I am a beginner with the Spring MVC framework, and I am building an application in which I have a role, and that role has different permissions on different screens. For example: on the Dashboard the user has two permissions (read and write), and on the second screen page the user has (read, write and create) permissions. So I just want to know how I can keep these permissions together with the session, so that on each screen I can fetch the permissions for that screen type when I check them, or whether there is some other way of doing this more efficiently.
This is my user validation code at login time:
public String validate(String userName, String password, HttpServletResponse response, HttpServletRequest request,
        Model model) {
    logger.debug("Starting of the method validate");
    System.out.println("validate");
    Session session = null;
    try {
        AppConfig aapConfig = new AppConfig();
        List<UsersTable> userList = aapConfig.findAll(UsersTable.class);
        System.out.println("############userList length is " + userList.size());
        if (!userList.isEmpty()) {
            System.out.println("*****************UserList is not empty");
            // index users by name; null usernames are skipped and duplicates keep the first entry
            Map<String, UsersTable> userMap = userList.stream().filter(e -> e.getUsername() != null)
                    .collect(Collectors.toMap(e -> e.getUsername(), e -> e, (x, y) -> x));
            if (userMap.containsKey(userName)) {
                UsersTable user = userMap.get(userName);
                // The stored password is decrypted with a hard-coded key and compared in plain text.
                // A one-way hash (e.g. BCrypt) verified through a PasswordEncoder is the safer design.
                if (StringUtils.equals(EncryptDecryptPassword.decrypt(user.getUserpassword(), "AirtelSiva"),
                        password)) {
                    String userFullName = user.getUserfirstname();
                    String circleId = user.getUsercircle();
                    System.out.println("&&&&&&&&&& Circle ID is " + circleId);
                    HttpSession httpSession = request.getSession();
                    String id = httpSession.getId();
                    System.out.println(id);
                    httpSession.setAttribute("userFullName", userFullName);
                    httpSession.setAttribute("userName", userName);
                    httpSession.setAttribute("circleId", circleId);
                    // saving the userName with the unique session Id
                    UserSession userSession = new UserSession();
                    userSession.setUserName(userName);
                    userSession.setSessionId(id);
                    return "";
                }
            }
        }
    } catch (Exception e) {
        logger.error("validate failed", e);
    }
    return null; // the posted snippet ends above; the failure path is not shown in the question
}
With spring-security you can provide this authorization with very little effort. Add the required dependency to the POM and configure authentication. Remember that when you add the spring-security dependency its version must be compatible with the Spring version you are using. You can then provide authentication and authorization along these lines:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;

@Configuration
@EnableWebSecurity
// WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 and removed in 6.x;
// on those versions the same rules are expressed as a SecurityFilterChain bean.
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure( AuthenticationManagerBuilder auth ) throws Exception
    {
        // Using in-memory authentication. withDefaultPasswordEncoder() is meant for
        // demos and tests only: the passwords sit in source code in the clear.
        User.UserBuilder users = User.withDefaultPasswordEncoder();
        auth.inMemoryAuthentication()
            .withUser( users.username( "john" ).password( "john1234" ).roles( "READ", "WRITE" ) )
            .withUser( users.username( "doe" ).password( "doe1234" ).roles( "READ", "WRITE", "CREATE" ) );
    }

    /**
     * This allows adding a custom login form and HTTP URL security.
     *
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure( HttpSecurity http ) throws Exception
    {
        http.authorizeRequests()
            .antMatchers( "/" ).permitAll()
            // hasAnyRole grants access if the user holds ANY of the listed roles
            .antMatchers( "/dashboard" ).hasAnyRole( "READ", "WRITE" )
            .antMatchers( "/anotherPage" ).hasAnyRole( "READ", "WRITE", "CREATE" )
            .anyRequest()
            .authenticated()
            .and()
            .formLogin() // Add form login
            .loginPage( "/showMyLoginPage" ) // Pointing to a custom login form. This line is optional: Spring provides a login page by default
            .loginProcessingUrl( "/authenticateTheUser" ) // No coding needed. Just provide some endpoint. You need not implement it; Spring takes care of it.
            .permitAll();
        // Other necessary settings such as CSRF (enabled by default) or cookie policy go here
    }
}
Please find the tutorial from the official Spring documentation here.
Once you have authorization in place with Spring-security, you can ask your template engine (if it supports it) to show or hide certain parts of a page depending on the logged-in user's roles. For example, here is how to hide a link in a JSP based on the user's role by adding security tag support with <%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>.
Here, only users with the role ADMIN can see this link.
<security:authorize access="hasRole('ADMIN')">
    <hr>
    <p><a href="${pageContext.request.contextPath}/admin">Link to admin page</a> ( Only admin can see this )</p>
    <hr>
</security:authorize>
This link contains all the details you need to get started with spring-security.
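The question's login code keeps the user's name in HttpSession attributes and compares a password decrypted with a hard-coded key, while the answer above shows in-memory users whose roles only gate whole pages. The following is an added example, not code from the question, the answer or any Spring project: it loads users from the same UsersTable lookup the question uses, verifies a one-way BCrypt hash instead of decrypting a stored password, and expresses the per-screen permissions (read, write, create) as authorities checked per HTTP method, so no permission data has to be stored in the session by hand. It goes beyond the answer by separating read from write on a single screen. The `getPermissions()` accessor on UsersTable, the authority names such as `DASHBOARD_READ`, and the URL paths are assumptions made for the example.

```java
// Added example (not from the original question or answer).
// Assumptions (hypothetical): UsersTable has getUsername(), getUserpassword()
// (holding a BCrypt hash) and getPermissions() returning strings such as
// "DASHBOARD_READ"; AppConfig.findAll(Class) is the lookup from the question.
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class ScreenPermissionSecurityConfig extends WebSecurityConfigurerAdapter {

    // One-way hash: the stored value can be verified but never decrypted,
    // so there is no key (like "AirtelSiva") to protect or leak.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Looks the user up by name and turns its permission strings into
    // authorities. No ROLE_ prefix is added, so the URL rules below use
    // hasAuthority(...) rather than hasRole(...).
    @Bean
    public UserDetailsService userDetailsService() {
        return username -> {
            AppConfig appConfig = new AppConfig();
            List<UsersTable> users = appConfig.findAll(UsersTable.class);
            UsersTable user = users.stream()
                    .filter(u -> username.equals(u.getUsername())) // null-safe on getUsername()
                    .findFirst()
                    .orElseThrow(() -> new UsernameNotFoundException("No such user"));
            List<String> permissions = user.getPermissions(); // hypothetical accessor
            return User.withUsername(user.getUsername())
                    .password(user.getUserpassword()) // BCrypt hash produced by passwordEncoder().encode(...)
                    .authorities(permissions.toArray(new String[0]))
                    .build();
        };
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/showMyLoginPage").permitAll()
                // Viewing a screen and changing it are separate permissions,
                // matched on the HTTP method rather than on the path alone.
                .antMatchers(HttpMethod.GET, "/dashboard/**").hasAuthority("DASHBOARD_READ")
                .antMatchers(HttpMethod.POST, "/dashboard/**").hasAuthority("DASHBOARD_WRITE")
                .antMatchers(HttpMethod.GET, "/anotherPage/**").hasAuthority("PAGE2_READ")
                .antMatchers(HttpMethod.POST, "/anotherPage/**").hasAuthority("PAGE2_WRITE")
                .antMatchers(HttpMethod.PUT, "/anotherPage/**").hasAuthority("PAGE2_CREATE")
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/showMyLoginPage")
                .loginProcessingUrl("/authenticateTheUser")
                .permitAll();
        // CSRF protection is left at its default (enabled); do not call http.csrf().disable()
        // for a form-login application.
    }
}
```

With this configuration Spring Security itself stores the authenticated principal and its authorities in the HttpSession, so the manual `httpSession.setAttribute(...)` calls from the question are no longer needed; a controller can read the current user from `SecurityContextHolder.getContext().getAuthentication()`. In the JSP, the same authorities drive the tag shown in the answer, for example `<security:authorize access="hasAuthority('DASHBOARD_WRITE')">` around the edit button. When a user is created, store `passwordEncoder().encode(rawPassword)` in `userpassword`; the existing rows, which hold reversibly encrypted values, have to be re-hashed once before this check will accept them.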