Spring安全检查用户是否可以访问提到的url
[英]Spring security check if user has access to mentioned url
问题描述
I have started using spring security, and after a lot of research I am not able to find an answer for: 
我已经开始使用spring security,经过大量研究后我无法找到答案:
If I explicitly want to check if user A have access to stuff B. I can check this with JSP tag support Spring Security - check if web url is secure / protected like 如果我明确要检查用户A是否可以访问东西B.我可以使用JSP标记支持Spring Security检查 - 检查web url是否安全/受保护
<sec:authorize url="stuff/B">
But what if I want to check the same thing in the controller(java class). 但是如果我想在控制器(java类)中检查相同的东西呢。 I am not finding any spring function here to check if a login user has access to mentioned url( https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html ) 我在这里找不到任何弹簧函数来检查登录用户是否可以访问提到的URL( https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html )
6 个解决方案
解决方案1
15 已采纳
Hint from the javadoc : 来自javadoc的提示:
to use this tag there must also be an instance of
WebInvocationPrivilegeEvaluatorin your application context.WebInvocationPrivilegeEvaluator实例。 If you are using the namespace, one will automatically be registered.DefaultWebInvocationPrivilegeEvaluator,"DefaultWebInvocationPrivilegeEvaluator一个实例,“
And in the javadoc of DefaultWebInvocationPrivilegeEvaluator , we can see a isAllowed method that should do the job: 在DefaultWebInvocationPrivilegeEvaluator的javadoc中,我们可以看到应该执行该作业的isAllowed方法:
// privilegeEvaluator is a WebInvocationPrivilegeEvaluator "autowired"
boolean allowed = privilegeEvaluator.isAllowed("/stuff/B", yourAuthentication);
解决方案2
0 2017-09-15 13:48:23
Why not to use annotations like this: 为什么不使用这样的注释:
@PreAuthorize("hasRole('ROLE_USER')")
public void create(Contact contact);
Annotations are standard way for Spring 3+ 注释是Spring 3+的标准方法
解决方案3
0 2017-09-18 06:38:54
You are looking at the right place, the link you attached mentions what you need. 您正在查找正确的位置,您附加的链接提到您需要的内容。 Since you want access-control on your controller and check per user (not role) you can use the '@PreAuthorize' annotation with "hasPermission" expression or similar. 由于您希望在控制器上进行访问控制并按用户(而非角色)进行检查,因此可以使用带有“hasPermission”表达式的“@PreAuthorize”注释或类似方法。
You could check here for expression-based access control and here for examples of custom security expression example in case you want to customize the solution. 您可以在此处查看基于表达式的访问控制, 此处还可以查看自定义安全表达式示例,以便您自定义解决方案。
解决方案4
0 2017-09-19 05:16:50
1) First we need to know whether the user may enter the URL at all. 1)首先我们需要知道用户是否可以输入URL。 This can be very easily achieved using WebInvocationPrivilegeEvaluator. 使用WebInvocationPrivilegeEvaluator可以非常轻松地实现这一点。
privilegeEvaluator.isAllowed(contextPath, url, "GET", currentUser);
2) Now we need to identifying whether the user may access the handler method 2)现在我们需要确定用户是否可以访问处理程序方法
private boolean isAllowedByAnnotation(Authentication currentUser, HandlerMethod method) {
PreInvocationAuthorizationAdvice advice = new ExpressionBasedPreInvocationAdvice();
PreInvocationAuthorizationAdviceVoter voter = new PreInvocationAuthorizationAdviceVoter(advice);
MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
PrePostInvocationAttributeFactory factory = new ExpressionBasedAnnotationAttributeFactory(expressionHandler);
PrePostAnnotationSecurityMetadataSource metadataSource = new PrePostAnnotationSecurityMetadataSource(factory);
Class<?> controller = method.getBeanType();
MethodInvocation mi = MethodInvocationUtils.createFromClass(controller, method.getMethod().getName());
Collection<ConfigAttribute> attributes = metadataSource.getAttributes(method.getMethod(), controller);
return PreInvocationAuthorizationAdviceVoter.ACCESS_GRANTED == voter.vote(currentUser, mi, attributes);
}
解决方案5
0 2017-09-19 09:41:03
We can create a custom PermissionEvaluator and use 我们可以创建一个自定义的PermissionEvaluator并使用
hasPermission(Authentication authentication, Object domainObject, Object permission). hasPermission(身份验证身份验证,对象domainObject,对象权限)。
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
final DefaultMethodSecurityExpressionHandler expressionHandler =
new DefaultMethodSecurityExpressionHandler();
expressionHandler.setPermissionEvaluator(new AclPermissionEvaluator(aclService()));
return expressionHandler;
}
@Bean
public aclServiceImpl aclService() {
final AclServiceImpl mutableAclService = new AclServiceImpl
(authorizationStrategy(), grantingStrategy());
return mutableAclService;
}
AclServiceImpl is the implementation of MutableAclService AclServiceImpl是MutableAclService的实现
解决方案6
0 2017-09-19 10:54:59
The most obviously useful annotation is @PreAuthorize which decides whether a method can actually be invoked or not. 最明显有用的注释是@PreAuthorize ,它决定是否可以实际调用方法。 For example (from the"Contacts" sample application) 例如(来自“Contacts”示例应用程序)
@PreAuthorize("hasRole('USER')")
public void create(Contact contact);
which means that access will only be allowed for users with the role "ROLE_USER ". 这意味着只有角色为“ROLE_USER ”的用户才能访问。 Obviously the same thing could easily be achieved using a traditional configuration and a simple configuration attribute for the required role. 显然,使用传统配置和所需角色的简单配置属性可以轻松实现相同的目标。 But what about: 但是关于:
@PreAuthorize("hasPermission(#contact, 'admin')")
public void deletePermission(Contact contact, Sid recipient, Permission permission);
Here we're actually using a method argument as part of the expression to decide whether the current user has the "admin"permission for the given contact. 这里我们实际上使用方法参数作为表达式的一部分来决定当前用户是否具有给定联系人的“admin”权限。 The built-in hasPermission() expression is linked into the Spring Security ACL module through the application context. 内置的hasPermission()表达式通过应用程序上下文链接到Spring Security ACL模块。
For More Detailed Explanation please refer this Link 有关详细说明,请参阅此链接
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.