大的突破 全程Lnaguage Integrated Query,可以成为数据迭代器. 主要有以下5大块组成: L ...
- 10-20日 && 抽签问题
Ants # include <cstdio> #include <algorithm> ; int L, n, x[MAX_N]; void solve() { ; ; i ...
- Android Performance Optimization
1.zipalign 2.ui优化 3.package size 4.RenderScript 5.Resource Shrinking & Code Shrinking 6.java cod ...
- OSI模型
1.物理层 •设备间接收或发送比特流 •说明电压.线速和线缆等 例子: EIA/TIA-232 V.35 2. 数据链路层 •将比特组合成字节进而组合成帧 •用MAC地址访问介质 •错误发现但不能纠正 ...
- Term_Application
1 CRM(Customer Relationship Management)客户关系管理: (对ERP下游管理不足的补充) 是一个获取.保持和增加可获利客户的方法和过程. 市场营销.销售管理.客户关 ...
- java中Timer的使用
// 第一种方法:设定指定任务task在指定时间time执行后执行TimerTask方法(执行一次) public static void timer1(){ Timer timer = new Ti ...
- App.config/Web.config 中特殊字符的处理
我们知道在应用程序中嵌入连接字符串可能导致安全漏洞和维护问题.使用 Ildasm.exe(MSIL 反汇编程序) 工具可以查看编译到应用程序源代码中的未加密连接字符串.此外,如果连接字符串发生更改,则 ...
- python学习之路(一)屌丝逆袭之路
变量 ...
- Artificial-Intelligence BOOKs
All of Statistics: A Concise Course in Statistical Inference The Elements of Statistical Learning:Da ...