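spring - Spring Security: get the method and URL from a table and validate authorizeRequests dynamically
Problem description
I have this to validate the method, resource and role, but I can't believe this part has to be set in code. Is there a way to look it up from a table?
For example
    table: user_access
    fields: url, path
    method="HttpMethod.GET"
    path="/api/clientes/page/**"
I have this code: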
    import java.util.Arrays;

    import org.springframework.boot.web.servlet.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.Ordered;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.CorsConfigurationSource;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
    import org.springframework.web.filter.CorsFilter;

    @Configuration
    @EnableResourceServer
    public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

        // implement the security rules for the endpoints
        // on the OAuth side
        @Override
        public void configure(HttpSecurity http) throws Exception {
            // rules go from the most specific to the most generic
            // I don't like this part and I am trying to create it dynamically
            http.authorizeRequests()
                .antMatchers(HttpMethod.GET, "/api/clientes", "/api/clientes/page/*", "/api/clientes/img/*", "/images/**").permitAll()
                .antMatchers(HttpMethod.GET, "/api/clientes/form/").hasAnyRole("ADMIN", "SUPER_ADMIN")
                .antMatchers(HttpMethod.POST, "/api/clientes/uploads").hasAnyRole("ADMIN", "SUPER_ADMIN")
                .antMatchers(HttpMethod.POST, "/api/clientes").hasAnyRole("ADMIN", "SUPER_ADMIN")
                .antMatchers(HttpMethod.DELETE, "/api/clientes/{id}").hasRole("SUPER_ADMIN")
                .antMatchers(HttpMethod.GET, "/api/clientes/{id}").hasRole("SUPER_ADMIN")
                .anyRequest().authenticated()
                .and().cors().configurationSource(cousConfigurationSource()); // this fixes the CORS error for the Angular page
        }

        // important: do not import from cors.reactive
        @Bean
        public CorsConfigurationSource cousConfigurationSource() {
            CorsConfiguration config = new CorsConfiguration();
            config.setAllowedOrigins(Arrays.asList("http://localhost:4200"));
            config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS")); // could use * for everything
            config.setAllowCredentials(true);
            config.setAllowedHeaders(Arrays.asList("Content-Type", "Authorization"));
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.registerCorsConfiguration("/**", config);
            return source;
        }

        // filter: choose the Spring Framework CorsFilter (org.springframework.web.filter)
        @Bean
        public FilterRegistrationBean<CorsFilter> corsFilter() {
            FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<CorsFilter>(new CorsFilter(cousConfigurationSource()));
            bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
            return bean;
        }
    }
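Any ideas for making it more dynamic?
Solution
Hope the following helps,
You can do it this way, but it will work at application startup: you can create a table to hold all the required configuration, and when the application starts running you can write code that reads all the configured values and uses them to configure HttpSecurity.
Example: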
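    import java.util.List;
    import javax.persistence.ElementCollection;
    import javax.persistence.Entity;
    import javax.persistence.FetchType;
    import javax.persistence.Id;
    import org.springframework.data.repository.CrudRepository;

    @Entity
    public class UserAccessEntity {
        @Id
        private String url;
        private String methodName;
        // JPA needs @ElementCollection for a list of basic values; EAGER so the roles can be read at startup
        @ElementCollection(fetch = FetchType.EAGER)
        private List<String> userRoles;
        private boolean isPattern;
        // setters and getters: getUrl(), getMethodName(), getUserRoles(), ...
    }

    public interface UserAccessRepository extends CrudRepository<UserAccessEntity, String> {}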
Then configure it after fetching the records from the database, as shown below:
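    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

    @Configuration
    @EnableResourceServer
    public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
        private final UserAccessRepository repository;

        public ResourceServerConfig(UserAccessRepository repository) {
            this.repository = repository;
        }

        // Configure this as you need.
        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Plain loop: authorizeRequests() throws a checked exception, so it cannot sit inside a forEach lambda
            for (UserAccessEntity userAccess : repository.findAll()) {
                http.authorizeRequests()
                    // Pass an HttpMethod: two String arguments would both be treated as URL patterns
                    .antMatchers(HttpMethod.valueOf(userAccess.getMethodName()), userAccess.getUrl())
                    // hasAnyRole takes String varargs, so convert the list to an array
                    .hasAnyRole(userAccess.getUserRoles().toArray(new String[0]));
            }
        }
    }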
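The only limitation is that you can pre-configure all the access before the application starts, and if you need to reflect any change to the user access records, you have to restart the server.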
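The answer's startup loader with the checks a table-driven rule set needs, as an added example that is not part of the original answer. It assumes the answer's UserAccessRepository and UserAccessEntity with getters getUrl(), getMethodName() and getUserRoles(), a method column holding the bare verb (GET, not HttpMethod.GET), and a hypothetical integer priority column exposed as getPriority(); it is meant to replace the answer's ResourceServerConfig, not to run beside it.

```java
import java.util.Comparator;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Added example: fail-closed loading of user_access rows at startup.
@Configuration
@EnableResourceServer
public class TableDrivenResourceServerConfig extends ResourceServerConfigurerAdapter {
    private final UserAccessRepository repository; // repository type from the answer

    public TableDrivenResourceServerConfig(UserAccessRepository repository) {
        this.repository = repository;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Matchers are checked in registration order and the first match wins,
        // so sort explicitly instead of relying on the order findAll() returns.
        List<UserAccessEntity> rules = StreamSupport
                .stream(repository.findAll().spliterator(), false)
                .sorted(Comparator.comparingInt(UserAccessEntity::getPriority)) // hypothetical column
                .collect(Collectors.toList());

        for (UserAccessEntity rule : rules) {
            HttpMethod method = HttpMethod.resolve(rule.getMethodName()); // null when the verb is unknown
            List<String> roles = rule.getUserRoles();
            boolean badUrl = rule.getUrl() == null || !rule.getUrl().startsWith("/");
            if (method == null || badUrl || roles == null || roles.isEmpty()) {
                // Refuse to start: skipping the row would leave its URL covered only by the fallback below.
                throw new IllegalStateException("Invalid user_access row for url: " + rule.getUrl());
            }
            http.authorizeRequests()
                    .antMatchers(method, rule.getUrl())
                    .hasAnyRole(roles.toArray(new String[0]));
        }
        // Anything the table does not mention still requires an authenticated caller.
        http.authorizeRequests().anyRequest().authenticated();
    }
}
```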