这篇文章主要介绍了Spring security用户URL权限FilterSecurityInterceptor使用解析,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友可以参考下
用户通过浏览器发送URL地址,由FilterSecurityInterceptor判断是否具有相应的访问权限。
对于方法级别的权限(例如注解@PreAuthorize("hasRole('ADMIN')")),则由MethodSecurityInterceptor判断。
两个拦截器都继承了AbstractSecurityInterceptor
代码如下
package org.springframework.security.web.access.intercept;
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
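/**
 * Servlet {@link Filter} that authorizes each HTTP request against the configured
 * URL security metadata. The request, response and chain are wrapped in a
 * {@link FilterInvocation}, which is the "secure object" handed to
 * {@link AbstractSecurityInterceptor#beforeInvocation(Object)} for the access decision.
 *
 * <p>The original listing was a whitespace-mangled paste with inconsistent identifier
 * casing ({@code observeoncePerRequest} vs {@code observeOncePerRequest},
 * {@code SecuritymetadataSource}) and a broken generic ({@code Class>}); those are
 * corrected here so the class compiles against the imported superclass.
 */
public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
    // ~ Static fields/initializers
    // =====================================================================================

    /**
     * Request attribute set once this filter has run for a request. Its presence is what
     * {@link #invoke(FilterInvocation)} uses to skip a second authorization decision.
     */
    private static final String FILTER_APPLIED = "__spring_security_filterSecurityInterceptor_filterApplied";

    // ~ Instance fields
    // ================================================================================================

    /** URL-pattern-to-attribute mapping that the access decision is made against. */
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    /**
     * When {@code true} (the default), a request that already carries {@link #FILTER_APPLIED}
     * is passed down the chain without being authorized again. Any later pass of the same
     * request object through this filter is therefore not re-checked.
     */
    private Boolean observeOncePerRequest = true;

    // ~ Methods
    // ========================================================================================================

    /** No-op: this interceptor is configured through its setters, not through the filter config. */
    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }

    /** No-op: there are no resources to release. */
    @Override
    public void destroy() {
    }

    /**
     * Wraps the servlet triple in a {@link FilterInvocation} and delegates to
     * {@link #invoke(FilterInvocation)}.
     *
     * @param request the current request
     * @param response the current response
     * @param chain the remaining filter chain
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        FilterInvocation fi = new FilterInvocation(request, response, chain);
        invoke(fi);
    }

    /** @return the configured URL security metadata source (may be {@code null} until set) */
    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    /** Exposes the metadata source to the superclass, which looks up the attributes for a secure object. */
    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    /** @param newSource the URL security metadata source to authorize against */
    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource newSource) {
        this.securityMetadataSource = newSource;
    }

    /** The only secure object type this interceptor accepts. */
    @Override
    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    /**
     * Authorizes the request and, if allowed, continues the filter chain.
     *
     * <p>Flow: if the request is already marked as filtered and once-per-request handling is
     * on, the chain is continued with no new decision. Otherwise the request is marked,
     * {@code beforeInvocation} runs the access decision (it throws when access is denied, so
     * the chain is never reached in that case), the chain runs, {@code finallyInvocation}
     * always restores state, and {@code afterInvocation} runs after a normal return. The
     * {@code null} return value passed to {@code afterInvocation} reflects that a filter chain
     * produces no result object.
     *
     * @param fi the secure object for the current request
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain
     */
    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        if (alreadyApplied(fi)) {
            // Filter already applied to this request and once-per-request handling is on:
            // continue the chain without repeating the security check.
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
            return;
        }

        // First time through for this request: mark it, then perform security checking.
        markApplied(fi);

        // Matches the current URL against the configured metadata source and asks the
        // superclass's AccessDecisionManager to decide; throws if access is denied.
        InterceptorStatusToken token = super.beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            super.finallyInvocation(token);
        }
        super.afterInvocation(token, null);
    }

    /**
     * True when the request carries {@link #FILTER_APPLIED} and once-per-request handling is
     * enabled. A {@code null} {@code observeOncePerRequest} is treated as {@code false} rather
     * than unboxing to a {@link NullPointerException}.
     */
    private boolean alreadyApplied(FilterInvocation fi) {
        return fi.getRequest() != null
                && fi.getRequest().getAttribute(FILTER_APPLIED) != null
                && Boolean.TRUE.equals(this.observeOncePerRequest);
    }

    /** Sets the {@link #FILTER_APPLIED} marker when a request is present. */
    private static void markApplied(FilterInvocation fi) {
        if (fi.getRequest() != null) {
            fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
        }
    }

    /** @return whether a request is authorized at most once per pass through this filter */
    public Boolean isObserveOncePerRequest() {
        return this.observeOncePerRequest;
    }

    /** @param observeOncePerRequest {@code true} to skip re-authorization of an already-filtered request */
    public void setObserveOncePerRequest(Boolean observeOncePerRequest) {
        this.observeOncePerRequest = observeOncePerRequest;
    }
}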



