Security 退出登、权限控制

文章目录

Security 退出登、权限控制
底部

退出登陆

//@Configuration
public class LogoutSecurityConfig implements WebSecurityConfigurerAdapter {

    //TODO 重点and之前
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic()
                .and()
                .logout()
                .logoutUrl("/logout") //退出处理的 url
                .logoutSuccessUrl("/logout/page") //退出成功后，发起的请求，或跳转的页面
                //.logoutSuccessHandler(MyLogOutSuccessHandler) //也可以指定退出成功 处理器自定义退出成功逻辑
                .deleteCookies("deleteCookie") //感觉这步是不是不用写在这

                //TODO能拼接其他的
                .and();
    }
    /*
    默认的退出登陆URL 为 /logout 退出登陆后 spring Security 会有一下处理
    1. 当前sesion 失效
    2. 清楚与当前用户关联的RememberMe 记录
    3. 清空当前 SecurityContext
    4. 重定向到登陆页
     */
}

自定义退出成功处理器需要实现 LogoutSuccessHandler接口

替换.logoutSuccessUrl("/logout/page")

//注入到配置类
@Autowired
private MyLogOutSuccessHandler logOutSuccessHandler;

@Component
public class MyLogOutSuccessHandler implements LogoutSuccessHandler {

    @Override
    public void onLogoutSuccess(HttpServletRequest request,
                                HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        response.setContentType("application/json;charset=utf-8");
        response.getWriter().write("退出成功，请重新登录");
    }
}

权限控制

开启注解

xml 开启

顺序

@Secured
@RolesAllowed
SqEL : @PreAuthoreize 、 @PostAuthorize 、@PreFilter 、 @PostFilter

<global-method-security secured-annotations="enabled"/> 
<global-method-security jsr250-annotations="enabled"/>
<global-method-security pre-post-annotations="enabled"/>

注解开启方式

配置类中 @EnableGlobalMethodSecurity(prePostEnabled = true)

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {}

注解说明

@Secured

//需要拥有权限 role_admin 才能访问方法 
//权限是一个 String[]，只需要满足其中一个 就可以访问
@Secured("role_admin","..")
public void T(){}

@RolesAllowed

和@Secyred功能一样，只是缺少元注解@Inherited

SqEL

@PreAuthorize访问方法前对权限验证
@PreFilter 访问方法前对参数验证
@PostAuthorize 访问方法后验证权限
@PostFilter 方法返回参数验证

//user用户文字小于100。或 是vip
@PreAuthorize("hasRole()'role_user') and form.note.length()<= 100  or hasRole('role_vip')")
public void T(){}

//用户名 lf 才能访问
@PreAuthorize("#user.name.equals('lf')")
public void T(User user){}

//需要admin权限
@PreAuthorize("hasAuthorize('admin')")
public void T(){}

和@PreFilter中有一个filterObject表示集合中方的对象。

//只返回 偶数id 的结果
@PostFilter("filterObject.id%2==0")
public List<User> seleteAll(){}

多个对象时使用filterTarget来指定

//指定访问方法的参数
@PreFilter(filterTarget="ids",value="filterObjcet%2==0")
public void delete(List<User> ids,List<role> role){}

自定义权限不足处理器

实现AccessDeniedHandler接口

@Component
public class MyAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest request,
                       HttpServletResponse response,
                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
        response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
        response.setContentType("application/json;charset=utf-8");
        response.getWriter().write("很抱歉，您没有该访问权限");
    }
}

配置类设置

    @Autowired
    private MyAccessDeniedHandler accessDeniedHandler;


....
 http.exceptionHandling()
     .accessDeniedHandler(accessDeniedHandler);