Spring Boot with Spring Security: URL interception problem
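After login, I fetch all the URLs the user is authorized for and compare them against the URL of the current request to decide whether access is permitted. But when the comparison returns ACCESS_ABSTAIN, the request still goes through normally and is not blocked. What is the reason?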
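```
import java.util.Collection;
import javax.servlet.http.HttpServletRequest; // jakarta.servlet on Spring Security 6.x
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// SysUser, SysRole and SysFunction are the application's own domain classes.
public class RoleBasedVoter implements AccessDecisionVoter<Object> {

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        if (authentication == null) {
            return ACCESS_DENIED;
        }
        Object principal = authentication.getPrincipal();
        final HttpServletRequest request = ((FilterInvocation) object).getRequest();
        int result = ACCESS_ABSTAIN;
        if (principal instanceof SysUser) {
            SysUser user = (SysUser) principal;
            // Grant as soon as any URL pattern attached to one of the user's roles matches.
            for (SysRole role : user.getRoles()) {
                for (final SysFunction function : role.getFunctions()) {
                    if (function.getUrl() != null) {
                        if (new AntPathRequestMatcher(function.getUrl()).matches(request)) {
                            return ACCESS_GRANTED;
                        }
                    }
                }
            }
        }
        // No pattern matched: this voter abstains rather than denying.
        return ACCESS_ABSTAIN;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}
```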
1 answer
The subclasses of AbstractAccessDecisionManager implement the decide method; you need to look at how AbstractAccessDecisionManager handles the voters' results.
For example, UnanimousBased.class
```
for (ConfigAttribute attribute : attributes) {
    singleAttributeList.set(0, attribute);
    for (AccessDecisionVoter voter : getDecisionVoters()) {
        int result = voter.vote(authentication, object, singleAttributeList);
        if (logger.isDebugEnabled()) {
            logger.debug("Voter: " + voter + ", returned: " + result);
        }
        switch (result) {
        case AccessDecisionVoter.ACCESS_GRANTED:
            grant++;
            break;
        case AccessDecisionVoter.ACCESS_DENIED:
            throw new AccessDeniedException(messages.getMessage(
                    "AbstractAccessDecisionManager.accessDenied",
                    "Access is denied"));
        default:
            abstain++;
            break;
        }
    }
}
// To get this far, there were no deny votes
if (grant > 0) {
    return;
}
```
Mainly look at how it is handled here....
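How abstain, grant and deny votes combine, as an added example that is not part of the original question or answer and is not Spring Security's source: a plain-Java model of the AffirmativeBased and UnanimousBased tallies for a single config attribute. The second voter that grants the request is an assumption; the question does not show the other voters or which decision manager is configured.

```java
import java.util.List;

// Simplified stand-alone model of how Spring Security's vote-based decision
// managers tally votes. A teaching sketch, not the framework's own code.
public class VoteTallyDemo {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;

    // AffirmativeBased: a single grant wins; otherwise any deny blocks.
    static boolean affirmative(List<Integer> votes, boolean allowIfAllAbstain) {
        boolean denied = false;
        for (int v : votes) {
            if (v == GRANTED) return true;
            if (v == DENIED) denied = true;
        }
        return !denied && allowIfAllAbstain;
    }

    // UnanimousBased (one attribute): any deny blocks; abstains are skipped.
    static boolean unanimous(List<Integer> votes, boolean allowIfAllAbstain) {
        boolean granted = false;
        for (int v : votes) {
            if (v == DENIED) return false;
            if (v == GRANTED) granted = true;
        }
        return granted || allowIfAllAbstain;
    }

    static void show(String label, List<Integer> votes) {
        System.out.printf("%-16s affirmative=%b unanimous=%b%n",
                label, affirmative(votes, false), unanimous(votes, false));
    }

    public static void main(String[] args) {
        // Constructed scenarios. The first vote stands for a URL voter like
        // RoleBasedVoter on a request whose URL matched none of the user's
        // patterns; the second is an assumed other voter that grants.
        show("abstain + grant", List.of(ABSTAIN, GRANTED)); // voter as posted
        show("deny + grant", List.of(DENIED, GRANTED));     // voter changed to deny
        show("abstain only", List.of(ABSTAIN));             // URL voter is the only voter
        // Same single abstain, with allowIfAllAbstainDecisions switched on.
        System.out.printf("%-16s affirmative=%b unanimous=%b%n", "abstain, allow",
                affirmative(List.of(ABSTAIN), true), unanimous(List.of(ABSTAIN), true));
    }
}
```

In this model the unmatched request is blocked in only two situations: the URL voter returns a deny under the unanimous rule, or every voter abstains while allowIfAllAbstainDecisions is false. An abstain next to another voter's grant is let through under both rules.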