sec:authorize-url标签不生效问题
问题描述:
我的项目使用 Spring Cloud + Thymeleaf + Spring Security,页面上用的是 Thymeleaf 与 Spring Security 整合后提供的标签。网上的解决方法很多,也很简单:sec:authorize="hasRole('ROLE_ADMIN')" 标签可以生效;但是我想控制 button 的显示与隐藏,而
sec:authorize-url 无效。下面说一下解决方法,很简单,只是想不到。
解决方法:
1.继承DefaultWebInvocationPrivilegeEvaluator并重写方法
2.将DefaultWebInvocationPrivilegeEvaluator子类在WebSecurityConfigurerAdapter中进行注册
点击参考博客:
源码
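// ===== File: CustomWebInvocationPrivilegeEvaluator.java =====
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator;
import org.springframework.stereotype.Component;

/**
 * Privilege evaluator exposed as a Spring bean so that it can be registered in
 * {@code SecurityConfiguration#configure(WebSecurity)}.
 *
 * <p>Both {@code isAllowed} overrides delegate unchanged to
 * {@link DefaultWebInvocationPrivilegeEvaluator}; the subclass adds no decision logic of its
 * own. What it changes is which interceptor the evaluator is built on: the one Spring injects
 * into the constructor.
 *
 * <p>Security note: {@code sec:authorize-url} only decides whether a piece of markup (for
 * example a button) is rendered. It does not protect the target URL. The request itself must
 * still be rejected server-side by the security filter chain, and the evaluator should be
 * built on the same interceptor that enforces those rules so that the rendered UI and the
 * enforced policy cannot disagree.
 */
@Component
public class CustomWebInvocationPrivilegeEvaluator extends DefaultWebInvocationPrivilegeEvaluator {

    /**
     * @param securityInterceptor interceptor whose access rules are consulted by the evaluator;
     *     presumably the project's {@code CustomFilterSecurityInterceptor} bean. Confirm that
     *     exactly one {@link AbstractSecurityInterceptor} bean is eligible for injection here.
     */
    public CustomWebInvocationPrivilegeEvaluator(AbstractSecurityInterceptor securityInterceptor) {
        super(securityInterceptor);
    }

    /**
     * Delegates to the superclass check for the given URI.
     *
     * @param uri URI to evaluate
     * @param authentication the principal the decision is made for
     * @return the superclass's decision
     */
    @Override
    public boolean isAllowed(String uri, Authentication authentication) {
        return super.isAllowed(uri, authentication);
    }

    /**
     * Delegates to the superclass check for the given context path, URI and HTTP method.
     *
     * @param contextPath context path of the application
     * @param uri URI to evaluate
     * @param method HTTP method of the request being evaluated
     * @param authentication the principal the decision is made for
     * @return the superclass's decision
     */
    @Override
    public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
        return super.isAllowed(contextPath, uri, method, authentication);
    }
}

// ===== File: SecurityConfiguration.java =====
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Web security configuration: OAuth2 SSO login, a custom authorization interceptor, CSRF
 * protection with the token mirrored into a cookie, logout handling, and registration of the
 * custom privilege evaluator used by {@code sec:authorize-url}.
 */
@Configuration
@EnableOAuth2Sso
@EnableConfigurationProperties(SecuritySettings.class)
@Order(1)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomFilterSecurityInterceptor customFilterSecurityInterceptor;

    @Autowired
    private SecuritySettings settings;

    @Autowired
    private CustomWebInvocationPrivilegeEvaluator webInvocationPrivilegeEvaluator;

    /**
     * Builds the HTTP security chain.
     *
     * <p>NOTE(review): {@code customFilterSecurityInterceptor} is injected as a bean and is
     * also added to the chain as a filter. Spring Boot registers {@code Filter} beans with the
     * servlet container by default, so unless that registration is disabled elsewhere the
     * interceptor may run a second time outside this chain, including for the paths ignored
     * in {@link #configure(WebSecurity)}. Confirm against the rest of the project.
     *
     * @param http the builder to configure
     * @throws Exception if the underlying configurers fail
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Custom authorization decisions run before the stock FilterSecurityInterceptor.
            .addFilterBefore(customFilterSecurityInterceptor, FilterSecurityInterceptor.class)
            // Every request that reaches this chain requires an authenticated user.
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // CSRF stays enabled; the matcher decides which requests are checked.
            .csrf()
                .requireCsrfProtectionMatcher(csrfSecurityRequestMatcher())
                .csrfTokenRepository(csrfTokenRepository())
            .and()
            // Mirror the token into a cookie once CsrfFilter has put it on the request.
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
            .logout()
                .logoutUrl("/logout").permitAll()
                .logoutSuccessUrl(settings.getLogoutsuccssurl())
            .and()
            .exceptionHandling().accessDeniedPage(settings.getDeniedpage());
    }

    /**
     * Registers the custom privilege evaluator and excludes static resources from security.
     *
     * @param web the builder to configure
     * @throws Exception if the underlying configurers fail
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        //web.securityInterceptor(customFilterSecurityInterceptor);
        // This is the registration that makes sec:authorize-url use the custom evaluator.
        web.privilegeEvaluator(webInvocationPrivilegeEvaluator);
        // Ignored paths bypass the Spring Security filter chain entirely (no authentication,
        // no CSRF check, no security headers), so only static, non-sensitive content belongs here.
        web.ignoring().antMatchers("/assets/**", "/styles/**", "/images/**");
    }

    /**
     * Creates the request matcher that selects which requests require a CSRF token.
     *
     * @return a matcher configured with an empty exclusion list
     */
    private CsrfSecurityRequestMatcher csrfSecurityRequestMatcher() {
        CsrfSecurityRequestMatcher csrfSecurityRequestMatcher = new CsrfSecurityRequestMatcher();
        List<String> list = new ArrayList<String>();
        // No URL is excluded here, so nothing is exempted from interception through this list.
        // NOTE(review): the matcher's own rules (e.g. which HTTP methods it checks) are defined
        // in CsrfSecurityRequestMatcher, which is not shown. Confirm there.
        //list.add("/assets/");
        //list.add("/styles/");
        //list.add("/");
        csrfSecurityRequestMatcher.setExecludeUrls(list);
        return csrfSecurityRequestMatcher;
    }

    /**
     * Creates a filter that copies the current CSRF token into an {@code XSRF-TOKEN} cookie.
     *
     * <p>HttpOnly is not set: in this pattern client-side script reads the cookie and sends
     * the value back in the {@code X-XSRF-TOKEN} header configured in
     * {@link #csrfTokenRepository()}. The token kept in the HTTP session remains the value the
     * server compares against.
     *
     * @return the cookie-writing filter
     */
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                    FilterChain filterChain) throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    Cookie cookie = new Cookie("XSRF-TOKEN", csrf.getToken());
                    cookie.setPath("/");
                    // Mark the cookie Secure when the request arrived over HTTPS, so the token
                    // is never sent back over plain HTTP. Behind a TLS-terminating proxy,
                    // isSecure() is only accurate if forwarded headers are handled.
                    cookie.setSecure(request.isSecure());
                    response.addCookie(cookie);
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    /**
     * Creates the session-backed CSRF token repository, which expects the token in the
     * {@code X-XSRF-TOKEN} request header.
     *
     * @return the configured repository
     */
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }
}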