spring security method security
参考
Spring Security 官方文档
http://www.concretepage.com/spring/spring-security/preauthorize-postauthorize-in-spring-security
方法调用安全
对应的注解@EnableGlobalMethodSecurity,该注解放在GlobalMethodSecurityConfiguration的子类上方
@EnableGlobalMethodSecurity(prePostEnabled = true)
使用的Voter
org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter
有俩对对应的注解
@PreAuthorize 决定方法是否可以被调用
@PostAuthorize 决定方法是否可以返回该值
@PreFilter
@PostFilter
如下:
package com.jiangchong.methodsecurity; import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize; public interface IBookService
{
@PreAuthorize("hasRole('ROLE_ADMIN')")
public void addBook(Book book); // PostAuthorize,决定这个值是否可以被返回,使用returnObject
/*
* Less commonly, you may wish to perform an access-control check after the
* method has been invoked. This can be achieved using the @PostAuthorize
* annotation. To access the return value from a method, use the built-in
* name returnObject in the expression.
*/
@PostAuthorize("returnObject.owner == authentication.name")
public Book getBook(); // PreAuthorize,决定这个方法是否可以被调用
/*
* @P单个参数的方法
*/
@PreAuthorize("#b.owner == authentication.name")
public void deleteBook(@P("b") Book book);
/*
* @Param放在至少有一个参数的方法的上
*
* @PreAuthorize("#n == authentication.name") Contact
* findContactByName(@Param("n") String name)
*/
// springEL
/*
* @PreAuthorize("#contact.name == authentication.name") public void
* doSomething(Contact contact);
*/ }
测试的Demo,基于Spring Boot
Pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion> <groupId>com.jiangchong</groupId>
<artifactId>methodsecurity</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging> <name>methodsecurity</name>
<url>http://maven.apache.org</url> <properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.3.2.RELEASE</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
</dependencies>
</project>
App.class
package com.jiangchong.methodsecurity; import java.util.Map; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController; /**
*
*/
@RestController
@SpringBootApplication
public class App
{
@Autowired
public IBookService bookService; public static void main(String[] args)
{
SpringApplication.run(App.class, args);
} @RequestMapping("/")
public Map<String, String> test()
{
Book b1 = new Book("A", "admin");
bookService.addBook(b1);
bookService.getBook();
System.out.println("user return");
Book b2 = new Book("B", "user");
bookService.deleteBook(b2);
return null;
}
/*
* @RequestMapping("/admin") public Map<String, String> testAdmin() {
* Map<String, String> map = new HashMap<>(); map.put("admin", "admin");
* return map; }
*
* @RequestMapping("/user") public Map<String, String> testUser(String name)
* { Map<String, String> map = new HashMap<>(); map.put("user", "user");
* return map; }
*
* @RequestMapping("/resource/test") public Map<String, String>
* testResouce() { Map<String, String> map = new HashMap<>();
* map.put("test", "resource"); return map; }
*/
}
Book.class
package com.jiangchong.methodsecurity; public class Book
{
private String name;
private String owner; public Book(String name, String owner)
{
this.name = name;
this.owner = owner;
} public String getName()
{
return name;
} public void setName(String name)
{
this.name = name;
} public String getOwner()
{
return owner;
} public void setOwner(String owner)
{
this.owner = owner;
}
}
BookService.class
package com.jiangchong.methodsecurity; import org.springframework.stereotype.Service; @Service
public class BookService implements IBookService
{
@Override
public void addBook(Book book)
{
System.out.println("You have successfully added book.");
} @Override
public Book getBook()
{
Book book = new Book("B", "user");
System.out.println("return " + book.getOwner());
return book;
} @Override
public void deleteBook(Book book)
{
System.out.println("Books deleted");
} }
IBookService
package com.jiangchong.methodsecurity; import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize; public interface IBookService
{
@PreAuthorize("hasRole('ROLE_ADMIN')")
public void addBook(Book book); // PostAuthorize,决定这个值是否可以被返回,使用returnObject
/*
* Less commonly, you may wish to perform an access-control check after the
* method has been invoked. This can be achieved using the @PostAuthorize
* annotation. To access the return value from a method, use the built-in
* name returnObject in the expression.
*/
@PostAuthorize("returnObject.owner == authentication.name")
public Book getBook(); // PreAuthorize,决定这个方法是否可以被调用
/*
* @P单个参数的方法
*/
@PreAuthorize("#b.owner == authentication.name")
public void deleteBook(@P("b") Book book);
/*
* @Param放在至少有一个参数的方法的上
*
* @PreAuthorize("#n == authentication.name") Contact
* findContactByName(@Param("n") String name)
*/
// springEL
/*
* @PreAuthorize("#contact.name == authentication.name") public void
* doSomething(Contact contact);
*/ }
MethodSecurityConfig
package com.jiangchong.methodsecurity; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration; @Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration
{
protected void configure(AuthenticationManagerBuilder auth)
throws Exception
{
auth.inMemoryAuthentication();
} }
WebSecurityConfig
package com.jiangchong.methodsecurity; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
protected void configure(HttpSecurity http) throws Exception
{
http.authorizeRequests().anyRequest().authenticated().and().formLogin()
.loginProcessingUrl("/login").permitAll();
} public void configure(WebSecurity web) throws Exception
{
web.ignoring().antMatchers("/resource/**");
} protected void configure(AuthenticationManagerBuilder auth)
throws Exception
{
auth.inMemoryAuthentication().withUser("admin").password("admin")
.roles("ADMIN").and().withUser("user").password("user")
.roles("USER");
} }
Book b1 = new Book("A", "admin");
bookService.addBook(b1);
bookService.getBook();
System.out.println("user return");
Book b2 = new Book("B", "user");
bookService.deleteBook(b2);
这些调用序列,只要有一个不满足权限,后面的方法不会再调用
spring security method security的更多相关文章
- Spring Security 4 Method security using @PreAuthorize,@PostAuthorize, @Secured, EL--转
原文地址:http://websystique.com/spring-security/spring-security-4-method-security-using-preauthorize-pos ...
- 初识Spring security-添加security
请先查看 初识Spring security-无Security的SpringMVC 在pom.xml文件中添加包 <!-- Spring Security --> <depende ...
- Spring Security(二十二):6.4 Method Security
From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...
- Spring Security(十七):5.8 Method Security
From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...
- Spring boot Security Disable security
When I use security.basic.enabled=false to disable security on a Spring Boot project that has the fo ...
- 41.4 Method Security方法安全性
41.4.1 <global-method-security> 这个元素是为Spring Security beans上的安全方法添加支持的主要手段.可以通过使用注释(在接口或类级别定义) ...
- spring boot + thymeleaf +security自定义规则 的简单使用
1.前言 以前开发一直使用 springMVC模式开发 ,前端页面常使用 JSP ,现在html5淘汰了 ,要么使用html ,要么使用vue , 现在使用spring boot ,有必要总结一下 ...
- 【JavaEE】SSH+Spring Security自定义Security的部分处理策略
本文建立在 SSH与Spring Security整合 一文的基础上,从这篇文章的example上做修改,或者从 配置了AOP 的example上做修改皆可.这里主要补充我在实际使用Spring Se ...
- Spring Cloud:Security OAuth2 自定义异常响应
对于客户端开发或者网站开发而言,调用接口返回有统一的响应体,可以针对性的设计界面,代码结构更加清晰,层次也更加分明. 默认异常响应 在使用 Spring Security Oauth2 登录和鉴权失败 ...
随机推荐
- 从c开始,小小感悟
c语言是众多编程小白进入编程大门的钥匙,不过许多人在学习一段时间以后就渐渐产生了困惑,枯燥的黑色界面渐渐让他们失去了"渴望",---我还不能制作出一款像样的软件,我还是只是在算数学 ...
- SqlServer性能优化:创建性能监视器(二)
添加三个选项: 下一步就可以了 Sql跟踪的模板: 跟踪Sql 语句的执行情况: 使用刚才的新建的模板: 用到的Sql语句: select * from [Sales].[SalesOrderDeta ...
- 搜索栏会消失 uisearchbar 狂点消失的问题解决
经过反复试验和错误很多,我发现当searchdisplaycontroller结束搜索,搜索栏会消失,所以我重新插入到搜索栏表头和它为我工作. - (void)searchDisplayControl ...
- java项目部署在服务器环境配置以及命令的编写
在往项目上部署java项目(即打成的jar包),要为相应的项目配置环境变量,即项目运行所需要的jar或其他第三方的jar包,java -cp derivativeAccording.jar:lib/c ...
- IOS网络开发(一)
1 简易的聊天工具 1.1 问题 Socket的英文原义是孔或者插座的意思,通常也称作套接字,用于描述IP地址和端口,是一个通信链的句柄,本案例使用第三方Socket编程框架AsyncSocket框架 ...
- Spark 个人实战系列(1)--Spark 集群安装
前言: CDH4不带yarn和spark, 因此需要自己搭建spark集群. 这边简单描述spark集群的安装过程, 并讲述spark的standalone模式, 以及对相关的脚本进行简单的分析. s ...
- Jena Fuseki 102
Version Fuseki v1 Fuseki v2 since Jena 2.13.0 Both v1 and v2 are active and maintained.[2015/06/29] ...
- C语言解决八皇后问题
#include <stdio.h> #include <stdlib.h> /* this code is used to cope with the problem of ...
- Do It Wrong, Get It Right
Do It Wrong, Get It Right Time Limit: 5000ms, Special Time Limit:12500ms, Memory Limit:65536KB Total ...
- hiho一下122周 后缀数组三·重复旋律
后缀数组三·重复旋律3 时间限制:5000ms 单点时限:1000ms 内存限制:256MB 描述 小Hi平时的一大兴趣爱好就是演奏钢琴.我们知道一个音乐旋律被表示为长度为 N 的数构成的数列.小Hi ...