spring实战-Spring-security权限认证白名单

第九篇：spring实战-Spring-security权限认证白名单

当我们为程序设置权限认证时，主要是希望能够保护需要保护的功能，并不是说所有的功能都需要被保护起来，比如说系统主页，帮助中心等等

此时我们可以通过白名单的方式，让某些功能对未登录用户公开，Spring-security提供了对固定路径，或者模糊匹配路径的保护

1，在SecurityConfig中重载configure函数

package com.halfworlders.idat.config;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.core.io.ClassPathResource;import org.springframework.core.io.Resource;import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;import org.springframework.security.config.annotation.web.builders.HttpSecurity;import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl;import com.halfworlders.idat.security.IdatUserDetailsService;import com.halfworlders.idat.security.SecurityWhitelistHandler;import com.halfworlders.idat.service.Userservice;@Configuration@EnableWebSecuritypublic class SecurityConfig extends WebSecurityConfigurerAdapter {@Autowiredprivate Userservice userservice;@Autowiredprivate SecurityWhitelistHandler whitelistHandler;@Beanpublic static Resource securityWhitelistResource() {return new ClassPathResource("/security_whitelist.properties");}@Overrideprotected void configure(HttpSecurity http) throws Exception {// 通过requiresChannel()来设置请求是否需要安全通道// 如果request后面使用requiresSecure()，spring// security回视为请求需要安全通道，并自动把请求重定向到https上// 如果request后面使用requiresInsecure()，spring security回视为请求不需要安全http通道// http.requiresChannel().anyRequest().requiresSecure();whitelistHandler.handle(http).authorizeRequests().anyRequest().authenticated()  .and().formLogin();}@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {/* * 最好的是基于UserDetailService的接口方式，这样spring-security并不知道系统通过什么样的方式来实现用户数据验证 * 开发人员可以在接口内以任意方式实现，增加了系统的灵活性 */auth.userDetailsService(new IdatUserDetailsService(userservice));}}

用来定义如何保护路径的配置方法有：

2，构建白名单操作类

package com.halfworlders.idat.security;import java.util.Collection;import java.util.Properties;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.core.io.Resource;import org.springframework.core.io.support.PropertiesLoaderUtils;import org.springframework.security.config.annotation.web.builders.HttpSecurity;import org.springframework.stereotype.Component;@Componentpublic class SecurityWhitelistHandler {@Autowiredprivate Resource securityWhitelistResource;public HttpSecurity handle(HttpSecurity http) throws Exception {Properties props = PropertiesLoaderUtils.loadProperties(securityWhitelistResource);Collection<Object> values = props.values();String[] liString = new String[values.size()];values.toArray(liString);return http.authorizeRequests().regexMatchers(liString).permitAll().and();}}

3，白名单配置文件security_whitelist.properties

home=/homelogin=/home/login*regist=/home/regist*help=/help

此时，就可以保证/home，/home/login*，/home/regis*，/help页面不需要登录，就可以访问