摘要:序本文就來介紹一下如何使用進行賬戶切換順序內置的各種可以看到是提供的里頭順序在最后的一個。前面講到了主要用來進行鑒權處理,而是用來做賬戶切換的,把它放在之后,是要求對切換用戶的功能進行鑒權,否則任何人都可以隨意切換用戶,那就安全故障了。
序
本文就來介紹一下如何使用SwitchUserFilter進行賬戶切換
filter順序spring security內置的各種filter:
Alias | Filter Class | Namespace Element or Attribute |
---|---|---|
CHANNEL_FILTER | ChannelProcessingFilter | http/intercept-url@requires-channel |
SECURITY_CONTEXT_FILTER | SecurityContextPersistenceFilter | http |
CONCURRENT_SESSION_FILTER | ConcurrentSessionFilter | session-management/concurrency-control |
HEADERS_FILTER | HeaderWriterFilter | http/headers |
CSRF_FILTER | CsrfFilter | http/csrf |
LOGOUT_FILTER | LogoutFilter | http/logout |
X509_FILTER | X509AuthenticationFilter | http/x509 |
PRE_AUTH_FILTER | AbstractPreAuthenticatedProcessingFilter Subclasses | N/A |
CAS_FILTER | CasAuthenticationFilter | N/A |
FORM_LOGIN_FILTER | UsernamePasswordAuthenticationFilter | http/form-login |
BASIC_AUTH_FILTER | BasicAuthenticationFilter | http/http-basic |
SERVLET_API_SUPPORT_FILTER | SecurityContextHolderAwareRequestFilter | http/@servlet-api-provision |
JAAS_API_SUPPORT_FILTER | JaasApiIntegrationFilter | http/@jaas-api-provision |
REMEMBER_ME_FILTER | RememberMeAuthenticationFilter | http/remember-me |
ANONYMOUS_FILTER | AnonymousAuthenticationFilter | http/anonymous |
SESSION_MANAGEMENT_FILTER | SessionManagementFilter | session-management |
EXCEPTION_TRANSLATION_FILTER | ExceptionTranslationFilter | http |
FILTER_SECURITY_INTERCEPTOR | FilterSecurityInterceptor | http |
SWITCH_USER_FILTER | SwitchUserFilter | N/A |
可以看到SwitchUserFilter是spring security提供的filter里頭order順序在最后的一個。config前面講到了FilterSecurityInterceptor主要用來進行鑒權處理,而SwitchUserFilter是用來做賬戶切換的,把它放在FilterSecurityInterceptor之后,是要求對切換用戶的功能進行鑒權,否則任何人都可以隨意切換用戶,那就安全故障了。
@EnableWebSecurity @EnableGlobalMethodSecurity( securedEnabled = true, jsr250Enabled = true, prePostEnabled = true ) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Bean public SwitchUserFilter switchUserFilter(UserDetailsService userDetailsService) throws Exception { SwitchUserFilter switchUserFilter = new SwitchUserFilter(); switchUserFilter.setUserDetailsService(userDetailsService); switchUserFilter.setTargetUrl("/session"); return switchUserFilter; } @Override protected void configure(HttpSecurity http) throws Exception { //Eachnamespace block always creates an SecurityContextPersistenceFilter, an ExceptionTranslationFilter and a FilterSecurityInterceptor. These are fixed and cannot be replaced with alternatives. http .addFilterAfter(switchUserFilter(userDetailsService()),FilterSecurityInterceptor.class) .exceptionHandling().authenticationEntryPoint(new UnauthorizedEntryPoint()) .and() .csrf().disable() .authorizeRequests() .antMatchers("/login","/css/**", "/js/**","/fonts/**").permitAll() .antMatchers("/session").authenticated() .antMatchers("/login/impersonate").hasAuthority("ROLE_ADMIN") .antMatchers("/logout/impersonate").hasAuthority(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR) .and() .formLogin() .permitAll() .and() .logout() .deleteCookies("JSESSIONID") .permitAll(); } @Bean @Override protected UserDetailsService userDetailsService(){ InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager(); manager.createUser(User.withUsername("demoUser1").password("123456") .authorities("ROLE_USER","read_x").build()); manager.createUser(User.withUsername("admin").password("123456") .authorities("ROLE_ADMIN").build()); return manager; } }
SwitchUserFilter默認的切換賬號的url為/login/impersonate,默認注銷切換賬號的url為/logout/impersonate,默認的賬號參數為username使用
上面的配置為了方便驗證,把切換完用戶的targetUrl設置為/session,其代碼如下
@RestController @RequestMapping("/session") public class SessionController { @GetMapping("") public Object getCurrentUser(){ return SecurityContextHolder.getContext().getAuthentication(); } }
首先用普通用戶登錄,訪問http://localhost:8080/login/impersonate?username=admin,發現返回403
注銷,使用管理員登錄,訪問http://localhost:8080/login/impersonate?username=demoUser1,發現成功并跳轉到session
{ "authorities": [ { "authority": "ROLE_USER" }, { "authority": "read_x" }, { "source": { "authorities": [ { "authority": "ROLE_ADMIN" } ], "details": { "remoteAddress": "0:0:0:0:0:0:0:1", "sessionId": null }, "authenticated": true, "principal": { "password": null, "username": "admin", "authorities": [ { "authority": "ROLE_ADMIN" } ], "accountNonExpired": true, "accountNonLocked": true, "credentialsNonExpired": true, "enabled": true }, "credentials": null, "name": "admin" }, "authority": "ROLE_PREVIOUS_ADMINISTRATOR" } ], "details": { "remoteAddress": "0:0:0:0:0:0:0:1", "sessionId": "1BF3D6F40A6F488EFD3ABE8F80E52872" }, "authenticated": true, "principal": { "password": "123456", "username": "demoUser1", "authorities": [ { "authority": "ROLE_USER" }, { "authority": "read_x" } ], "accountNonExpired": true, "accountNonLocked": true, "credentialsNonExpired": true, "enabled": true }, "credentials": "123456", "name": "demoUser1" }
可以發現有成功切換
之后再切換回來
http://localhost:8080/logout/impersonate?username=demoUser1
{ "authorities": [ { "authority": "ROLE_ADMIN" } ], "details": { "remoteAddress": "0:0:0:0:0:0:0:1", "sessionId": null }, "authenticated": true, "principal": { "password": null, "username": "admin", "authorities": [ { "authority": "ROLE_ADMIN" } ], "accountNonExpired": true, "accountNonLocked": true, "credentialsNonExpired": true, "enabled": true }, "credentials": null, "name": "admin" }
可以發現切換回來了,是不是非常神奇,太強大了,以后線上排查問題之類的,非常方便,爽歪歪了簡直
異常情況
如果你切換了不存在的用戶,則報
This application has no explicit mapping for /error, so you are seeing this as a fallback. Sat Dec 16 14:36:28 CST 2017 There was an unexpected error (type=Unauthorized, status=401). Authentication Failed: demoUser2小結
SwitchUserFilter是個強大的filter,非常方便測試環境進行調試、測試,甚至可以用來進行上線問題排查。
文章版權歸作者所有,未經允許請勿轉載,若此文章存在違規行為,您可以聯系管理員刪除。
轉載請注明本文地址:http://specialneedsforspecialkids.com/yun/11321.html
摘要:返回總共需要處理個地方,一個是異常的處理,需要兼容請求,一個是成功返回的處理,一個是失敗返回的處理。這里就是攔截,獲取提交的參數,然后交給去認證。之后就是走后續的,如果成功,則會進行相應的配置。動態配置權限筆記自定義 序 本文講述一下如何自定義spring security的登錄頁,網上給的資料大多過時,而且是基于后端模板技術的,講的不是太清晰,本文給出一個采用ajax的登錄及返回的前...
摘要:布爾類型,表示文檔是否按照有序或者無序插入,默認是返回參數返回了含有操作狀態的對象插入文檔成功返回如下對象字段指明了插入文檔的總數如果該操作遇到了錯誤對象將包含該錯誤信息例子四其它可以向集合中添加文檔的方法和選項一起使用的。 上一節介紹了MongoDB的基本的命令,以及結構的了解,這一節的主題是介紹一下MongoDB的插入文檔的操作的基礎命令的使用,MongoDB當中文檔的數據結構和j...
摘要:對中的數據綁定場景,小伙伴們就再熟悉不過了。比如包下大名鼎鼎的源碼分析的源碼相對來說還是頗為復雜的,它提供的能力非常強大,也注定了它的方法非常多屬性也非常多。并且備注入群字樣,會手動邀請入群 每篇一句 唯有熱愛和堅持,才能讓你在程序人生中屹立不倒,切忌跟風什么語言或就學什么去~ 相關閱讀 【小家Spring】聊聊Spring中的數據綁定 --- 屬性訪問器PropertyAccesso...
閱讀 1711·2021-11-22 12:09
閱讀 1452·2019-08-30 13:22
閱讀 2083·2019-08-29 17:00
閱讀 2635·2019-08-29 16:28
閱讀 2945·2019-08-26 13:51
閱讀 1174·2019-08-26 13:25
閱讀 3238·2019-08-26 12:14
閱讀 3007·2019-08-26 12:14