Spring Security getting the access attributes of patterns in intercept-url


Problem description

I'm using Spring Security 3.0.7

How can I get with java code the "access" attributes of the "patterns" that I have defined in the <intercept-url> elements of my security configuration file?

I need to get them in my custom session management filter, so that if the requested URL has an ANONYMOUS access required, I skip the filter and don't check the session timeout.

Now I'm doing it "manually", by comparing the requested URL with those patterns I know they have an ANONYMOUS access required. It works, but it's not a good solution because if I change the xml config file, I have to change the java code.

Thanks in advance.

Recommended answer

I've found the solution. If someone's interested I explain it here.

I added the following Java code to the doFilter method in my session management filter, for checking if the user (anonymous user in this case) is allowed to access the requested page:

...
private WebInvocationPrivilegeEvaluator webPrivilegeEvaluator;
...
// Before this I have checked that the session is invalid and that the invalidSessionUrl parameter isn't null
String uri = request.getRequestURI();
String cPath = request.getContextPath();
int longCPath = cPath.length();
String pagSolicitada = uri.substring(longCPath);
Authentication autenticacion = SecurityContextHolder.getContext().getAuthentication();
if ( !webPrivilegeEvaluator.isAllowed(pagSolicitada, autenticacion) ) {
     // Redirect to the invalidSessionUrl
     redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
     return;
}
// Do nothing, just skip this filter
chain.doFilter(request, response);
return;
...

The webPrivilegeEvaluator is a property of the session management filter that I inject in the xml config file:

<beans:bean id="filtroGestionSesion" class="springSecurity.FiltroGestionSesion">
    <beans:constructor-arg name="securityContextRepository" ref="securityContextRepository" />
    <beans:property name="sessionAuthenticationStrategy" ref="sas" />   
    <beans:property name="invalidSessionUrl" value="/faces/paginas/autenticacion/login.xhtml?error=timeout" />
    <beans:property name="webPrivilegeEvaluator" ref="webPrivilegeEvaluator" /> 
</beans:bean>

And the bean that this property references is:

<beans:bean id="webPrivilegeEvaluator" class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
    <beans:constructor-arg ref="filterSecurityInterceptor" />
</beans:bean>

Finally, the filterSecurityInterceptor has the intercept-url elements with the patterns and access required for them (you don't put these intercept-url in the http element of the NameSpace, just put them here):

<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <beans:property name="securityMetadataSource">
        <filter-security-metadata-source use-expressions="true">
        <!-- IMPORTANT: put the most specific URLs first -->
        <intercept-url pattern="/" access="permitAll"/> <!-- Start page when the application launches (contextPath) -->
        <intercept-url pattern="/faces/inicio.xhtml" access="permitAll"/>
        <intercept-url pattern="/faces/paginas/autenticacion/login.xhtml*" access="permitAll"/>
        <intercept-url pattern="/faces/paginas/autenticacion/**" access="isAuthenticated()"/>
        <intercept-url pattern="/faces/paginas/administracion/**" access="isAuthenticated()"/>
        <intercept-url pattern="/faces/paginas/barco/**" access="isAuthenticated()"/>
        <intercept-url pattern="/faces/paginas/catalogo/**" access="permitAll"/>
        <intercept-url pattern="/faces/paginas/error/**" access="permitAll"/>
        <intercept-url pattern="/faces/paginas/plantillas/**" access="permitAll"/>
        <intercept-url pattern="/**" access="denyAll" />
        </filter-security-metadata-source>
    </beans:property>
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
    <beans:property name="observeOncePerRequest" value="false" />
</beans:bean>

This filter has to be declared as the last one of the filter chain, this way:

<custom-filter position="LAST" ref="filterSecurityInterceptor" />

Note: I have intentionally omitted the declarations of the other beans so that this answer doesn't get too big.
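
The check described in the answer, written out as a complete filter. This is an added example, not the answerer's FiltroGestionSesion class: the class name `SessionTimeoutFilter` is hypothetical, and the expired-session test is an assumption about the check the answer says it performs before the snippet.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.web.filter.GenericFilterBean;

// Hypothetical class name; stands in for the custom session management filter.
public class SessionTimeoutFilter extends GenericFilterBean {
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    private WebInvocationPrivilegeEvaluator webPrivilegeEvaluator; // injected from XML
    private String invalidSessionUrl;                              // injected from XML

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Assumed timeout test: the client sent a session id the container no longer knows.
        boolean expired = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        if (expired && invalidSessionUrl != null) {
            // Path relative to the context root, as the intercept-url patterns expect.
            String path = request.getRequestURI().substring(request.getContextPath().length());
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            // Ask the evaluator for the decision the intercept-url rules give this
            // path and user, instead of hard-coding the public URL patterns here.
            if (!webPrivilegeEvaluator.isAllowed(path, auth)) {
                redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
                return;
            }
        }
        chain.doFilter(request, response); // page is open to this user, or session still valid
    }

    public void setWebPrivilegeEvaluator(WebInvocationPrivilegeEvaluator evaluator) {
        this.webPrivilegeEvaluator = evaluator;
    }

    public void setInvalidSessionUrl(String invalidSessionUrl) {
        this.invalidSessionUrl = invalidSessionUrl;
    }
}
```

The invalidSessionUrl itself has to match a pattern the anonymous user may access (here `/faces/paginas/autenticacion/login.xhtml*` with `permitAll`); otherwise the redirect target would be redirected again while the browser still sends the stale session id.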
