Spring Security的声明式安全授权有两种方式,一种是以url模式匹配的方式,另一种是方法上使用注解声明权限,这里重点说第一种。
一、创建一个类继承WebSecurityConfigurerAdapter,并使用注解@EnableWebSecurity标注。这个类我之前写到过很多次,是配置CAS客户端和Spring Security的核心类。同时也是启动注解声明权限的入口。
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
AuthenticationManager authenticationManager;
// 这个方法名是随便起的
@Autowired
protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
//暂时使用基于内存的AuthenticationProvider,在弹出的默认登陆页输入下边的用户名和密码
//auth.inMemoryAuthentication().withUser("user").password("1").roles("USER");
}
/**
* 这里是默认的配置相当于以下命名空间的配置
* <http>
* <intercept-url pattern="/**" access="authenticated"/>
* <form-login />
* <http-basic />
* </http>
*/
protected void configure(HttpSecurity http) throws Exception {
http
//Spring Security的filter默认再整个filter chain的最前边,因此需要把我们自己写的跨域的filter放在最前边
.addFilterBefore(myFilter, ChannelProcessingFilter.class)
.authorizeRequests()
// specified multiple URL patterns that any user can access.
// any user can access a request if the URL starts with "/resources/", equals "/login.html", or equals "/about".
.antMatchers("/resources/**", "/login.html", "/about").permitAll()
// Any URL that starts with "/admin/" will be resticted to users who have the role "ROLE_ADMIN". You will notice that since we are invoking the hasRole method we do not need to specify the "ROLE_" prefix.
.antMatchers("/admin/**").hasRole("ADMIN")
// Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA".
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
// Any URL that has not already been matched on only requires that the user be authenticated
.anyRequest().authenticated()
.and()
<span style="white-space:pre"> </span>// 登录认证例外处理入口为cas入口
<span style="white-space:pre"> </span>.exceptionHandling().authenticationEntryPoint(casEntryPoint())
.and()
<span style="white-space:pre"> </span>// 登录CAS认证过滤器
<span style="white-space:pre"> </span>.addFilter(casFilter());
<span style="white-space:pre"> </span>// Allows users to authenticate with form based login, otherwise no default log in page
<span style="white-space:pre"> </span>//.formLogin()
// specifies the location of the log in page
//.loginPage("http://127.0.0.1/web/login.html")
// grant all users access to our log in page
//.permitAll()
//.and()
// Allows users to authenticate with HTTP Basic authentication
.httpBasic();
}
<pre name="code" class="java"><pre name="code" class="java"> <span> </span>// WebSecurity是用来创建过滤器链的public void configure(WebSecurity web) throws Exception {
// 针对resource和image资源忽略认证
web.ignoring()
.antMatchers(HttpMethod.GET,"/rest/resource/**/*")
.antMatchers(HttpMethod.GET, "/rest/image/**/*");
}}
详细的讲解都写在注释里了,通过这种方式就可以非常方便的在url模式上控制访问权限。
版权声明:本文为luenxin原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。