基于 Spring Security 角色的 URL

问题描述:

如何让 Spring Security 在用户登录后根据其角色更改重定向页面?


您使用的是哪个版本的 Spring Security? – sourcedelica 2011-05-28 12:30:38


请在答案中概述链接所指向的内容,以防链接将来失效。 http://meta.stackexchange.com/questions/8231/are-answers-that-just-contain-links-elsewhere-really-good-answers – GSee 2012-07-15 23:00:03

基于 mmounirou 提供的链接,我把其中的内容复制到这里(以防该链接失效),下面是我用来实现基于角色重定向的代码:

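public class RoleBasedAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
    /** Authority name (e.g. "ROLE_ADMIN") -> landing path relative to the context path. */
    private Map<String, String> roleUrlMap;

    /** Landing path used when none of the user's authorities has an entry in roleUrlMap. */
    private String defaultUrl = "/";

    /**
     * Redirects the freshly authenticated user to the page configured for the first
     * of their authorities that has an entry in {@code roleUrlMap}, or to
     * {@code defaultUrl} when none matches (the previous version redirected to
     * "<contextPath>null" for an unmapped role and sent nothing at all for a
     * principal that was not a {@link UserDetails}).
     *
     * <p>Authorities are read from the {@link UserDetails} principal when there is
     * one, otherwise from the {@link Authentication} itself.
     *
     * @param request        the login request; its context path prefixes the target
     * @param response       the response that receives the redirect
     * @param authentication the successful authentication
     * @throws IOException if the redirect cannot be written
     */
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        Object principal = authentication.getPrincipal();
        Iterable<?> authorities = principal instanceof UserDetails
                ? ((UserDetails) principal).getAuthorities()
                : authentication.getAuthorities();

        String target = defaultUrl;
        if (roleUrlMap != null && authorities != null) {
            // The iteration order of the authority collection is up to the
            // UserDetails implementation, so the first *mapped* authority wins
            // rather than blindly the first element.
            for (Object authority : authorities) {
                String mapped = roleUrlMap.get(String.valueOf(authority));
                if (mapped != null) {
                    target = mapped;
                    break;
                }
            }
        }
        if (response.isCommitted()) {
            return;
        }
        // Targets come from configuration only and are context-relative; nothing
        // from the request is ever used to build the redirect location.
        response.sendRedirect(request.getContextPath() + target);
    }

    public void setRoleUrlMap(Map<String, String> roleUrlMap) {
        this.roleUrlMap = roleUrlMap;
    }

    /**
     * Overrides the fallback landing path ("/" by default) used when no authority
     * of the user is present in the role map.
     */
    public void setDefaultUrl(String defaultUrl) {
        this.defaultUrl = defaultUrl;
    }
}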

Bean 的初始化,定义每个角色登录后应重定向到的位置:

<beans:bean id="redirectRoleStrategy" class="dk.amfibia....security.RoleBasedAuthenticationSuccessHandler">
    <!-- Keys are authority names exactly as the UserDetails reports them;
         values are context-relative paths that the handler appends to
         request.getContextPath(). Every role that is allowed to log in
         should have an entry here, because the handler above builds the
         redirect from Map.get() of the user's role. -->
    <beans:property name="roleUrlMap">
     <beans:map>
      <beans:entry key="ROLE_SYSTEM" value="/system/index.htm"/>
      <beans:entry key="ROLE_ADMIN" value="/admin/index.htm"/>
      <beans:entry key="ROLE_USER" value="/index.htm"/>
     </beans:map>
    </beans:property>
</beans:bean>

最后,需要告诉 Spring Security 使用这个 redirectRoleStrategy:在 form-login 标签中设置属性 authentication-success-handler-ref="redirectRoleStrategy"。

下面是一个基于角色 URL 重定向的示例:

RoleBaseUrlHandler.java

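@Component
public class RoleBaseUrlHandler extends SimpleUrlAuthenticationSuccessHandler {

    /** Performs the actual redirect; replaceable through setRedirectStrategy(). */
    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = redirectStrategy;
    }

    protected RedirectStrategy getRedirectStrategy() {
        return redirectStrategy;
    }

    /**
     * Invokes the configured RedirectStrategy with the URL returned by
     * determineTargetUrl. The committed-response check now runs before any
     * other work, and the strategy is obtained through the getter so that a
     * subclass overriding getRedirectStrategy() is honoured.
     *
     * @param request        the login request
     * @param response       the response that receives the redirect
     * @param authentication the successful authentication
     * @throws IOException if the redirect cannot be written
     */
    @Override
    protected void handle(HttpServletRequest request,
            HttpServletResponse response,
            Authentication authentication) throws IOException {
        if (response.isCommitted()) {
            return;
        }
        String targetUrl = determineTargetUrl(authentication);
        getRedirectStrategy().sendRedirect(request, response, targetUrl);
    }

    /**
     * Picks the landing page from the authenticated user's authorities.
     * The user check runs first, so an account holding both ROLE_User and
     * ROLE_Admin lands on "/user"; "/accessDenied" is the fallback for an
     * authenticated user carrying neither role.
     *
     * @param authentication the successful authentication; only its authorities are read
     * @return a context-relative path
     */
    protected String determineTargetUrl(Authentication authentication) {
        List<String> roles = new ArrayList<String>();
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            roles.add(authority.getAuthority());
        }
        if (isUser(roles)) {
            return "/user";
        }
        if (isAdmin(roles)) {
            return "/admin";
        }
        return "/accessDenied";
    }

    /** True when the authority list contains ROLE_User (case-sensitive). */
    private boolean isUser(List<String> roles) {
        return roles.contains("ROLE_User");
    }

    /** True when the authority list contains ROLE_Admin (case-sensitive). */
    private boolean isAdmin(List<String> roles) {
        return roles.contains("ROLE_Admin");
    }
}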

SpringSecurityConfig.java

@EnableWebSecurity
@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Success handler that chooses the landing page from the user's role. */
    @Autowired
    RoleBaseUrlHandler urlHandler;

    /**
     * Registers two in-memory demo accounts. The passwords are stored exactly as
     * written, with no PasswordEncoder involved, which is suitable for a demo only;
     * a real deployment would keep hashed credentials in a proper user store.
     */
    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("Patel").password("Patel").authorities("ROLE_Admin")
            .and()
            .withUser("Shah").password("Shah").authorities("ROLE_User");
    }

    /**
     * URL authorization, form login with the role-based success handler, logout,
     * the access-denied page, CSRF protection and HTTP Basic. Each configurer is
     * requested from the same {@code http} builder, which is equivalent to the
     * single {@code .and()} chain.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // hasRole("Admin") matches the authority "ROLE_Admin" granted above.
        http.authorizeRequests()
            .antMatchers("/admin").hasRole("Admin")
            .antMatchers("/user").hasAnyRole("User", "Admin")
            .anyRequest().authenticated();

        http.formLogin()
            .loginPage("/login").successHandler(urlHandler).permitAll()
            .failureUrl("/login?error")
            .usernameParameter("username").passwordParameter("password");

        http.logout().logoutSuccessUrl("/login?logout");

        http.exceptionHandling().accessDeniedPage("/accessDenied");

        // CSRF protection stays enabled, so state-changing POSTs such as the
        // logout endpoint must carry the token.
        http.csrf();

        // HTTP Basic is offered alongside the form login.
        http.httpBasic();
    }

}

DemoSecurity.java

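@Controller
public class DemoSecurity {

    /**
     * Renders the login form. The query flags only select a generic message, so
     * no detail about why authentication failed reaches the page.
     *
     * @param error  present (any value) after a failed login
     * @param logout present (any value) after a logout
     * @param model  receives the "error" or "message" attribute
     * @return the "login" view name
     */
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String loginPage(
            @RequestParam(value = "error", required = false) String error,
            @RequestParam(value = "logout", required = false) String logout,
            Model model) {
        if (error != null) {
            model.addAttribute("error", "Invalid Credentials provided.");
        }
        if (logout != null) {
            model.addAttribute("message", "Logged out successfully.");
        }
        return "login";
    }

    /**
     * Invalidates the current authentication and redirects to the login page.
     * Mapped to POST only, so it is covered by the CSRF protection left enabled
     * in the security configuration.
     */
    @RequestMapping(value = "/logout", method = RequestMethod.POST)
    public String logoutPage(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) {
            new SecurityContextLogoutHandler().logout(request, response, auth);
        }
        return "redirect:/login?logout";
    }

    @RequestMapping(value = { "/admin" }, method = RequestMethod.GET)
    public String adminPage(Model model) {
        model.addAttribute("user", getPrincipal());
        return "admin";
    }

    @RequestMapping(value = { "/user" }, method = RequestMethod.GET)
    public String employeePage(Model model) {
        model.addAttribute("user", getPrincipal());
        return "user";
    }

    @RequestMapping(value = { "/accessDenied" }, method = RequestMethod.GET)
    public String accessDenied(Model model) {
        model.addAttribute("user", getPrincipal());
        return "accessDenied";
    }

    /**
     * Returns the current user's name: the UserDetails username when the
     * principal is one, otherwise the principal's string form.
     *
     * @return the name, or {@code null} when the security context holds no
     *         authentication or no principal (previously a NullPointerException)
     */
    private String getPrincipal() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || auth.getPrincipal() == null) {
            return null;
        }
        Object principal = auth.getPrincipal();
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return principal.toString();
    }

}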