使用SpringSecurity保护方法应用
(1)pom添加依赖
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>5.1.3.RELEASE</version>
</dependency>
<!--
  NOTE(review): spring-security-core supplies the annotations used in (3)
  (@Secured, @PreAuthorize, @PostAuthorize, @PreFilter, @PostFilter), but
  @EnableGlobalMethodSecurity and GlobalMethodSecurityConfiguration used in (2)
  live in the spring-security-config artifact. Add it at the same version unless
  the project already receives it transitively (e.g. via a Spring Boot starter);
  keep every Spring Security artifact on one version.
-->
(2)添加相应配置类
package cn.coreqi.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

/**
 * Turns on annotation-driven method security for the application.
 *
 * <p>{@code securedEnabled} enables {@code @Secured}, {@code jsr250Enabled} enables the
 * JSR-250 annotations ({@code @RolesAllowed} and friends), and {@code prePostEnabled} enables
 * {@code @PreAuthorize} / {@code @PostAuthorize} / {@code @PreFilter} / {@code @PostFilter}.
 * Only the families the code base actually uses need to be switched on.
 *
 * <p>These annotations are enforced through Spring AOP proxies, so they apply to calls that go
 * through the proxied bean, not to a method of a class calling another annotated method of the
 * same class directly (self-invocation).
 */
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true,jsr250Enabled = true,prePostEnabled = true) // enable annotation-based method security
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    /**
     * Registers a custom expression handler so that {@code hasPermission(...)} inside
     * {@code @PreAuthorize}/{@code @PostAuthorize} expressions is answered by
     * {@code UserPermissionEvaluator} (section (4)). Left commented out in the original;
     * uncomment the override to enable it — the two expression-handler imports above are only
     * needed once it is active.
     * @return the method-security expression handler carrying the custom permission evaluator
     */
    // @Override
    // protected MethodSecurityExpressionHandler createExpressionHandler() {
    //     DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
    //     expressionHandler.setPermissionEvaluator(new UserPermissionEvaluator());
    //     return expressionHandler;
    // }
}
(3)dao使用相应的注解
以下代码仅作为参考,方法体均为占位实现,重点在于各注解的用法
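package cn.coreqi.dao.redis;

import cn.coreqi.entities.User;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Repository;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Reference-only DAO demonstrating the method-security annotations switched on by
 * {@code @EnableGlobalMethodSecurity(securedEnabled, jsr250Enabled, prePostEnabled)}.
 * Method bodies are stubs.
 *
 * <p>The annotations are applied by a Spring AOP proxy around this bean, so they only take
 * effect on calls that arrive through the proxy; a method of this class calling another
 * annotated method of the same class directly (self-invocation) bypasses them.
 *
 * <p>{@code #user} in the expressions refers to a method parameter by name, which must be
 * available at runtime (debug info / {@code -parameters}, or Spring Security's {@code @P}).
 */
@Repository
public class UserRedis {

    /**
     * Only callers holding the {@code ROLE_ADMIN} authority may invoke this method.
     * {@code @Secured} compares the granted-authority string literally, so the {@code ROLE_}
     * prefix has to be part of the stored authority.
     *
     * @return an empty list (stub); never {@code null}, so callers can iterate safely
     */
    @Secured("ROLE_ADMIN")
    public List<User> getAll() {
        return Collections.emptyList();
    }

    /**
     * Evaluated after the method returns: access is denied unless the returned user's
     * {@code UserName} equals the authenticated principal's username.
     * {@code principal.username} assumes the principal is a {@code UserDetails} — confirm
     * against the authentication setup. With a {@code null} return value (as in this stub) the
     * expression cannot be evaluated and the value is not released to the caller.
     *
     * @param id user identifier
     * @return the user, or {@code null} (stub)
     */
    @PostAuthorize("returnObject.UserName == principal.username")
    public User getById(int id) {
        return null;
    }

    /**
     * Evaluated before the method runs; the call is blocked unless the expression is true.
     * The parentheses make the SpEL precedence explicit ({@code and} binds tighter than
     * {@code or}) without changing the original meaning: an admin may always modify, a
     * {@code ROLE_SYSTEM} caller only when the new username is at most 16 characters.
     * A {@code null} user makes the length check fail to evaluate, so the call is rejected.
     *
     * @param user user to modify; the parameter must keep the name {@code user} for {@code #user}
     * @return the modified user, or {@code null} (stub)
     */
    @PreAuthorize("hasRole('ROLE_ADMIN') or (hasRole('ROLE_SYSTEM') and #user.UserName.length() <= 16)")
    public User modify(User user) {
        return null;
    }

    /**
     * Unsecured stub, kept as in the original for contrast: any authenticated or anonymous
     * caller can invoke it. A real delete should carry a restriction like the methods above.
     *
     * @param id user identifier
     */
    public void delById(int id) {
    }

    /**
     * The expression is evaluated once per element of the returned list ({@code filterObject});
     * elements for which it is false are removed from the returned collection in place, so the
     * returned list must be mutable.
     *
     * @return the filtered list; empty in this stub
     */
    @PostFilter("hasRole('ROLE_ADMIN') && filterObject.Age < 18")
    public List<User> findMeinv() {
        return new ArrayList<>();
    }

    /**
     * Before the method runs, every element of {@code users} that does not satisfy the
     * expression is removed from the argument collection in place.
     * The per-element variable is {@code filterObject}, the same as for {@code @PostFilter};
     * the original used {@code targetObject}, which is not a variable provided by the
     * method-security expression root and would fail when evaluated.
     * Assumes {@code User} exposes a {@code Name} property (the other expressions on this class
     * use {@code UserName}) — confirm against the entity.
     *
     * @param users users to add; filtered in place, so pass a mutable list
     */
    @PreFilter("hasRole('ROLE_ADMIN') && filterObject.Name == 'admin'")
    public void batchAdd(List<User> users) {
    }
}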
(4)*(不重要)自定义表达式处理器(实现 PermissionEvaluator),注册方式参考(2)中注释掉的 createExpressionHandler 方法
package cn.coreqi.config;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

import java.io.Serializable;

/**
 * Custom permission evaluator backing the {@code hasPermission(...)} functions available in
 * method-security expressions once it is registered on the expression handler (see the
 * configuration class in section (2), where the registration is still commented out).
 *
 * <p>Both overloads currently deny everything, so any {@code hasPermission(...)} expression
 * evaluates to {@code false} until real checks are implemented — a fail-closed starting point.
 */
public class UserPermissionEvaluator implements PermissionEvaluator {

    /**
     * Backs {@code hasPermission(targetDomainObject, permission)}.
     *
     * @param authentication the caller whose permission is being checked
     * @param targetDomainObject the object the permission is checked against
     * @param permission the requested permission (usually a String)
     * @return {@code false} — nothing is permitted yet
     */
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        return denyByDefault();
    }

    /**
     * Backs {@code hasPermission(targetId, targetType, permission)}.
     *
     * @param authentication the caller whose permission is being checked
     * @param targetId identifier of the target object
     * @param targetType type name of the target object
     * @param permission the requested permission (usually a String)
     * @return {@code false} — nothing is permitted yet
     */
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        return denyByDefault();
    }

    /** Single place holding the current policy: deny every request. */
    private static boolean denyByDefault() {
        return false;
    }
}