spring security动态配置url权限的2种实现方法
缘起
标准的RABC,权限需要支持动态配置,springsecurity默认是在代码里约定好权限,真实的业务场景通常需要可以支持动态配置角色访问权限,即在运行时去配置url对应的访问角色。
基于springsecurity,如何实现这个需求呢?
最简单的方法就是自定义一个Filter去完成权限判断,但这脱离了springsecurity框架,如何基于springsecurity优雅的实现呢?
springsecurity授权回顾
springsecurity通过FilterChainProxy作为注册到web的filter,FilterChainProxy里面一次包含了内置的多个过滤器,我们首先需要了解springsecurity内置的各种filter:
Alias | FilterClass | NamespaceElementorAttribute |
---|---|---|
CHANNEL_FILTER | ChannelProcessingFilter | http/intercept-url@requires-channel |
SECURITY_CONTEXT_FILTER | SecurityContextPersistenceFilter | http |
CONCURRENT_SESSION_FILTER | ConcurrentSessionFilter | session-management/concurrency-control |
HEADERS_FILTER | HeaderWriterFilter | http/headers |
CSRF_FILTER | CsrfFilter | http/csrf |
LOGOUT_FILTER | LogoutFilter | http/logout |
X509_FILTER | X509AuthenticationFilter | http/x509 |
PRE_AUTH_FILTER | AbstractPreAuthenticatedProcessingFilterSubclasses | N/A |
CAS_FILTER | CasAuthenticationFilter | N/A |
FORM_LOGIN_FILTER | UsernamePasswordAuthenticationFilter | http/form-login |
BASIC_AUTH_FILTER | BasicAuthenticationFilter | http/http-basic |
SERVLET_API_SUPPORT_FILTER | SecurityContextHolderAwareRequestFilter | http/@servlet-api-provision |
JAAS_API_SUPPORT_FILTER | JaasApiIntegrationFilter | http/@jaas-api-provision |
REMEMBER_ME_FILTER | RememberMeAuthenticationFilter | http/remember-me |
ANONYMOUS_FILTER | AnonymousAuthenticationFilter | http/anonymous |
SESSION_MANAGEMENT_FILTER | SessionManagementFilter | session-management |
EXCEPTION_TRANSLATION_FILTER | ExceptionTranslationFilter | http |
FILTER_SECURITY_INTERCEPTOR | FilterSecurityInterceptor | http |
SWITCH_USER_FILTER | SwitchUserFilter | N/A |
最重要的是FilterSecurityInterceptor,该过滤器实现了主要的鉴权逻辑,最核心的代码在这里:
protectedInterceptorStatusTokenbeforeInvocation(Objectobject){ //获取访问URL所需权限 Collectionattributes=this.obtainSecurityMetadataSource() .getAttributes(object); Authenticationauthenticated=authenticateIfRequired(); //通过accessDecisionManager鉴权 try{ this.accessDecisionManager.decide(authenticated,object,attributes); } catch(AccessDeniedExceptionaccessDeniedException){ publishEvent(newAuthorizationFailureEvent(object,attributes,authenticated, accessDeniedException)); throwaccessDeniedException; } if(debug){ logger.debug("Authorizationsuccessful"); } if(publishAuthorizationSuccess){ publishEvent(newAuthorizedEvent(object,attributes,authenticated)); } //Attempttorunasadifferentuser AuthenticationrunAs=this.runAsManager.buildRunAs(authenticated,object, attributes); if(runAs==null){ if(debug){ logger.debug("RunAsManagerdidnotchangeAuthenticationobject"); } //nofurtherworkpost-invocation returnnewInterceptorStatusToken(SecurityContextHolder.getContext(),false, attributes,object); } else{ if(debug){ logger.debug("SwitchingtoRunAsAuthentication:"+runAs); } SecurityContextorigCtx=SecurityContextHolder.getContext(); SecurityContextHolder.setContext(SecurityContextHolder.createEmptyContext()); SecurityContextHolder.getContext().setAuthentication(runAs); //needtoreverttotoken.Authenticatedpost-invocation returnnewInterceptorStatusToken(origCtx,true,attributes,object); } }
从上面可以看出,要实现动态鉴权,可以从两方面着手:
- 自定义SecurityMetadataSource,实现从数据库加载ConfigAttribute
- 另外就是可以自定义accessDecisionManager,官方的UnanimousBased其实足够使用,并且他是基于AccessDecisionVoter来实现权限认证的,因此我们只需要自定义一个AccessDecisionVoter就可以了
下面来看分别如何实现。
自定义AccessDecisionManager
官方的三个AccessDecisionManager都是基于AccessDecisionVoter来实现权限认证的,因此我们只需要自定义一个AccessDecisionVoter就可以了。
自定义主要是实现AccessDecisionVoter接口,我们可以仿照官方的RoleVoter实现一个:
publicclassRoleBasedVoterimplementsAccessDecisionVoter
如何加入动态权限呢?
vote(Authenticationauthentication,Objectobject,Collection
FilterInvocationfi=(FilterInvocation)object; Stringurl=fi.getRequestUrl();
因此这里扩展空间就大了,可以从DB动态加载,然后判断URL的ConfigAttribute就可以了。
如何使用这个RoleBasedVoter呢?在configure里使用accessDecisionManager方法自定义,我们还是使用官方的UnanimousBased,然后将自定义的RoleBasedVoter加入即可。
@EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled=true,securedEnabled=true) publicclassSecurityConfigurationextendsWebSecurityConfigurerAdapter{ @Override protectedvoidconfigure(HttpSecurityhttp)throwsException{ http .addFilterBefore(corsFilter,UsernamePasswordAuthenticationFilter.class) .exceptionHandling() .authenticationEntryPoint(problemSupport) .accessDeniedHandler(problemSupport) .and() .csrf() .disable() .headers() .frameOptions() .disable() .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .authorizeRequests() //自定义accessDecisionManager .accessDecisionManager(accessDecisionManager()) .and() .apply(securityConfigurerAdapter()); } @Bean publicAccessDecisionManageraccessDecisionManager(){ List>decisionVoters =Arrays.asList( newWebExpressionVoter(), //newRoleVoter(), newRoleBasedVoter(), newAuthenticatedVoter()); returnnewUnanimousBased(decisionVoters); }
自定义SecurityMetadataSource
自定义FilterInvocationSecurityMetadataSource只要实现接口即可,在接口里从DB动态加载规则。
为了复用代码里的定义,我们可以将代码里生成的SecurityMetadataSource带上,在构造函数里传入默认的FilterInvocationSecurityMetadataSource。
publicclassAppFilterInvocationSecurityMetadataSourceimplementsorg.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource{ privateFilterInvocationSecurityMetadataSourcesuperMetadataSource; @Override publicCollectiongetAllConfigAttributes(){ returnnull; } publicAppFilterInvocationSecurityMetadataSource(FilterInvocationSecurityMetadataSourceexpressionBasedFilterInvocationSecurityMetadataSource){ this.superMetadataSource=expressionBasedFilterInvocationSecurityMetadataSource; //TODO从数据库加载权限配置 } privatefinalAntPathMatcherantPathMatcher=newAntPathMatcher(); //这里的需要从DB加载 privatefinalMap urlRoleMap=newHashMap (){{ put("/open/**","ROLE_ANONYMOUS"); put("/health","ROLE_ANONYMOUS"); put("/restart","ROLE_ADMIN"); put("/demo","ROLE_USER"); }}; @Override publicCollection getAttributes(Objectobject)throwsIllegalArgumentException{ FilterInvocationfi=(FilterInvocation)object; Stringurl=fi.getRequestUrl(); for(Map.Entry entry:urlRoleMap.entrySet()){ if(antPathMatcher.match(entry.getKey(),url)){ returnSecurityConfig.createList(entry.getValue()); } } //返回代码定义的默认配置 returnsuperMetadataSource.getAttributes(object); } @Override publicbooleansupports(Class>clazz){ returnFilterInvocation.class.isAssignableFrom(clazz); } }
怎么使用?和accessDecisionManager不一样,ExpressionUrlAuthorizationConfigurer并没有提供set方法设置FilterSecurityInterceptor的FilterInvocationSecurityMetadataSource,howtodo?
发现一个扩展方法withObjectPostProcessor,通过该方法自定义一个处理FilterSecurityInterceptor类型的ObjectPostProcessor就可以修改FilterSecurityInterceptor。
@EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled=true,securedEnabled=true) publicclassSecurityConfigurationextendsWebSecurityConfigurerAdapter{ @Override protectedvoidconfigure(HttpSecurityhttp)throwsException{ http .addFilterBefore(corsFilter,UsernamePasswordAuthenticationFilter.class) .exceptionHandling() .authenticationEntryPoint(problemSupport) .accessDeniedHandler(problemSupport) .and() .csrf() .disable() .headers() .frameOptions() .disable() .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .authorizeRequests() //自定义FilterInvocationSecurityMetadataSource .withObjectPostProcessor(newObjectPostProcessor(){ @Override public OpostProcess( Ofsi){ fsi.setSecurityMetadataSource(mySecurityMetadataSource(fsi.getSecurityMetadataSource())); returnfsi; } }) .and() .apply(securityConfigurerAdapter()); } @Bean publicAppFilterInvocationSecurityMetadataSourcemySecurityMetadataSource(FilterInvocationSecurityMetadataSourcefilterInvocationSecurityMetadataSource){ AppFilterInvocationSecurityMetadataSourcesecurityMetadataSource=newAppFilterInvocationSecurityMetadataSource(filterInvocationSecurityMetadataSource); returnsecurityMetadataSource; }
小结
本文介绍了两种基于springsecurity实现动态权限的方法,一是自定义accessDecisionManager,二是自定义FilterInvocationSecurityMetadataSource。实际项目里可以根据需要灵活选择。
延伸阅读:
SpringSecurity架构与源码分析
总结
以上就是这篇文章的全部内容了,希望本文的内容对大家的学习或者工作具有一定的参考学习价值,如果有疑问大家可以留言交流,谢谢大家对毛票票的支持。