从数据库或属性获取Spring Security拦截URL [英] Get Spring Security intercept urls from database or properties
问题描述
@Secured({ROLE_ADMIN})
或通过配置:
< security:intercept-url pattern =/ **access =ROLE_USER,ROLE_ADMIN,ROLE_SUPER_USER/>
我宁愿从数据库中获取认证规则,例如:
< security:intercept-url provider =authProvider/>
< bean id =authProviderclass =AuthProviderImpl>
< property name =userDetailsServiceref =userDetailsService/>
< / bean>
最糟糕的情况下,必须通过属性文件填充权限吗?...
/ admin / ** = ROLE_ADMIN
/ * * = ROLE_USER
< security:intercept-url props =classpath:urls.properties />
等。
请告诉我这个存在或我的大脑会爆炸! Grails弹簧安全插件随箱附带,因此我知道这个插件必须存在。请不要让我的大脑爆炸!!!
编辑:
想象出...
您必须提供自定义 org.springframework.security.intercept.web.FilterSecurityInterceptor
并提供 objectDefinitionSource
:
< bean id =filterSecurityInterceptorclass =org.springframework .security.intercept.web.FilterSecurityInterceptor>
< security:custom-filter before =FILTER_SECURITY_INTERCEPTOR/>
< property name =authenticationManagerref =authenticationManager/>
< property name =accessDecisionManagerref =accessDecisionManager/>
< property name =objectDefinitionSource>
<值>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**login.html=IS_AUTHENTICATED_ANONYMOUSLY
/ user / ** = ROLE_ADMIN
< / value>
< / property>
< / bean>
我想要使用FactoryBean:
public class RequestMappingFactoryBean实现FactoryBean {
private final static String EOL = System.getProperty(line.separator);
public Object getObject()throws Exception {
StringBuffer sb = new StringBuffer();
sb.append(CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON);
sb.append(EOL);
sb.append(PATTERN_TYPE_APACHE_ANT);
sb.append(EOL);
sb.append(/ ** login.html = IS_AUTHENTICATED_ANONYMOUSLY);
sb.append(EOL);
sb.append(/ user / ** = ROLE_ADMIN);
return sb.toString();
$ b $ @SuppressWarnings(unchecked)
public Class getObjectType(){
return String.class;
}
public boolean isSingleton(){
return true;
}
}
传递一个DAO等
< bean id =filterSecurityInterceptorclass =org.springframework.security.intercept.web.FilterSecurityInterceptor>
< security:custom-filter before =FILTER_SECURITY_INTERCEPTOR/>
< property name =authenticationManagerref =authenticationManager/>
< property name =accessDecisionManagerref =accessDecisionManager/>
< property name =objectDefinitionSourceref =requestMappings/>
< / bean>
< bean id =requestMappingsclass =RequestMappingFactoryBean/>
已经有一段时间了,但您可以创建一个Voter对象,它有助于决定是否允许访问URL。 Voter对象可以从数据库或文件加载数据,或者只是随机返回允许,拒绝或弃权。
Hopefully this is super simple, exists, and I'm overlooking something right under my nose. I know that I can restrict access via annotations:
@Secured({"ROLE_ADMIN"})
or via config:
<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN, ROLE_SUPER_USER" />
I would prefer to obtain authentication rules from a database, something like:
<security:intercept-url provider="authProvider"/>
<bean id="authProvider" class="AuthProviderImpl">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
Worst case scenario, there has to be a way to populate via a properties file right?...
/admin/**=ROLE_ADMIN
/**=ROLE_USER
<security:intercept-url props="classpath:urls.properties"/>
etc.
Please tell me this exists or my brain will explode!!! The Grails spring-security plugin ships with this out of the box so I know this has to exist. Please don't let my brain explode!!!
EDIT:
Figured it out...
You have to provide a custom org.springframework.security.intercept.web.FilterSecurityInterceptor
and provide the objectDefinitionSource
:
<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**login.html=IS_AUTHENTICATED_ANONYMOUSLY
/user/**=ROLE_ADMIN
</value>
</property>
</bean>
And I think I'm going to use a FactoryBean:
public class RequestMappingFactoryBean implements FactoryBean {
private final static String EOL = System.getProperty("line.separator");
public Object getObject() throws Exception {
StringBuffer sb = new StringBuffer();
sb.append("CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON");
sb.append(EOL);
sb.append("PATTERN_TYPE_APACHE_ANT");
sb.append(EOL);
sb.append("/**login.html=IS_AUTHENTICATED_ANONYMOUSLY");
sb.append(EOL);
sb.append("/user/**=ROLE_ADMIN");
return sb.toString();
}
@SuppressWarnings("unchecked")
public Class getObjectType() {
return String.class;
}
public boolean isSingleton() {
return true;
}
}
Pass it a DAO, etc.
<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="objectDefinitionSource" ref="requestMappings" />
</bean>
<bean id="requestMappings" class="RequestMappingFactoryBean" />
It's been a while, but you can create a Voter object which helps decide whether to allow access to a URL. The Voter object can load data from the database, or a file, or just randomly return Allow, Deny, or Abstain.
这篇关于从数据库或属性获取Spring Security拦截URL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!