Spring Security permission configuration

1. Configure permissions through the WebSecurityConfigurerAdapter configuration class

    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
//      httpSecurity.exceptionHandling().accessDeniedPage("/403");  /* custom page to show when access is denied */
        httpSecurity.authorizeRequests()  /* declare which URLs may be reached and which may not */
                .antMatchers("/test/index", "/user/login").permitAll()  /* these paths can be reached without authentication */
                .antMatchers("/test/hello").hasAnyRole("manager", "monitor")  /* granted if the user holds any of these roles; each role is a separate argument ("manager,monitor" would be a single role name) */
//              .antMatchers("/test/hello").hasRole("manager")  /* granted only to users holding this role */
//              .antMatchers("/test/hello").hasAnyAuthority("admin", "manager")  /* holding any one of these authorities is enough */
//              .antMatchers("/test/hello").hasAuthority("admin")  /* only a user holding the admin authority can reach this path */
                .anyRequest().authenticated();  /* every other request requires an authenticated user */
    }

1), hasAnyRole("manager", "monitor")
Several roles can be listed, each as its own argument; the user needs only one of them to get access.

2), hasRole("manager")
Only a single role can be given; access is decided by whether the current user holds that role.

Note: a role is an authority that carries the ROLE_ prefix, so the authority granted to the user must be written as ROLE_manager; hasRole("manager") adds the prefix itself when matching.

3), hasAnyAuthority("admin","manager")
Several authorities can be listed; holding any one of them grants access to this page.

4), hasAuthority("admin")
Only a single authority can be given; the current user can reach this path only when holding that authority.

2. Configure permissions through annotations

import java.util.ArrayList;
import java.util.List;

import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

/* Users is the post's own entity class (id, username, password); it is not shown here */
@Controller
@RequestMapping("/test")
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)  /* enable the Spring Security method annotations */
public class TestController {

    @Secured({"ROLE_manage", "ROLE_admin"})  /* holding either the manage or the admin role is enough to call this method */
    @RequestMapping("testSecured")
    @ResponseBody
    public String testSecured() {
        System.out.println("testSecured.....");
        return "testSecured ok";
    }

    @RequestMapping("testPreAuthorize")
    @ResponseBody
    @PreAuthorize("hasAnyAuthority('adminaaaa')")  /* evaluated before the call: without the configured authority the method is never invoked */
    public String testPreAuthorize() {
        System.out.println("PreAuthorize......");
        return "PreAuthorize ok";
    }

    @PostAuthorize("hasAnyAuthority('admin2')")  /* evaluated after the method has run; suited to rules that involve the return value */
    @RequestMapping("testPostAuthorize")
    @ResponseBody
    public String testPostAuthorize() {
        System.out.println("PostAuthorize......");
        return "PostAuthorize ok";
    }

    @PreAuthorize("hasAnyAuthority('admin')")
    @PostFilter("filterObject.username == 'zhansan'")  /* once authorized, keep only the result elements that satisfy the condition */
    @ResponseBody
    @RequestMapping("testPostFilter")
    public List<Users> testPostFilter() {
        List<Users> list = new ArrayList<>();
        list.add(new Users(1, "zhansan", "123"));
        list.add(new Users(2, "lisi", "123"));
        System.out.println(list);
        return list;  // response after filtering: [{"id":1,"username":"zhansan","password":"123"}]
    }

    @RequestMapping("testPreFilter")
    @PreAuthorize("hasAnyAuthority('admin')")
    @PreFilter(value = "filterObject.id % 2 == 0")  /* once authorized, keep only the argument elements that satisfy the condition */
    @ResponseBody
    /* @RequestBody was missing in the original; it binds the JSON array in the request to the list */
    public List<Users> testPreFilter(@RequestBody List<Users> list1) {
        List<Users> list2 = new ArrayList<>();
        list2.add(new Users(10, "十", "12345"));
        list1.addAll(list2);
        return list1;
    }

}

1), @Secured({"ROLE_manage","ROLE_admin"})
The role names must carry the ROLE_ prefix; holding any one of the listed roles is enough to call this method.

2), @PreAuthorize("hasAnyAuthority('adminaaaa')")
Before the method is called, the configured authority expression is evaluated; if it is not satisfied, the method is not called.

3), @PostAuthorize("hasAnyAuthority('admin2')")
After the method has executed, the configured authority expression is evaluated; if it is not satisfied, the result is not returned and the caller gets a 403 instead. This suits checks that involve the return value.

4), @PostFilter("filterObject.username == 'zhansan'")
When the caller is authorized, the returned result is filtered down to the elements that satisfy the condition; generally used on collections.

5), @PreFilter(value = "filterObject.id % 2 == 0")
When the caller is authorized, the incoming argument is filtered down to the elements that satisfy the condition; generally used on collections.

Note: when using annotations 1, 2 and 3, be sure to put @EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled=true) on the class; securedEnabled turns on @Secured and prePostEnabled turns on the @PreAuthorize/@PostAuthorize family.
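An added example (not from the original post) that checks the prefix rules above with MockMvc: it assumes a Spring Boot application containing the post's HttpSecurity rules (with the /test/hello rule written as hasAnyRole("manager", "monitor")) and TestController, a handler mapped to /test/hello, a Users class with getters so Jackson can serialize it, and spring-security-test on the test classpath for @WithMockUser.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Assumed: the post's security config and TestController are in the same Spring Boot application.
@SpringBootTest
@AutoConfigureMockMvc
class PermissionRulesTest {

    @Autowired
    MockMvc mvc;

    // roles = "manager" is stored as the authority ROLE_manager, which hasAnyRole("manager", ...) matches
    @Test
    @WithMockUser(roles = "manager")
    void managerRoleReachesHello() throws Exception {
        mvc.perform(get("/test/hello")).andExpect(status().isOk());
    }

    // authorities = "manager" lacks the ROLE_ prefix, so hasAnyRole does not treat it as a role: 403
    @Test
    @WithMockUser(authorities = "manager")
    void bareAuthorityIsNotARole() throws Exception {
        mvc.perform(get("/test/hello")).andExpect(status().isForbidden());
    }

    // hasAnyAuthority('admin') compares the raw authority string; @PostFilter then keeps only zhansan
    @Test
    @WithMockUser(authorities = "admin")
    void postFilterKeepsOnlyZhansan() throws Exception {
        mvc.perform(get("/test/testPostFilter"))
           .andExpect(status().isOk())
           .andExpect(jsonPath("$.length()").value(1))
           .andExpect(jsonPath("$[0].username").value("zhansan"));
    }

    // the role ROLE_admin is not the authority admin: the method-level check rejects with 403
    @Test
    @WithMockUser(roles = "admin")
    void adminRoleIsNotAdminAuthority() throws Exception {
        mvc.perform(get("/test/testPostFilter")).andExpect(status().isForbidden());
    }
}
```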

Origin blog.csdn.net/magicproblem/article/details/112613182