Spring Security user-defined URL interceptor

Time: 2016-12-26 11:13:11

Tags: java spring-security

I have implemented Spring Security in my webapp.

Below is my security configuration file:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/admin**" access="Admin" />

        <!-- access denied page -->
        <access-denied-handler error-page="/403" />
        <form-login 
            login-page="/login" 
            default-target-url="/welcome" 
            authentication-failure-url="/login?error" 
            username-parameter="mobileno"
            password-parameter="staffpwd" />
        <logout logout-success-url="/login?logout"  />
        <csrf/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query=
                    "select username,password, enabled from users where username=?"
                authorities-by-username-query=
                    "select username, role from user_roles where username =?  " />
        </authentication-provider>
    </authentication-manager>

</beans:beans>

Now, in the intercept-url, the /admin URL is only allowed for users with the Admin role. Now I have to add a new rule: if someone is not verified or is blocked, then that user must not be able to access that URL. There is a little more business logic based on DB table calculations. So how do I configure these user-defined URL interceptors?

This is my first time doing Spring Security, so please tell me how to get this done.

Thanks

1 answer:

Answer 0: (score: 0)

<http auto-config="true" use-expressions="true">
    <!-- static resource -->
    <intercept-url pattern="/403" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />

    <!-- only user with Admin role can access -->
    <intercept-url pattern="/admin**" access="hasRole('Admin')" />

    <!-- other urls should be authenticated -->
    <intercept-url pattern="/**" access="isFullyAuthenticated()" />

    <!-- access denied page -->
    <access-denied-handler error-page="/403" />
    <form-login 
        login-page="/login" 
        default-target-url="/welcome" 
        authentication-failure-url="/login?error" 
        username-parameter="mobileno"
        password-parameter="staffpwd" />
    <logout logout-success-url="/login?logout"  />
    <csrf/>
</http>

Now I have to add a new rule: if someone is not verified or is blocked, then that user cannot access that URL. There is some more business logic based on database table calculations.

If you need to implement more complex business logic, you should implement your own UserDetailsService or AuthenticationProvider.
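One way to put that "blocked user" rule into a custom UserDetailsService, as an added example that is not code from the question or the answer. It assumes the question's `users` (username, password, enabled) and `user_roles` (username, role) tables plus a hypothetical `blocked` column, and it is wired in by replacing `<jdbc-user-service>` with `<authentication-provider user-service-ref="staffUserDetailsService"/>`.

```java
// Added example, not from the original post. Assumes a hypothetical `blocked`
// column in the `users` table alongside the existing username/password/enabled.
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class StaffUserDetailsService implements UserDetailsService {

    private final JdbcTemplate jdbc;

    public StaffUserDetailsService(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // JDBC drivers return BIT/TINYINT flags as Boolean or as a number; accept both.
    private static boolean flag(Object value) {
        if (value instanceof Boolean) return (Boolean) value;
        return value instanceof Number && ((Number) value).intValue() != 0;
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        // Parameterised query: the username comes straight from the login form (mobileno).
        List<Map<String, Object>> rows = jdbc.queryForList(
            "select username, password, enabled, blocked from users where username = ?",
            username);
        if (rows.isEmpty()) {
            // Spring maps this to the same "bad credentials" failure as a wrong password,
            // so the login page does not reveal which mobile numbers are registered.
            throw new UsernameNotFoundException("unknown user");
        }
        Map<String, Object> row = rows.get(0);

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : jdbc.queryForList(
                "select role from user_roles where username = ?", String.class, username)) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        // enabled=false -> DisabledException, accountNonLocked=false -> LockedException.
        // DaoAuthenticationProvider runs these checks before comparing the password, so a
        // blocked user never gets a session and never reaches /admin** or any other URL.
        return new User(username, (String) row.get("password"), flag(row.get("enabled")),
                true, true, !flag(row.get("blocked")), authorities);
    }
}
```

Because the rule is enforced at login rather than per URL, you keep the `<intercept-url>` rules from the answer unchanged and only swap the user service; a blocked account is rejected with a LockedException and lands on `/login?error`.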