Spring Security(十四):5.4 Authorize Requests
Our examples have only required users to be authenticated and have done so for every URL in our application. We can specify custom requirements for our URLs by adding multiple children to our http.authorizeRequests() method. For example:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests() 1
.antMatchers("/resources/**", "/signup", "/about").permitAll() 2
.antMatchers("/admin/**").hasRole("ADMIN") 3
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") 4
.anyRequest().authenticated() 5
.and()
// ...
.formLogin();
}
1、There are multiple children to the http.authorizeRequests() method each matcher is considered in the order they were declared.
2、We specified multiple URL patterns that any user can access. Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".
3、Any URL that starts with "/admin/" will be restricted to users who have the role "ROLE_ADMIN". You will notice that since we are invoking the hasRole method we do not need to specify the "ROLE_" prefix.
4、Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA". You will notice that since we are using the hasRole expression we do not need to specify the "ROLE_" prefix.
5、Any URL that has not already been matched on only requires that the user be authenticated
5.5 Handling Logouts 处理注销
When using the WebSecurityConfigurerAdapter, logout capabilities are automatically applied. The default is that accessing the URL /logout will log the user out by:
- Invalidating the HTTP Session
- 使HTTP会话无效
- Cleaning up any RememberMe authentication that was configured
- 清理已配置的任何RememberMe身份验证
- Clearing the
SecurityContextHolder - 清除SecurityContextHolder
- Redirect to
/login?logout - 重定向到/ login?logout
Similar to configuring login capabilities, however, you also have various options to further customize your logout requirements:
protected void configure(HttpSecurity http) throws Exception {
http
.logout() 1
.logoutUrl("/my/logout") 2
.logoutSuccessUrl("/my/index") 3
.logoutSuccessHandler(logoutSuccessHandler) 4
.invalidateHttpSession(true) 5
.addLogoutHandler(logoutHandler) 6
.deleteCookies(cookieNamesToClear) 7
.and()
...
}
1、Provides logout support. This is automatically applied when using WebSecurityConfigurerAdapter.
2、The URL that triggers log out to occur (default is /logout). If CSRF protection is enabled (default), then the request must also be a POST. For more information, please consult the JavaDoc.
3、The URL to redirect to after logout has occurred. The default is /login?logout. For more information, please consult the JavaDoc.
4、Let’s you specify a custom LogoutSuccessHandler. If this is specified, logoutSuccessUrl() is ignored. For more information, please consult the JavaDoc.
5、Specify whether to invalidate the HttpSession at the time of logout. This is true by default. Configures the SecurityContextLogoutHandler under the covers. For more information, please consult the JavaDoc.
6、Adds a LogoutHandler. SecurityContextLogoutHandler is added as the last LogoutHandler by default.
7、Allows specifying the names of cookies to be removed on logout success. This is a shortcut for adding a CookieClearingLogoutHandler explicitly.
LogoutHandler and/or LogoutSuccessHandler implementations. For many common scenarios, these handlers are applied under the covers when using the fluent API.5.5.1 LogoutHandler (登出处理)
Generally, LogoutHandler implementations indicate classes that are able to participate in logout handling. They are expected to be invoked to perform necessary clean-up. As such they should not throw exceptions. Various implementations are provided:
- PersistentTokenBasedRememberMeServices
- TokenBasedRememberMeServices
- CookieClearingLogoutHandler
- CsrfLogoutHandler
- SecurityContextLogoutHandler
Please see Section 17.4, “Remember-Me Interfaces and Implementations” for details.
LogoutHandler implementations directly, the fluent API also provides shortcuts that provide the respective LogoutHandler implementations under the covers. E.g. deleteCookies() allows specifying the names of one or more cookies to be removed on logout success. This is a shortcut compared to adding aCookieClearingLogoutHandler.- SimpleUrlLogoutSuccessHandler
- HttpStatusReturningLogoutSuccessHandler
As mentioned above, you don’t need to specify the SimpleUrlLogoutSuccessHandler directly. Instead, the fluent API provides a shortcut by setting the logoutSuccessUrl(). This will setup the SimpleUrlLogoutSuccessHandler under the covers. The provided URL will be redirected to after a logout has occurred. The default is /login?logout.
5.5.3 Further Logout-Related References
- Logout Handling
- Testing Logout
- HttpServletRequest.logout()
- Section 17.4, “Remember-Me Interfaces and Implementations”
- Logging Out in section CSRF Caveats
- Section Single Logout (CAS protocol)
- Documentation for the logout element in the Spring Security XML Namespace section
Spring Security(十四):5.4 Authorize Requests的更多相关文章
- Spring Boot(十四):spring boot整合shiro-登录认证和权限管理
Spring Boot(十四):spring boot整合shiro-登录认证和权限管理 使用Spring Boot集成Apache Shiro.安全应该是互联网公司的一道生命线,几乎任何的公司都会涉 ...
- Spring Security 解析(四) ——短信登录开发
Spring Security 解析(四) -- 短信登录开发 在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因此决定先把Spring Security ...
- Spring 学习十四 Spring security安全
Spring security: 我用过的安全机制: oauth2, filter, secured方法保护 9.2 保护web请求: 9.2.1 代理Servlet过滤器: Delegat ...
- Spring Security(四):2.1 Introduction What is Spring Security?
Spring Security provides comprehensive security services for Java EE-based enterprise software appli ...
- 【Spring Security】四、自定义页面
在前面例子中,登陆页面都是用的Spring Security自己提供的,这明显不符合实际开发场景,同时也没有退出和注销按钮,因此在每次测试的时候都要通过关闭浏览器来注销达到清除session的效果. ...
- Spring Security教程(四):自定义登录页
在前面的例子中,登陆页面都是用的Spring Security自己提供的,这明显不符合实际开发场景,同时也没有退出和注销按钮,因此在每次测试的时候都要通过关闭浏览器来注销达到清除session的效果. ...
- Spring Security教程(四)
在前面三个博客的例子中,登陆页面都是用的Spring Security自己提供的,这明显不符合实际开发场景,同时也没有退出和注销按钮,因此在每次测试的时候都要通过关闭浏览器来注销达到清除session ...
- (转)Spring Boot (十四): Spring Boot 整合 Shiro-登录认证和权限管理
http://www.ityouknow.com/springboot/2017/06/26/spring-boot-shiro.html 这篇文章我们来学习如何使用 Spring Boot 集成 A ...
- spring boot(十四)shiro登录认证与权限管理
这篇文章我们来学习如何使用Spring Boot集成Apache Shiro.安全应该是互联网公司的一道生命线,几乎任何的公司都会涉及到这方面的需求.在Java领域一般有Spring Security ...
- Spring Boot (十四): Spring Boot 整合 Shiro-登录认证和权限管理
这篇文章我们来学习如何使用 Spring Boot 集成 Apache Shiro .安全应该是互联网公司的一道生命线,几乎任何的公司都会涉及到这方面的需求.在 Java 领域一般有 Spring S ...
随机推荐
- angular ng-click防止重复提交
方法一:点击后,让button的状态变为disable js指令: .directive('clickAndDisable', function() { return { scope: { click ...
- blfs(systemd版本)学习笔记-构建gnome桌面系统
我的邮箱地址:zytrenren@163.com欢迎大家交流学习纠错! 大概思路: lfs(系统)+xorg(驱动)+gnome(桌面组件) 链接: lfs(systemd版本)学习笔记系列:http ...
- iPhone X手机投屏电脑无线连接教程
iPhone X手机是一款非常有气场的手机,独特的设计,展现手机的独特魅力,手机外观让人一眼就爱上,手感也是超级的舒适,真的是堪称完美,但是iPhone X手机投屏电脑怎么无线连接呢? 使用工具: 电 ...
- Android 底部导航栏实现一 Fragment-replace
[效果](这里下载的软件收费的试用有水印) [推荐]这里推荐一个图标网http://iconfont.cn/.以上图标来自此图标网 [项目结构] [步骤] ①创建布局文件,写底部导航栏 <?xm ...
- Play 2D games on Nexus 6P running Android N7.1.1 with Daydream View VR headset
http://files.cnblogs.com/files/we-hjb/N6P_Android7_SBS_SF.rar
- WPF:解决DataGrid横向滚动条无法显示的问题
DataGrid的最后一列的宽度设置为“Width=”auto””即可. 如果显示指定长度或者设置为“*”,那么不管怎么拖动列头,或者不管行里面的内容有没有超过DataGrid的显示区域,DataGr ...
- 电脑端支付宝支付 -前端获取支付宝返回的form 以及submit 调用支付扫码页面
前端调取支付宝支付接口(后台进行封装,没有直接调取支付宝接口),调用返回的数据中,将会有一串的form表单数据返回,我们需要将此表单在当前调用页面submit下,以跳转到支付扫码页: 支付宝返回的fo ...
- Python 套接字socketserver网络编程
为什么使用socketserver 虽然Python内置的socket和threading模块能实现简单的多线程服务器,在非正式环境,随便用用还是可以的,但是如果要在生产环境中使用,那是万万不够的. ...
- 新闻思考-阿里进军游戏产业,苹果发力ARM芯片
2018.04.03 大家好,这是我开通博客的第一篇文章,我希望在这里分享我的知识,也学习更多的知识,希望大家学习愉快. 阿里进军游戏产业,拿下旅行青蛙的代理权.腾讯一直在进攻阿里的核心业务:电商和支 ...
- [20180819]关于父子游标问题(11g).txt
[20180819]关于父子游标问题(11g).txt --//sql语句存在父子游标,子游标堆6在父游标堆0里面.--//如果存在许多子游标的情况下,父游标堆0是否大小是发生变化呢.测试看看.--/ ...