檢查URL是通過身份驗證的用戶

Question

訪問我設置一個spring-boot-1.5.3應用與spring-security-4.2.2和基於當局配置限制的路徑。這些限制類似於此：

@Configuration 
@EnableWebSecurity 
@EnableGlobalMethodSecurity(securedEnabled = true) 
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http 
      .authorizeRequests() 
       .antMatchers("/accounts/**", "/roles/**") 
        .hasAuthority(ADMINISTRATOR) 
        .and() 
       .antMatchers("/**") 
        .hasAuthority(USER) 
        .and() 
      .formLogin() 
       .loginPage("/login") 
       .permitAll() 
       .and() 
      .logout() 
       .permitAll() 
       .and() 
      .csrf() 
       .disable(); 
    } 
} 

總之 - 我希望用戶有權力USER到能夠訪問我的整個Web應用程序，除了/accounts/**和/roles/**路徑。此配置工作正常，如果我嘗試訪問這些頁面而沒有相應的權限，則會收到預期的錯誤（403）。

對於具有USER權限的用戶，我想隱藏一些URL，以便它們不發出這些請求並獲得403錯誤。 我如何檢查是否允許用戶訪問的URL？

到目前爲止，我已經嘗試注入WebInvocationPrivilegeEvaluator並調用它的isAllowed方法，雖然這似乎並不奏效。例如：

// Helper class that returns authentication instance. 
Authentication auth = AuthUtils.getAuthentication(); 

// Don't have permission to access /users, expect to get false result. 
boolean res = webInvocationPrivilegeEvaluator.isAllowed("/users", auth); 

assert res == false; // fails 

Answer 1

我已經想出了一個通過訪問彈簧安全性的內部過濾器（看起來真的很危險，雖然它工作）的這個問題的解決方案。

首先我創建了一個輔助類來檢查，如果網址可以訪問：

public final class UrlAuthorization { 
    private static final Logger LOG = LoggerFactory.getLogger(UrlAuthorization.class); 

    private final FilterInvocationSecurityMetadataSource securityMetadataSource; 
    private final AccessDecisionManager accessDecisionManager; 

    public UrlAuthorization(FilterInvocationSecurityMetadataSource securityMetadataSource, 
          AccessDecisionManager accessDecisionManager) { 

     this.securityMetadataSource = securityMetadataSource; 
     this.accessDecisionManager = accessDecisionManager; 
    } 

    public boolean isAccessible(String url) { 
     Authentication authentication = AuthUtils.getAuthentication(); 

     FilterInvocation invocation = new FilterInvocation(null, url, HttpMethod.GET.name()); 
     Collection<ConfigAttribute> attributes = securityMetadataSource 
       .getAttributes(invocation); 

     try { 
      this.accessDecisionManager.decide(authentication, invocation, attributes); 

     } catch (AccessDeniedException e) { 
      LOG.trace("Not allowed to access URL: {}", url, e); 
      return false; 
     } 
     return true; 
    } 
} 

然後我說配置該類創建一個Bean：

@Configuration 
public class UrlAuthorizationConfiguration { 

    @Bean 
    public UrlAuthorization urlAuthorization(List<Filter> filters) { 
     FilterSecurityInterceptor interceptor = getInterceptor(filters) 
       .orElseThrow(() -> new BeanCreationException("Could not get security interceptor")); 

     return new UrlAuthorization(
       interceptor.getSecurityMetadataSource(), 
       interceptor.getAccessDecisionManager() 
     ); 
    } 

    private Optional<FilterSecurityInterceptor> getInterceptor(List<Filter> filters) { 
     for (Filter filter : filters) { 
      if (filter instanceof FilterChainProxy) { 
       for (SecurityFilterChain chain : ((FilterChainProxy) filter).getFilterChains()) { 
        for (Filter securityFilter : chain.getFilters()) { 
         if (securityFilter instanceof FilterSecurityInterceptor) { 
          return Optional.of(((FilterSecurityInterceptor) securityFilter)); 
         } 
        } 
       } 
      } 
     } 
     return Optional.empty(); 
    } 
} 

最後，我可以用它像這樣：

assert urlAuthorization.isAccessible("/accounts") == false; 
assert urlAuthorization.isAccessible("/") == true; 

Answer 2

而是使用方法來檢查用戶是否有權限。

SecurityContextHolderAwareRequestWrapper.isUserInRole(String role)