1. Access control with expressions
- Under the hood, the built-in authorization methods are implemented by calling access(expression).
```java
/**
 * Allows specifying that URLs are secured by an arbitrary expression
 * @param attribute the expression to secure the URLs (i.e. "hasRole('ROLE_USER')
 * and hasRole('ROLE_SUPER')")
 * @return the {@link ExpressionUrlAuthorizationConfigurer} for further
 * customization
 */
public ExpressionInterceptUrlRegistry access(String attribute) {
    if (this.not) {
        attribute = "!" + attribute;
    }
    interceptUrl(this.requestMatchers, SecurityConfig.createList(attribute));
    return ExpressionUrlAuthorizationConfigurer.this.REGISTRY;
}
```
- access(expression)
1.1 Using the access() method
- The methods that can be used inside access() are the same as those in the table above
- For example, in .antMatchers("/xxx.html").access("hasRole('xxx')") the argument to access() is an expression containing the name of the method that would otherwise follow antMatchers("/xxx.html"), i.e. one of:
- .antMatchers("/xxx.html").hasRole("xxx")
- .antMatchers("/xxx.html").hasAnyRole("xxx", "xxx")
- .antMatchers("/xxx.html").hasAuthority("xxx")
- .antMatchers("/xxx.html").hasAnyAuthority("xxx", "xxx")
- .antMatchers("/xxx.html").hasIpAddress("xxx")
```java
// Authority-based checks: the authority string is compared as written.
http.authorizeRequests().antMatchers("/root.html").access("hasAuthority('ROLE_ADMIN')");
http.authorizeRequests().antMatchers("/admin.html").access("hasAnyAuthority('ROLE_ADMIN', 'ROLE_USER')");
// Role-based form of the same checks: hasRole/hasAnyRole add the ROLE_ prefix.
http.authorizeRequests().antMatchers("/root.html").access("hasRole('ADMIN')");
http.authorizeRequests().antMatchers("/admin.html").access("hasAnyRole('ADMIN', 'USER')");
// IP-based check.
http.authorizeRequests().antMatchers("/ip.html").access("hasIpAddress('127.0.0.1')");
```
- Access control behaves the same as with the previous approach. Calling the methods directly by name is recommended: it is easier to adjust, and the IDE can check whether the method name is wrong
1.2 Custom handler methods
- All of the above use built-in methods. You can also specify a custom method to make the decision
- Define a custom authorization handler interface
```java
import org.springframework.security.core.Authentication;
import javax.servlet.http.HttpServletRequest;

public interface CustomAuthenticationHandler {
    /**
     * Check whether the corresponding permission is available.
     *
     * @param request        request information
     * @param authentication authorization information
     * @return whether the permission is granted
     */
    boolean hasPermission(HttpServletRequest request, Authentication authentication);
}
```
- Implement the custom authorization handler interface
```java
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;
import javax.servlet.http.HttpServletRequest;

@Service
@Slf4j
public class AdvanceCustomAuthenticationHandler implements CustomAuthenticationHandler {
    /** Role that has access permission. It could be obtained from the database. */
    private static final String ACCESS_ROLE = "ROLE_ADMIN";

    @Override
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        Object principal = authentication.getPrincipal();
        if (principal instanceof UserDetails) {
            UserDetails userDetails = (UserDetails) principal;
            // JsonUtil is the author's own JSON helper; it is not shown on this page.
            log.info("Obtained authorization information [{}]", JsonUtil.toJson(userDetails));
            // Grant access only if one of the user's authorities equals ACCESS_ROLE.
            return userDetails.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .anyMatch(authority -> authority.equals(ACCESS_ROLE));
        }
        // Any other principal type is denied.
        return false;
    }
}
```
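- In http.authorizeRequests(), specify the handler for the corresponding matching rule
- The handler is called with @ followed by the bean name and the method, as in @advanceCustomAuthenticationHandler.hasPermission(...)
- The HttpServletRequest request and Authentication authentication arguments are injected automatically when the method is called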
```java
http.authorizeRequests().antMatchers("/advance.html")
        .access("@advanceCustomAuthenticationHandler.hasPermission(request, authentication)");
```
- If the user logs in as admin, 403 is reported. If the user logs in as root, 403 is reported
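
A rule-driven variant of the handler above, as an added example that is not part of the original post: it reads authorities from the Authentication itself, matches the request path against a rule table, and denies when no rule matches. The class name RuleBasedAuthorizationHandler and the sample rules are hypothetical; it implements the page's CustomAuthenticationHandler interface and assumes the DispatcherServlet is mapped to "/".

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Service;
import org.springframework.util.AntPathMatcher;

// Hypothetical bean; its default bean name is ruleBasedAuthorizationHandler.
@Service
public class RuleBasedAuthorizationHandler implements CustomAuthenticationHandler {
    private final AntPathMatcher matcher = new AntPathMatcher();
    // Constructed sample rules (Ant pattern -> authorities allowed); these could
    // be loaded from the database. Insertion order matters: first match wins.
    private final Map<String, List<String>> rules = new LinkedHashMap<>();

    public RuleBasedAuthorizationHandler() {
        rules.put("/advance.html", Arrays.asList("ROLE_ADMIN"));
        rules.put("/reports/**", Arrays.asList("ROLE_ADMIN", "ROLE_USER"));
    }

    @Override
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        // Reject missing, unauthenticated and anonymous callers up front.
        if (authentication == null || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            return false;
        }
        // Use the Authentication's own authorities, so the check does not
        // depend on the principal being a UserDetails instance.
        Set<String> granted = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
        // Path within the application (assumes DispatcherServlet mapped to "/").
        String path = request.getServletPath();
        for (Map.Entry<String, List<String>> rule : rules.entrySet()) {
            if (matcher.match(rule.getKey(), path)) {
                return rule.getValue().stream().anyMatch(granted::contains);
            }
        }
        // Deny by default: a path with no rule is never implicitly allowed.
        return false;
    }
}
```

It is wired in the same way as the page's handler, with .access("@ruleBasedAuthorizationHandler.hasPermission(request, authentication)") on the matcher that should be protected.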