当前位置:theitroad>java 从数据库或属性中获取 Spring Security 拦截 url

java 从数据库或属性中获取 Spring Security 拦截 url

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/2315873/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-10-29 20:35:07  来源:igfitidea点击:

Get Spring Security intercept urls from database or properties

javaspringgrailsspring-mvcspring-security

提问by Droo

Hopefully this is super simple, exists, and I'm overlooking something right under my nose. I know that I can restrict access via annotations:

希望这是超级简单的,存在的,我正在俯瞰我眼皮底下的东西。我知道我可以通过注释限制访问:

@Secured({"ROLE_ADMIN"})

or via config:

或通过配置:

<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN, ROLE_SUPER_USER" />

I would prefer to obtain authentication rules from a database, something like:

我更愿意从数据库中获取身份验证规则,例如:

<security:intercept-url provider="authProvider"/>

<bean id="authProvider" class="AuthProviderImpl">
    <property name="userDetailsService" ref="userDetailsService"/>
</bean>

Worst case scenario, there has to be a way to populate via a properties file right?...

最坏的情况是,必须有一种方法可以通过属性文件进行填充,对吗?...

/admin/**=ROLE_ADMIN
/**=ROLE_USER

/admin/**=ROLE_ADMIN
/**=ROLE_USER

<security:intercept-url props="classpath:urls.properties"/>

etc.

等等。

Please tell me this exists or my brain will explode!!! The Grails spring-security plugin ships with this out of the box so I know this has to exist. Please don't let my brain explode!!!

请告诉我这是存在的,否则我的大脑会爆炸!!!Grails spring-security 插件随附开箱即用,所以我知道它必须存在。请不要让我的脑袋爆炸!!!

EDIT:

编辑:

Figured it out...

弄清楚了...

You have to provide a custom org.springframework.security.intercept.web.FilterSecurityInterceptorand provide the objectDefinitionSource:

您必须提供自定义org.springframework.security.intercept.web.FilterSecurityInterceptor并提供objectDefinitionSource

<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /**login.html=IS_AUTHENTICATED_ANONYMOUSLY
            /user/**=ROLE_ADMIN
        </value>
    </property>
</bean>

And I think I'm going to use a FactoryBean:

我想我将使用 FactoryBean:

public class RequestMappingFactoryBean implements FactoryBean {

    private final static String EOL = System.getProperty("line.separator");

    public Object getObject() throws Exception {
        StringBuffer sb = new StringBuffer();
        sb.append("CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON");
        sb.append(EOL);
        sb.append("PATTERN_TYPE_APACHE_ANT");
        sb.append(EOL);
        sb.append("/**login.html=IS_AUTHENTICATED_ANONYMOUSLY");
        sb.append(EOL);
        sb.append("/user/**=ROLE_ADMIN");
        return sb.toString();
    }

    @SuppressWarnings("unchecked")
    public Class getObjectType() {
        return String.class;
    }

    public boolean isSingleton() {
        return true;
    }

}

Pass it a DAO, etc.

将它传递给 DAO 等。

<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="objectDefinitionSource" ref="requestMappings" />
</bean>

<bean id="requestMappings" class="RequestMappingFactoryBean" />

采纳答案by Chris Freeman

It's been a while, but you can create a Voter object which helps decide whether to allow access to a URL. The Voter object can load data from the database, or a file, or just randomly return Allow, Deny, or Abstain.

已经有一段时间了,但是您可以创建一个 Voter 对象来帮助决定是否允许访问 URL。Voter 对象可以从数据库或文件中加载数据,或者只是随机返回 Allow、Deny 或 Abstain。

回答by Michel

do you want to use something like this in you spring xml?

你想在你的spring xml中使用这样的东西吗?

<!-- Settings -->
<b:bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <b:property name="locations">
        <b:value>/WEB-INF/config.properties</b:value>
    </b:property>
</b:bean>

and then als in your Spring XML:

然后 als 在你的 Spring XML 中:

<http entry-point-ref="authenticationProcessingFilterEntryPoint">
        <intercept-url pattern='/custom/**' access="${roles.admin}"/>
</http>

相关推荐

java 仍然无法通过 VisualVM 远程连接 Tomcat 6

java 仍然无法通过 VisualVM 远程连接 Tomcat 6

java System.nanoTime() 在 C 中等效

java System.nanoTime() 在 C 中等效

java 在 J2SE 中“关闭”spring 上下文的正确方法

java 在 J2SE 中“关闭”spring 上下文的正确方法

用于将对象转换为数字(整数、长整数等)的 Java 库

用于将对象转换为数字(整数、长整数等)的 Java 库

相关推荐
最近更新
标签