How to dynamically decide <intercept-url> access attribute value in Spring Security?


Problem description

In Spring Security we use the intercept-url tag to define the access for URLs as below:

    <intercept-url pattern="/**" access="ROLE_ADMIN" />
    <intercept-url pattern="/student" access="ROLE_STUDENT" />

This is hard coded in applicationContext-security.xml. I want to read the access values from a database table instead. I have defined my own UserDetailsService and I read the roles for the logged in user from the database. How do I assign these roles to the URL patterns during runtime?

Recommended answer

The FilterInvocationSecurityMetadataSourceParser class in Spring-security (try Ctrl/Cmd+Shift+T in STS with the source code) parses the intercept-url tags and creates instances of ExpressionBasedFilterInvocationSecurityMetadataSource, that extends DefaultFilterInvocationSecurityMetadataSource that implements FilterInvocationSecurityMetadataSource that extends SecurityMetadataSource.

What I did is to create a custom class that implements FilterInvocationSecurityMetadataSource, OptionsFromDataBaseFilterInvocationSecurityMetadataSource. I used DefaultFilterInvocationSecurityMetadataSource as base to use urlMatcher, to implement the support() method and something like that.

Then you must implement these methods:

  • Collection<ConfigAttribute> getAttributes(Object object), where you can access the database, searching for the 'object' being secured (normally the URL to access) to obtain the allowed ConfigAttributes (normally the ROLEs)

  • boolean supports(Class<?> clazz)

  • Collection<ConfigAttribute> getAllConfigAttributes()

Be careful with the latter, because it's called at startup and maybe is not well configured at this time (I mean, with the datasources or persistence context autowired, depending on what you are using). The solution in a web environment is to configure the contextConfigLocation in the web.xml to load the applicationContext.xml before the applicationContext-security.xml.

The final step is to customize the applicationContext-security.xml to load this bean.

For doing that, I used regular beans in this file instead of the security namespace:

    <beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
        <filter-chain-map path-type="ant">
            <filter-chain pattern="/images/*" filters="none" />
            <filter-chain pattern="/resources/**" filters="none" />
            <filter-chain pattern="/**" filters="
                securityContextPersistenceFilter,
                logoutFilter,
                basicAuthenticationFilter,
                exceptionTranslationFilter,
                filterSecurityInterceptor" />
        </filter-chain-map>
    </beans:bean>

You have to define all the related beans. For instance:

    <beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <beans:property name="authenticationManager" ref="authenticationManager"></beans:property>
        <beans:property name="accessDecisionManager" ref="affirmativeBased"></beans:property>
        <beans:property name="securityMetadataSource" ref="optionsFromDataBaseFilterInvocationSecurityMetadataSource"></beans:property>
        <beans:property name="validateConfigAttributes" value="true"/>
    </beans:bean>

I know that is not a well explained answer, but it's not as difficult as it seems.

Just use the spring source as base and you will obtain what you want.

Debugging with the data in your database will help you a lot.
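
One way to write the custom metadata source the answer describes, added here as an example and not the answerer's own code. The url_access table and its columns, the JdbcTemplate constructor argument and the ROLE_NO_MATCHING_RULE attribute are assumptions; the class denies URLs that match no rule and defers the database read until the first request, which avoids the startup problem mentioned for getAllConfigAttributes().

```java
import java.util.*;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.util.AntPathMatcher;

public class OptionsFromDataBaseFilterInvocationSecurityMetadataSource
        implements FilterInvocationSecurityMetadataSource {
    // Assumed table: url_access(pattern, role, priority); lowest priority is checked first.
    private static final String SQL = "SELECT pattern, role FROM url_access ORDER BY priority, pattern";
    // Assumed attribute that no user holds, so a RoleVoter denies URLs matching no rule.
    private static final List<ConfigAttribute> DENY = SecurityConfig.createList("ROLE_NO_MATCHING_RULE");

    private final JdbcTemplate jdbc;
    private final AntPathMatcher matcher = new AntPathMatcher();
    private volatile Map<String, Collection<ConfigAttribute>> rules; // loaded lazily

    public OptionsFromDataBaseFilterInvocationSecurityMetadataSource(JdbcTemplate jdbc) { this.jdbc = jdbc; }

    /** Re-reads the table; call it after an administrator edits the rules. */
    public void reload() {
        Map<String, Collection<ConfigAttribute>> loaded = new LinkedHashMap<>();
        for (Map<String, Object> row : jdbc.queryForList(SQL)) {
            loaded.computeIfAbsent((String) row.get("pattern"), k -> new ArrayList<>())
                  .add(new SecurityConfig((String) row.get("role")));
        }
        rules = loaded; // swap in one step so requests never see a half-built map
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) {
        if (rules == null) reload();               // first request, not container startup
        String url = ((FilterInvocation) object).getRequestUrl();
        int q = url.indexOf('?');
        if (q >= 0) url = url.substring(0, q);     // match on the path, not the query string
        for (Map.Entry<String, Collection<ConfigAttribute>> e : rules.entrySet()) {
            if (matcher.match(e.getKey(), url)) return e.getValue(); // first match wins
        }
        return DENY; // returning null would mark the URL as public
    }

    @Override // Called at startup; null skips attribute validation, so no database access yet.
    public Collection<ConfigAttribute> getAllConfigAttributes() { return null; }

    @Override
    public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}
```

Because the first matching row wins, a catch-all such as /** needs the highest priority number, otherwise it shadows more specific patterns like /student.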
