1. 首頁
  2. 問答
  3. 春季安全用戶角色和訪問jsp

春季安全用戶角色和訪問jsp

2013-11-29 125 views
0

我是彈簧安全新手。我有兩個用戶角色,例如Admin和Common Users。我想訪問管理員用戶只能訪問一些jsp,但問題是一旦用戶註銷,他/她仍然可以訪問我在Spring安全配置中限制的jsp頁面。春季安全用戶角色和訪問jsp

讓我知道我在這裏做的是正確與否?

謝謝

spring_security.xml 
<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans.xsd 
    http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security.xsd"> 

    <http auto-config="true"> 
     <intercept-url pattern="/admin/**" access="ROLE_ADMIN" /> 
     <intercept-url pattern="/user/**" access="ROLE_USER" /> 

     <form-login login-page="/login" default-target-url="/welcome" 
      authentication-failure-url="/loginfailed" /> 
     <logout logout-success-url="/logout" /> 
    </http> 


    <beans:bean id="customUserDetailsService" 
     class="com.nikunj.javabrains.services.CustomUserDetailsService"></beans:bean> 

    <authentication-manager> 
     <authentication-provider user-service-ref="customUserDetailsService"> 
     </authentication-provider> 
    </authentication-manager>

// ------------------------------ 控制器

package com.nikunj.javabrains.controller; 

import java.security.Principal; 

import javax.servlet.http.HttpServletRequest; 

import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.security.access.annotation.Secured; 
import org.springframework.stereotype.Controller; 
import org.springframework.ui.ModelMap; 
import org.springframework.validation.BindingResult; 
import org.springframework.web.bind.annotation.ModelAttribute; 
import org.springframework.web.bind.annotation.RequestMapping; 
import org.springframework.web.bind.annotation.RequestMethod; 

import com.nikunj.javabrains.domain.User; 
import com.nikunj.javabrains.services.UserService; 

@Controller 
public class UserController { 

    @Autowired 
    private UserService userService; 

    @RequestMapping(value = "/welcome", method = RequestMethod.GET) 
    public String printWelcome(ModelMap model, Principal principal, 
      HttpServletRequest request) { 

     String name = principal.getName(); // get logged in username 
     model.addAttribute("username", name); 
     model.addAttribute("message", 
       "Spring Security login + database example"); 

     if (request.isUserInRole("ROLE_ADMIN")) { 
      return "admin_page"; 
     } 
     return "common_page"; 

    } 

    @RequestMapping(value = "/login", method = RequestMethod.GET) 
    public String login(ModelMap model) { 

     return "login"; 

    } 

    @RequestMapping(value = "/loginfailed", method = RequestMethod.GET) 
    public String loginerror(ModelMap model) { 

     model.addAttribute("error", "true"); 
     return "login"; 

    } 

    @RequestMapping(value = "/logout", method = RequestMethod.GET) 
    public String logout(ModelMap model) { 

     return "login"; 

    } 

    @RequestMapping("/regiPage") 
    public String regiPage(@ModelAttribute("user") User user, 
      BindingResult result) { 

     return "registration"; 
    } 

    @RequestMapping(value = "/saveUser", method = RequestMethod.POST) 
    public String saveUserData(@ModelAttribute("user") User user, 
      BindingResult result) { 

     userService.addUser(user); 
     return "login"; 

    } 

} 



    </beans:beans>

// ------------------------

CustomServiceClass

import com.nikunj.javabrains.dao.UserDao; 
import java.util.ArrayList; 
import java.util.Collection; 
import java.util.List; 

import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.security.core.GrantedAuthority; 
import org.springframework.security.core.authority.SimpleGrantedAuthority; 
import org.springframework.security.core.userdetails.User; 
import org.springframework.security.core.userdetails.UserDetails; 
import org.springframework.security.core.userdetails.UserDetailsService; 
import org.springframework.security.core.userdetails.UsernameNotFoundException; 
import org.springframework.stereotype.Service; 
import org.springframework.transaction.annotation.Transactional; 

@Service 
@Transactional(readOnly=true) 
public class CustomUserDetailsService implements UserDetailsService { 

    @Autowired 
    private UserDao userDAO;  

    public UserDetails loadUserByUsername(String username) 
      throws UsernameNotFoundException { 

     com.nikunj.javabrains.domain.User domainUser = userDAO.getUser(username); 

     boolean enabled = true; 
     boolean accountNonExpired = true; 
     boolean credentialsNonExpired = true; 
     boolean accountNonLocked = true; 

     System.out.println("*************************************"); 
     System.out.println(domainUser.getId()); 

     return new User(
       domainUser.getUsername(), 
       domainUser.getPassword(), 
       enabled, 
       accountNonExpired, 
       credentialsNonExpired, 
       accountNonLocked, 
       getAuthorities(domainUser.getId()) 


     ); 



    } 

    public Collection<? extends GrantedAuthority> getAuthorities(Integer role) { 
     List<GrantedAuthority> authList = getGrantedAuthorities(getRoles(role)); 
     return authList; 
    } 

    public List<String> getRoles(Integer role) { 

     List<String> roles = new ArrayList<String>(); 

     if (role.intValue() == 1) { 
      roles.add("ROLE_ADMIN"); 
     } else { 
      roles.add("ROLE_USER"); 
     } 
     return roles; 
    } 

    public static List<GrantedAuthority> getGrantedAuthorities(List<String> roles) { 
     List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); 

     for (String role : roles) { 
      authorities.add(new SimpleGrantedAuthority(role)); 
     } 
     return authorities; 
    } 

}

// ---------------------------

@Controller 
public class AdminController { 

    @Autowired 
    private UserService userService; 

    @RequestMapping(value = "/admininput", method = RequestMethod.GET) 
    public String login(ModelMap model) { 
     System.out.println("*************************"); 
     return "admininputpage"; 
    } 

}

來源

2013-11-29 Nik

+0

您如何測試?最初(甚至在登錄之前)用戶必須登錄?當用戶點擊/選擇註銷時,您要調用哪個URL? –

+0

我使用" > Logout url來註銷和登錄。 – Nik

+0

你如何測試用戶仍然可以訪問頁面? –

回答

1

好了,按你最後的評論,網址/admininput是被所有人訪問。

這是我期望的行爲,因爲沒有爲此URL模式定義安全規則。

在您的安全配置可以定義下列規則:

<intercept-url pattern="/admin/**" access="ROLE_ADMIN" /> 
<intercept-url pattern="/user/**" access="ROLE_USER" />

這個配置需要與URL模式/管理所有資源/ **要與角色ROLE_ADMIN與URL模式的所有資源記錄在/用戶/ **以角色ROLE_USER登錄。所有其他URL模式將是permitAll。

如果您想要限制該URL,您需要更改URL模式或添加截取規則。例如。

變化URL從/ admininput到/admin/input/admin/admininput

備選地,添加顯式截距規則(或另一圖案基於規則)以覆蓋該URL:

<intercept-url pattern="/admininput" access="ROLE_ADMIN" />

(儘管不是一個好想法爲每個URL都有明確的攔截規則!所以如果可能的話,更改URL可能會更好,因爲您已經定義了這個約定)

來源

2013-12-03 17:17:04 rhinds

+0

謝謝先生:-) – Nik

+0

或'pattern =「/ admin *」'? – FaithReaper

1

您可以在url中使用唯一的會話ID .if銷燬會話a退出登錄或通過複製網址,URL不能在沒有登錄URL的情況下訪問。

來源

2014-01-30 17:27:52

相關問題

 相關問題