Shulou(Shulou.com)06/02 Report--

This article shows you what the four access control methods in Spring Security are, which are concise and easy to understand, which can definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

Spring Security has provided a lot of access control by default, but a good framework must have good extensibility. Coincidentally, the scalability of Spring Security is very good. We can not only use the way provided by Spring Security to do authorization, but also customize the authorization logic. In a word, you can play whatever you want!

Today, I will introduce to you four common access control methods in Spring Security.

Expressions control URL path permissions

Expression controls method permissions

Use filtering comments

Dynamic permission

There are four ways, let's look at them separately.

1. Expressions control URL path permissions

First of all, let's look at the first one, which is to control URL path permissions through expressions. Brother Song actually talked to you in the previous article, so let's review it a little bit here.

Spring Security supports the use of SpEL expressions in URL and method permission control. If the expression returns a value of true, the corresponding permissions are required, otherwise the corresponding permissions are not required. The class that provides the expression is SecurityExpressionRoot:

As you can see, SecurityExpressionRoot has two implementation classes, which represent the extensions made to SpEL when dealing with URL permission control and response method permission control, such as adding the hasIpAddress option when doing permission control based on URL path.

Let's take a look at the most basic SpEL defined in the SecurityExpressionRoot class:

As you can see, these are the corresponding expressions of this class. Let me explain these expressions a little bit:

This is the most basic, in its inheritance class, there are some extensions, I will not repeat this.

If the permission is controlled through URL, then we only need to configure it as follows:

Protected void configure (HttpSecurity http) throws Exception {http.authorizeRequests () .antMatrices ("/ admin/**"). HasRole ("admin") .antMatrices ("/ user/**"). HasAnyRole ("admin", "user") .anyRequest (). Authenticated () .and ().}

This means that the admin role is required to access the path in / admin/** format, and the admin or user role is required to access the path in / user/** format.

two。 Expression controls method permissions

Of course, we can also control permissions by adding comments to the method.

To add annotation control permissions to the method, you need to enable the use of annotations first and add the following to the Spring Security configuration class:

@ Configuration @ EnableGlobalMethodSecurity (prePostEnabled = true,securedEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter {...}

This configuration enables three annotations, which are:

@ PreAuthorize: check permissions before method execution

@ PostAuthorize: permission check after method execution

@ Secured: similar to @ PreAuthorize

After the combination of these three SpEL, the use is very flexible, here to share a few Demo.

@ Service public class HelloService {@ PreAuthorize ("principal.username.equals ('javaboy')") public String hello () {return "hello";} @ PreAuthorize ("hasRole (' admin')") public String admin () {return "admin";} @ Secured ({"ROLE_user"}) public String user () {return "user" } @ PreAuthorize ("# age > 98") public String getAge (Integer age) {return String.valueOf (age);}}

Hongmeng official Strategic Cooperation to build HarmonyOS Technology Community

The first hello method, the constraint of the annotation is that only users with the currently logged-in user name javaboy can access the method.

The second admin method indicates that the user accessing the method must have the admin role.

The third user method represents the method that the user of this method must have the user role, but note that the user role needs to be prefixed with ROLE_.

The fourth getAge method indicates that the age parameter to access the method must be greater than 98, otherwise the request will not be passed.

As you can see, the expressions here are still very rich, and if you want to refer to the parameters of the method, you can add a # in front of it, which can refer to both basic type parameters and object parameters.

The default object, in addition to principal, also has authentication (see section 1).

3. Use filtering comments

There are also two filter functions in Spring Security, @ PreFilter and @ PostFilter, which automatically remove elements from the collection based on the given conditions.

@ PostFilter ("filterObject.lastIndexOf ('2')! =-1") public List getAllUser () {List users = new ArrayList (); for (int I = 0; I < 10; iTunes +) {users.add ("javaboy:" + I);} return users;} @ PreFilter (filterTarget = "ages", value = "filterObject%2==0") public void getAllAge (List ages,List users) {System.out.println ("ages =" + ages) System.out.println ("users =" + users);}

In the getAllUser method, the collection is filtered and only elements with the suffix 2 are returned, and filterObject represents the element object to be filtered.

In the getAllAge method, because there are two collections, filterTarget is used to specify the filter object.

What are the four access control methods in Spring Security? have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.