
A look at using SwitchUserFilter

amuqiao / 2050 reads

Abstract: This article introduces how to use SwitchUserFilter to switch accounts. Looking at the order of the filters built into Spring Security, SwitchUserFilter is the last one. FilterSecurityInterceptor, covered earlier, handles authorization, whereas SwitchUserFilter performs the account switch; placing it after FilterSecurityInterceptor means the switch-user function itself is authorized first, otherwise anyone could switch to any user, which would be a security failure.

This article introduces how to use SwitchUserFilter to switch accounts.

Filter order

The filters built into Spring Security, in order:

Alias                         Filter Class                                        Namespace Element or Attribute
CHANNEL_FILTER                ChannelProcessingFilter                             http/intercept-url@requires-channel
SECURITY_CONTEXT_FILTER       SecurityContextPersistenceFilter                    http
CONCURRENT_SESSION_FILTER     ConcurrentSessionFilter                             session-management/concurrency-control
HEADERS_FILTER                HeaderWriterFilter                                  http/headers
CSRF_FILTER                   CsrfFilter                                          http/csrf
LOGOUT_FILTER                 LogoutFilter                                        http/logout
X509_FILTER                   X509AuthenticationFilter                            http/x509
PRE_AUTH_FILTER               AbstractPreAuthenticatedProcessingFilter subclasses N/A
CAS_FILTER                    CasAuthenticationFilter                             N/A
FORM_LOGIN_FILTER             UsernamePasswordAuthenticationFilter                http/form-login
BASIC_AUTH_FILTER             BasicAuthenticationFilter                           http/http-basic
SERVLET_API_SUPPORT_FILTER    SecurityContextHolderAwareRequestFilter             http/@servlet-api-provision
JAAS_API_SUPPORT_FILTER       JaasApiIntegrationFilter                            http/@jaas-api-provision
REMEMBER_ME_FILTER            RememberMeAuthenticationFilter                      http/remember-me
ANONYMOUS_FILTER              AnonymousAuthenticationFilter                       http/anonymous
SESSION_MANAGEMENT_FILTER     SessionManagementFilter                             session-management
EXCEPTION_TRANSLATION_FILTER  ExceptionTranslationFilter                          http
FILTER_SECURITY_INTERCEPTOR   FilterSecurityInterceptor                           http
SWITCH_USER_FILTER            SwitchUserFilter                                    N/A
As the table shows, SwitchUserFilter is the last in the order of the filters Spring Security provides.

As discussed earlier, FilterSecurityInterceptor is the filter that performs authorization, while SwitchUserFilter performs the account switch. SwitchUserFilter does not check the caller's authorities itself: it only loads the target user and replaces the Authentication in the SecurityContext. Placing it after FilterSecurityInterceptor means a request to the switch URL is authorized first, so the URL can be restricted to administrators; otherwise anyone could switch to any user, which would be a security failure.

Config
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;

@EnableWebSecurity
@EnableGlobalMethodSecurity(
        securedEnabled = true,
        jsr250Enabled = true,
        prePostEnabled = true
)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // The filter needs a UserDetailsService to load the target account and a targetUrl
    // (or a success handler) to redirect to after a switch or an exit.
    @Bean
    public SwitchUserFilter switchUserFilter(UserDetailsService userDetailsService) throws Exception {
        SwitchUserFilter switchUserFilter = new SwitchUserFilter();
        switchUserFilter.setUserDetailsService(userDetailsService);
        switchUserFilter.setTargetUrl("/session");
        return switchUserFilter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Each namespace block always creates a SecurityContextPersistenceFilter, an ExceptionTranslationFilter
        // and a FilterSecurityInterceptor. These are fixed and cannot be replaced with alternatives.
        http
                // after FilterSecurityInterceptor, so the switch and exit URLs below are authorized first
                .addFilterAfter(switchUserFilter(userDetailsService()), FilterSecurityInterceptor.class)
                // UnauthorizedEntryPoint is the author's own AuthenticationEntryPoint (answers 401); not shown here
                .exceptionHandling().authenticationEntryPoint(new UnauthorizedEntryPoint())
                .and()
                // disabled only to keep the browser demo simple
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/login", "/css/**", "/js/**", "/fonts/**").permitAll()
                .antMatchers("/session").authenticated()
                // only administrators may switch ...
                .antMatchers("/login/impersonate").hasAuthority("ROLE_ADMIN")
                // ... and only a switched session may switch back
                .antMatchers("/logout/impersonate").hasAuthority(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR)
                .and()
                .formLogin()
                .permitAll()
                .and()
                .logout()
                .deleteCookies("JSESSIONID")
                .permitAll();
    }

    // Plain-text passwords work on Spring Security 4.x, which this article targets;
    // on 5.x prefix them with {noop} or register a PasswordEncoder bean.
    @Bean
    @Override
    protected UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("demoUser1").password("123456")
                .authorities("ROLE_USER", "read_x").build());
        manager.createUser(User.withUsername("admin").password("123456")
                .authorities("ROLE_ADMIN").build());
        return manager;
    }
}
SwitchUserFilter's default switch-user URL is /login/impersonate, its default exit URL is /logout/impersonate, and the default request parameter carrying the target account is username; all three can be changed with setSwitchUserUrl, setExitUserUrl and setUsernameParameter.
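As an added example (not code from the original article), here is the filter configured the way a practitioner would ship it: switch and exit URLs that only match POST, so the CSRF filter covers them and a plain GET link cannot trigger a switch; success and failure handlers set explicitly; and a listener that writes an audit line for every switch and exit. It uses the same WebSecurityConfigurerAdapter-based API as the article (deprecated since Spring Security 5.7) and assumes a UserDetailsService bean such as the article's InMemoryUserDetailsManager is defined elsewhere. The class names and the /admin/impersonate paths are my own choices.

```java
// Added example, not code from the original article. Class names, the /admin/impersonate
// paths and the audit log format are assumptions chosen for illustration.
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationListener;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.stereotype.Component;

@Configuration
@EnableWebSecurity
public class HardenedSwitchUserConfig extends WebSecurityConfigurerAdapter {

    static final String SWITCH_URL = "/admin/impersonate";       // article default: /login/impersonate
    static final String EXIT_URL = "/admin/impersonate/exit";    // article default: /logout/impersonate

    private final UserDetailsService userDetailsService;   // assumed to be a bean defined elsewhere
    private final ApplicationEventPublisher eventPublisher;

    public HardenedSwitchUserConfig(UserDetailsService userDetailsService,
                                    ApplicationEventPublisher eventPublisher) {
        this.userDetailsService = userDetailsService;
        this.eventPublisher = eventPublisher;
    }

    // Deliberately not a @Bean: in Spring Boot every Filter bean is also registered with the
    // servlet container, so the filter would run a second time outside the security chain.
    // The price is that nothing calls afterPropertiesSet() on it, so the success and failure
    // handlers (which that method would derive from targetUrl and switchFailureUrl) and the
    // event publisher are wired by hand.
    private SwitchUserFilter switchUserFilter() {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(userDetailsService);
        // POST only: CsrfFilter ignores GET, so a GET-able switch URL could be triggered by any
        // page an administrator happens to visit.
        filter.setSwitchUserMatcher(new AntPathRequestMatcher(SWITCH_URL, "POST"));
        filter.setExitUserMatcher(new AntPathRequestMatcher(EXIT_URL, "POST"));
        filter.setUsernameParameter("username");
        filter.setSuccessHandler(new SimpleUrlAuthenticationSuccessHandler("/session"));
        // An unknown or disabled target user redirects here instead of producing a bare 401.
        filter.setFailureHandler(new SimpleUrlAuthenticationFailureHandler("/admin/impersonate/failed"));
        // With a publisher set, the filter emits an AuthenticationSwitchUserEvent on every switch and exit.
        filter.setApplicationEventPublisher(eventPublisher);
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // after FilterSecurityInterceptor: the rules below are enforced before the filter acts
            .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class)
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, SWITCH_URL).hasRole("ADMIN")
                .antMatchers(HttpMethod.POST, EXIT_URL).hasAuthority(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR)
                .anyRequest().authenticated()
            .and()
            .formLogin();
        // CSRF protection stays at its default (enabled): the POST to SWITCH_URL must carry the token.
    }
}

// Every switch and exit ends up in the log with who did it and to whom. On a switch the event's
// authentication is the administrator and the target is the impersonated account; on an exit it is
// the other way round (the impersonated authentication, and the administrator being restored).
@Component
class ImpersonationAuditListener implements ApplicationListener<AuthenticationSwitchUserEvent> {

    private static final Logger log = LoggerFactory.getLogger(ImpersonationAuditListener.class);

    @Override
    public void onApplicationEvent(AuthenticationSwitchUserEvent event) {
        String from = event.getAuthentication().getName();
        String to = event.getTargetUser() != null ? event.getTargetUser().getUsername() : "<unknown>";
        log.warn("switch-user: {} -> {}", from, to);
    }
}
```

Exposing the filter as a @Bean, as the article does, also works and lets the container run afterPropertiesSet() for you; the cost in Spring Boot is the second, container-level registration of the same filter. Either way the authorization rules on the switch and exit URLs are what actually protect impersonation, and the audit listener is what lets you reconstruct afterwards who acted as whom.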
Usage

For easy verification, the configuration above sets the post-switch targetUrl to /session, which is served by the following controller:

import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/session")
public class SessionController {

    // Debugging aid only: serializes the whole Authentication object (principal,
    // credentials, details and authorities) so the effect of a switch can be inspected.
    @GetMapping("")
    public Object getCurrentUser() {
        return SecurityContextHolder.getContext().getAuthentication();
    }
}

First log in as the ordinary user and visit http://localhost:8080/login/impersonate?username=admin: the response is 403, because /login/impersonate requires ROLE_ADMIN and FilterSecurityInterceptor rejects the request before SwitchUserFilter ever sees it.

Log out, log in as admin and visit http://localhost:8080/login/impersonate?username=demoUser1: the switch succeeds and the browser is redirected to /session, which returns:

{
  "authorities": [
    {
      "authority": "ROLE_USER"
    },
    {
      "authority": "read_x"
    },
    {
      "source": {
        "authorities": [
          {
            "authority": "ROLE_ADMIN"
          }
        ],
        "details": {
          "remoteAddress": "0:0:0:0:0:0:0:1",
          "sessionId": null
        },
        "authenticated": true,
        "principal": {
          "password": null,
          "username": "admin",
          "authorities": [
            {
              "authority": "ROLE_ADMIN"
            }
          ],
          "accountNonExpired": true,
          "accountNonLocked": true,
          "credentialsNonExpired": true,
          "enabled": true
        },
        "credentials": null,
        "name": "admin"
      },
      "authority": "ROLE_PREVIOUS_ADMINISTRATOR"
    }
  ],
  "details": {
    "remoteAddress": "0:0:0:0:0:0:0:1",
    "sessionId": "1BF3D6F40A6F488EFD3ABE8F80E52872"
  },
  "authenticated": true,
  "principal": {
    "password": "123456",
    "username": "demoUser1",
    "authorities": [
      {
        "authority": "ROLE_USER"
      },
      {
        "authority": "read_x"
      }
    ],
    "accountNonExpired": true,
    "accountNonLocked": true,
    "credentialsNonExpired": true,
    "enabled": true
  },
  "credentials": "123456",
  "name": "demoUser1"
}
The switch succeeded: the principal is now demoUser1, and the admin's original Authentication is preserved as the source of a SwitchUserGrantedAuthority named ROLE_PREVIOUS_ADMINISTRATOR (the nested object above). That nested authority is what the exit URL uses to restore the original session, and it is also how application code can tell that a request is being made under impersonation. Note also what the dump exposes: the target user's password appears in both principal.password and credentials. A normal login has these erased (ProviderManager erases credentials after authentication, which is why the admin's own token shows null), but the token SwitchUserFilter builds carries the password of the UserDetails it loaded. Never return the raw Authentication object from a real endpoint.
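The dump above is exactly what an endpoint must not return once this leaves the test environment. As an added example (not code from the article), here is a controller that returns only what an operator needs: the effective user, its authorities and, when the session is an impersonation, the administrator who performed it, taken from the SwitchUserGrantedAuthority the filter attaches. The /whoami path and the class name are assumptions.

```java
// Added example, not from the original article. The /whoami path and class name are assumptions.
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WhoAmIController {

    // Spring MVC injects the current Authentication (it is a java.security.Principal,
    // exposed through the request by SecurityContextHolderAwareRequestFilter).
    @GetMapping("/whoami")
    public Map<String, Object> whoAmI(Authentication authentication) {
        Map<String, Object> view = new LinkedHashMap<>();
        view.put("name", authentication.getName());
        view.put("authorities", authorityNames(authentication));
        // null unless this session is an impersonation; then the administrator's username
        view.put("impersonatedBy", impersonator(authentication));
        // Deliberately absent: principal, credentials and details. For a switched user these
        // include the target account's password as loaded by the UserDetailsService.
        return view;
    }

    static List<String> authorityNames(Authentication authentication) {
        return authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());
    }

    // SwitchUserFilter adds one SwitchUserGrantedAuthority (ROLE_PREVIOUS_ADMINISTRATOR by
    // default) whose source is the Authentication that performed the switch. Matching on the
    // authority's type rather than its name keeps this correct if setSwitchAuthorityRole is used.
    static String impersonator(Authentication authentication) {
        for (GrantedAuthority ga : authentication.getAuthorities()) {
            if (ga instanceof SwitchUserGrantedAuthority) {
                return ((SwitchUserGrantedAuthority) ga).getSource().getName();
            }
        }
        return null;
    }
}
```

For the switched session shown above this yields name demoUser1, authorities [ROLE_USER, read_x, ROLE_PREVIOUS_ADMINISTRATOR] and impersonatedBy admin; after the exit, name admin and impersonatedBy null. The same impersonator check is what you would use to mark impersonated requests in application logs.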

Then switch back by visiting
http://localhost:8080/logout/impersonate?username=demoUser1
(the username parameter is not used on exit; the filter restores the Authentication stored as the source of the ROLE_PREVIOUS_ADMINISTRATOR authority). /session now returns:

{
  "authorities": [
    {
      "authority": "ROLE_ADMIN"
    }
  ],
  "details": {
    "remoteAddress": "0:0:0:0:0:0:0:1",
    "sessionId": null
  },
  "authenticated": true,
  "principal": {
    "password": null,
    "username": "admin",
    "authorities": [
      {
        "authority": "ROLE_ADMIN"
      }
    ],
    "accountNonExpired": true,
    "accountNonLocked": true,
    "credentialsNonExpired": true,
    "enabled": true
  },
  "credentials": null,
  "name": "admin"
}
We are back as admin. This is a powerful feature: being able to see the application exactly as a given user sees it makes troubleshooting problems in production much easier. Treat it accordingly: an impersonated request runs with the target user's full authorities, so the switch URL deserves the same protection as any other administrative action, and every switch and exit should be logged.

Error cases

If you try to switch to a user that does not exist (demoUser2 below), the response is:

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Sat Dec 16 14:36:28 CST 2017
There was an unexpected error (type=Unauthorized, status=401).
Authentication Failed: demoUser2

The 401 is produced by the filter's default failure handler, a SimpleUrlAuthenticationFailureHandler with no failure URL, which answers the UsernameNotFoundException from the UserDetailsService with sendError(401, "Authentication Failed: " + message). Calling setSwitchFailureUrl on the filter, or supplying your own failureHandler, turns this into a redirect. The message reveals which usernames exist, but only to a caller who has already passed the ROLE_ADMIN check.
Summary

SwitchUserFilter is a powerful filter: it makes debugging and testing in a test environment very convenient and, with the switch and exit URLs restricted to administrators as in the configuration above, it can even be used to investigate problems in production.


Original article: http://specialneedsforspecialkids.com/yun/11321.html
