Question

如何正确设置权限，以便只有管理员才能使用其用户名和密码转到JSP页面。假设只有管理员可以使用页面（allStudents.jsp），为此，他必须输入用户名和密码

package adil.java.schoolmaven.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.stereotype.Component;

@Order(1)
@Configuration
@EnableWebSecurity
@Component
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyBasicAuthenticationEntryPoint authenticationEntryPoint;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
          .withUser("admin").password(passwordEncoder().encode("1234"))
          .authorities("ROLE_ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
          .antMatchers("/securityNone").permitAll() //??????
          .anyRequest().authenticated()
          .and()
          .httpBasic()
          .authenticationEntryPoint(authenticationEntryPoint);

        http.addFilterAfter(new CustomFilter(),
          BasicAuthenticationFilter.class);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

enter image description here

我已更改代码，请查看此代码

@Order(1)
@Configuration
@EnableWebSecurity
@Component
public class СostumWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyBasicAuthenticationEntryPoint authenticationEntryPoint;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
          .withUser("admin").password(passwordEncoder().encode("1234"))
          .authorities("ROLE_ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
          .antMatchers("/allStudents").hasRole("ADMIN");
          .anyRequest().authenticated()
          .and()
          .httpBasic()
          .authenticationEntryPoint(authenticationEntryPoint);

        http.addFilterAfter(new CustomFilter(),
          BasicAuthenticationFilter.class);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

Answer 1

整页授权示例

在为http元素启用表达式的情况下，可以使用以下网址格式安全性如下：

CURLOPT_RETURNTRANSFER

方法级别授权示例– @PreAuthorize

安全表达式可用于保护位于以下位置的业务功能   方法级别，也可以使用注释。

@PreAuthorize和@PostAuthorize注释（以及   @PreFilter和@PostFilter）支持Spring Expression Language（SpEL）   并提供基于表达式的访问控制。

首先，为了使用方法级安全性，我们需要启用此功能   在使用@EnableGlobalMethodSecurity的安全配置中：

@Configuration
@EnableWebSecurity
public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          .authorizeRequests()
          .antMatchers("/allStudents").hasRole("ROLE_ADMIN"); // assuming this is your endpoint/controller for allStudents.jsp page
    }
}

然后，我们可以使用Spring @PreAuthorize批注来保护方法：

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
   ...
}

有关此示例的更多详细说明，您可以参考此link

如何提供访问权限（Spring Security）

1 个答案: