top.dcenter.ums.security.common.api.config

接口 HttpSecurityAware

public interface HttpSecurityAware

对 WebSecurityConfigurerAdapter 的扩展，使其能跨模块的灵活的添加 HttpSecurity 配置, WebSecurity 配置, AuthenticationManagerBuilder 配置.

注意：

1. 需要要在 WebSecurityConfigurerAdapter#configure(http) 方法中放在最后处理的配置。实现 postConfigure(HttpSecurity http) 方法。

2. 需要要在 WebSecurityConfigurerAdapter#configure(http) 方法中放在前面处理的配置。实现 preConfigure(HttpSecurity http) 方法。

3. authorizeRequests 配置时候要 authorizeRequests().anyRequest().authenticate 放到最后， 不然在之后配置的都不会生效。对 authorizeRequests 的配置通过实现 getAuthorizeRequestMap() 方法即可. 不需要配置 authorizeRequests().anyRequest().authenticate, 已在 SecurityCoreAutoConfigurer 中配置; 如需自定义 authorizeRequests().anyRequest() 的配置, 可以 通过 postConfigure(HttpSecurity) 覆盖 SecurityCoreAutoConfigurer 中的 authorizeRequests().anyRequest().authenticate 配置.

此接口的实现类, 最终通过：SecurityCoreAutoConfigurer 统一配置.

版本:

V1.0 Created by 2020/5/12 12:22

作者:

YongWu zheng

字段概要

字段

限定符和类型	字段和说明
static String	ACCESS
static String	ANONYMOUS
static String	AUTHENTICATED
static String	DENY_ALL
static String	FULLY_AUTHENTICATED
static String	HAS_ANY_AUTHORITY
static String	HAS_ANY_ROLE
static String	HAS_AUTHORITY
static String	HAS_IP_ADDRESS
static String	HAS_ROLE
static String	PERMIT_ALL
static String	REMEMBER_ME

方法概要

限定符和类型	方法和说明
void	configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth) Used by the default implementation of WebSecurityConfigurerAdapter#authenticationManager() to attempt to obtain an AuthenticationManager.
void	configure(org.springframework.security.config.annotation.web.builders.WebSecurity web) Override this method to configure WebSecurity.
Map<String,Map<UriHttpMethodTuple,Set<String>>>	getAuthorizeRequestMap() 因为 authorizeRequests 配置时候要 authorizeRequests().anyRequest().authenticate 放到最后， 所以这里临时把 权限与 uri 放入 map 给主配置器处理.
default void	permitUrlFillingPermitAllMap(String permitUrl, Map<UriHttpMethodTuple,Set<String>> permitAllMap) permitUrl 注入到 permitAllMap
default void	permitUrlsFillingPermitAllMap(Set<String> permitUrls, Map<UriHttpMethodTuple,Set<String>> permitAllMap) permitUrls 注入到 permitAllMap
void	postConfigure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) 需要要在 WebSecurityConfigurerAdapter#configure(http) 方法中放在最后处理的配置。
void	preConfigure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) 需要要在 WebSecurityConfigurerAdapter#configure(http) 方法中放在前面处理的配置。

字段详细资料

PERMIT_ALL

static final String PERMIT_ALL

另请参阅:

常量字段值

DENY_ALL

static final String DENY_ALL

另请参阅:

常量字段值

ANONYMOUS

static final String ANONYMOUS

另请参阅:

常量字段值

AUTHENTICATED

static final String AUTHENTICATED

另请参阅:

常量字段值

FULLY_AUTHENTICATED

static final String FULLY_AUTHENTICATED

另请参阅:

常量字段值

REMEMBER_ME

static final String REMEMBER_ME

另请参阅:

常量字段值

ACCESS

static final String ACCESS

另请参阅:

常量字段值

HAS_ROLE

static final String HAS_ROLE

另请参阅:

常量字段值

HAS_ANY_ROLE

static final String HAS_ANY_ROLE

另请参阅:

常量字段值

HAS_AUTHORITY

static final String HAS_AUTHORITY

另请参阅:

常量字段值

HAS_ANY_AUTHORITY

static final String HAS_ANY_AUTHORITY

另请参阅:

常量字段值

HAS_IP_ADDRESS

static final String HAS_IP_ADDRESS

另请参阅:

常量字段值

方法详细资料

configure

void configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)

Override this method to configure WebSecurity. For example, if you wish to ignore certain requests. Endpoints specified in this method will be ignored by Spring Security, meaning it will not protect them from CSRF, XSS, Clickjacking, and so on. Instead, if you want to protect endpoints against common vulnerabilities, then see WebSecurityConfigurerAdapter#configure(HttpSecurity) and the HttpSecurity.authorizeRequests() configuration method.

参数:

web - the WebSecurity to use

configure

void configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth)
        throws Exception

Used by the default implementation of WebSecurityConfigurerAdapter#authenticationManager() to attempt to obtain an AuthenticationManager. If overridden, the AuthenticationManagerBuilder should be used to specify the AuthenticationManager.

The WebSecurityConfigurerAdapter#authenticationManagerBean() method can be used to expose the resulting AuthenticationManager as a Bean. The WebSecurityConfigurerAdapter#userDetailsServiceBean() can be used to expose the last populated UserDetailsService that is created with the AuthenticationManagerBuilder as a Bean. The UserDetailsService will also automatically be populated on AbstractConfiguredSecurityBuilder.getSharedObject(Class) for use with other SecurityContextConfigurer (i.e. RememberMeConfigurer )

For example, the following configuration could be used to register in memory authentication that exposes an in memory UserDetailsService:

 @Override
 protected void configure(AuthenticationManagerBuilder auth) {
        auth
        // enable in memory based authentication with a user named
        // "user" and "admin"
        .inMemoryAuthentication().withUser("user").password("password").roles("USER").and()
                        .withUser("admin").password("password").roles("USER", "ADMIN");
 }

 // Expose the UserDetailsService as a Bean
 @Bean
 @Override
 public UserDetailsService userDetailsServiceBean() throws Exception {
        return super.userDetailsServiceBean();
 }

 

参数:

auth - the AuthenticationManagerBuilder to use

抛出:

Exception - Exception

preConfigure

void preConfigure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
           throws Exception

需要要在 WebSecurityConfigurerAdapter#configure(http) 方法中放在前面处理的配置。

最终在：SecurityCoreAutoConfigurer 中配置, 注意: authorizeRequests().anyRequest().authenticate 已在：SecurityCoreAutoConfigurer 中配置. 如需更改, 在 postConfigure(HttpSecurity) 方法里覆盖.

参数:

http - HttpSecurity

抛出:

Exception - exception

postConfigure

void postConfigure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
            throws Exception

需要要在 WebSecurityConfigurerAdapter#configure(http) 方法中放在最后处理的配置。

如: 需自定义 authorizeRequests().anyRequest() 的配置, 可以 通过此方法覆盖 SecurityCoreAutoConfigurer 中的 authorizeRequests().anyRequest().authenticate 配置.

最终在：SecurityCoreAutoConfigurer 中配置

参数:

http - HttpSecurity

抛出:

Exception - exception

getAuthorizeRequestMap

Map<String,Map<UriHttpMethodTuple,Set<String>>> getAuthorizeRequestMap()

因为 authorizeRequests 配置时候要 authorizeRequests().anyRequest().authenticate 放到最后，
所以这里临时把 权限与 uri 放入 map 给主配置器处理.

最终在SecurityCoreAutoConfigurer 中 configure(HttpSecurity) 方法中配置, return 可以为 null 值.
示例:

 Map<String, Map<UriHttpMethodTuple, Set<String>>> resultMap = new HashMap<>(16);
 // PERMIT_ALL = "permitAll";
 // DENY_ALL = "denyAll";
 // ANONYMOUS = "anonymous";
 // AUTHENTICATED = "authenticated";
 // FULLY_AUTHENTICATED = "fullyAuthenticated";
 // REMEMBER_ME = "rememberMe";
 // 这里只对 PERMIT_ALL 进行示例, 其他类推.
 Map<UriHttpMethodTuple, Set<String>> permitAllMap = new HashMap<>(16);
 permitAllMap.put(UriHttpMethodTuple.tuple(HttpMethod.GET, "/login"), null);
 permitAllMap.put(UriHttpMethodTuple.tuple(POST, "/signUp"), null);
 resultMap.put(HttpSecurityAware.PERMIT_ALL, permitAllMap);
 // ACCESS = "access";
 // HAS_ROLE = "hasRole";
 // HAS_ANY_ROLE = "hasAnyRole";
 // HAS_AUTHORITY = "hasAuthority";
 // HAS_ANY_AUTHORITY = "hasAnyAuthority";
 // HAS_IP_ADDRESS = "hasIpAddress";
 // 这里只对 ACCESS/HAS_ROLE/HAS_AUTHORITY/HAS_IP_ADDRESS  进行示例, 其他类推.
 Map<UriHttpMethodTuple, Set<String>> accessMap = new HashMap<>(16);
 permitAllMap.put(UriHttpMethodTuple.tuple(HttpMethod.GET, "/user/**"), Sets.newHashSet("isAuthenticated()"));
 resultMap.put(HttpSecurityAware.ACCESS, accessMap);

 Map<UriHttpMethodTuple, Set<String>> hasRoleMap = new HashMap<>(16);
 permitAllMap.put(UriHttpMethodTuple.tuple(HttpMethod.GET, "/order/**"), Sets.newHashSet("USER", "MEMBER"));
 resultMap.put(HttpSecurityAware.HAS_ROLE, hasRoleMap);

 Map<UriHttpMethodTuple, Set<String>> authorityMap = new HashMap<>(16);
 permitAllMap.put(UriHttpMethodTuple.tuple(HttpMethod.GET, "/vip/**"), Sets.newHashSet("VIP", "SVIP"));
 resultMap.put(HttpSecurityAware.HAS_AUTHORITY, authorityMap);

 Map<UriHttpMethodTuple, Set<String>> hasIpMap = new HashMap<>(16);
 permitAllMap.put(UriHttpMethodTuple.tuple(HttpMethod.GET, "/cfg/**"), Sets.newHashSet("8.8.8.8"));
 resultMap.put(HttpSecurityAware.HAS_IP_ADDRESS, hasIpMap);

 return resultMap;
 

返回:

authorizeRequestMap(permissionType, Map(UriHttpMethodTuple, ip/authority/role/null))
==key== 为权限类型(PERMIT_ALL, DENY_ALL, ANONYMOUS,AUTHENTICATED, FULLY_AUTHENTICATED, REMEMBER_ME,ACCESS,HAS_ROLE,HAS_ANY_ROLE, HAS_AUTHORITY,HAS_ANY_AUTHORITY,HAS_IP_ADDRESS);
==value== 为Map(Map<String, Set<String>>)
Map(Map<String, Set<String>>)的
=key= 为 UriHttpMethodTuple,
=value= 为 role/authority/ip 的 Set; 当 authorizeRequestMap 的 ==key== 为 HAS_ROLE,HAS_ANY_ROLE/HAS_AUTHORITY/HAS_ANY_AUTHORITY/ HAS_IP_ADDRESS/ACCESS时, set 不为 null,
当 authorizeRequestMap 的 ==key== 为 PERMIT_ALL/ DENY_ALL/ ANONYMOUS/AUTHENTICATED/FULLY_AUTHENTICATED/REMEMBER_ME时, set 为 null).

permitUrlsFillingPermitAllMap

default void permitUrlsFillingPermitAllMap(@NonNull
                                           Set<String> permitUrls,
                                           @NonNull
                                           Map<UriHttpMethodTuple,Set<String>> permitAllMap)

permitUrls 注入到 permitAllMap

参数:

permitUrls - permitUrls 在 application.yml 配置文件上的 url(带 HttpMethod 后缀; 用 : 分隔)

permitAllMap - permitAllMap

permitUrlFillingPermitAllMap

default void permitUrlFillingPermitAllMap(@NonNull
                                          String permitUrl,
                                          @NonNull
                                          Map<UriHttpMethodTuple,Set<String>> permitAllMap)

permitUrl 注入到 permitAllMap

参数:

permitUrl - permitUrl 在 application.yml 配置文件上的 url(带 HttpMethod 后缀; 用 : 分隔)

permitAllMap - permitAllMap