Usage and code examples of the org.springframework.security.access.intercept.AbstractSecurityInterceptor class

x33g5p2x, reposted on 2022-01-16 under Other

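This article collects a number of Java code examples for the org.springframework.security.access.intercept.AbstractSecurityInterceptor class and shows how the class is used in practice. The examples come mainly from platforms such as GitHub, Stack Overflow and Maven and were extracted from selected projects, so they are useful as a reference. Details of the AbstractSecurityInterceptor class are as follows:
Package path: org.springframework.security.access.intercept.AbstractSecurityInterceptor
Class name: AbstractSecurityInterceptor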

Introduction to AbstractSecurityInterceptor

Abstract class that implements security interception for secure objects.

The AbstractSecurityInterceptor will ensure the proper startup configuration of the security interceptor. It will also implement the proper handling of secure object invocations, namely:

  1. Obtain the Authentication object from the SecurityContextHolder.
  2. Determine if the request relates to a secured or public invocation by looking up the secure object request against the SecurityMetadataSource.
  3. For an invocation that is secured (there is a list of ConfigAttributes for the secure object invocation):
    1. If either the org.springframework.security.core.Authentication#isAuthenticated() returns false, or the #alwaysReauthenticate is true, authenticate the request against the configured AuthenticationManager. When authenticated, replace the Authentication object on the SecurityContextHolder with the returned value.
    2. Authorize the request against the configured AccessDecisionManager.
    3. Perform any run-as replacement via the configured RunAsManager.
    4. Pass control back to the concrete subclass, which will actually proceed with executing the object. An InterceptorStatusToken is returned so that after the subclass has finished proceeding with execution of the object, its finally clause can ensure the AbstractSecurityInterceptor is re-called and tidies up correctly using #finallyInvocation(InterceptorStatusToken).
    5. The concrete subclass will re-call the AbstractSecurityInterceptor via the #afterInvocation(InterceptorStatusToken,Object) method.
    6. If the RunAsManager replaced the Authentication object, return the SecurityContextHolder to the object that existed after the call to AuthenticationManager.
    7. If an AfterInvocationManager is defined, invoke the invocation manager and allow it to replace the object due to be returned to the caller.
  4. For an invocation that is public (there are no ConfigAttributes for the secure object invocation):
    1. As described above, the concrete subclass will be returned an InterceptorStatusToken which is subsequently re-presented to the AbstractSecurityInterceptor after the secure object has been executed. The AbstractSecurityInterceptor will take no further action when its #afterInvocation(InterceptorStatusToken,Object) is called.
  5. Control again returns to the concrete subclass, along with the Object that should be returned to the caller. The subclass will then return that result or exception to the original caller.
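
The invocation sequence above, written out as a minimal servlet Filter subclass. This is an added example, not code from Spring Security or from the projects quoted on this page; the class name UrlSecurityInterceptor is hypothetical, and it assumes Spring Security 5.x with javax.servlet 4.0 (where Filter.init and Filter.destroy are default methods).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

// Hypothetical class (added example); assumes Spring Security 5.x and javax.servlet 4.0.
public class UrlSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {

  private final FilterInvocationSecurityMetadataSource metadataSource;

  public UrlSecurityInterceptor(FilterInvocationSecurityMetadataSource metadataSource,
      AccessDecisionManager accessDecisionManager) {
    this.metadataSource = metadataSource;
    setAccessDecisionManager(accessDecisionManager); // required by afterPropertiesSet()
    // Fail closed: a request with no ConfigAttributes raises IllegalArgumentException
    // instead of passing through as a public invocation.
    setRejectPublicInvocations(true);
  }

  @Override
  public Class<?> getSecureObjectClass() {
    return FilterInvocation.class;
  }

  @Override
  public SecurityMetadataSource obtainSecurityMetadataSource() {
    return this.metadataSource;
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    FilterInvocation fi = new FilterInvocation(request, response, chain);
    // Authenticate if required, authorize, apply run-as; throws AccessDeniedException on denial.
    InterceptorStatusToken token = super.beforeInvocation(fi);
    try {
      fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
    } finally {
      // Restore the SecurityContext replaced by RunAsManager, even if the chain throws.
      super.finallyInvocation(token);
    }
    // Reached only on normal completion; AfterInvocationManager (if any) runs here.
    super.afterInvocation(token, null);
  }
}
```

With setRejectPublicInvocations(true), the SecurityMetadataSource must return attributes for every request the filter sees, so unmapped URLs surface as configuration errors rather than as silently public endpoints.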

Code examples

Code example source: origin: 527515025/springBoot

public void invoke(FilterInvocation fi) throws IOException, ServletException {
  // fi holds the intercepted URL
  // beforeInvocation internally calls getAttributes(Object object) on UrlMetadataSource to obtain all permissions required for fi
  // and then calls decide on UrlAccessDecisionManager to check whether the user's permissions are sufficient
  InterceptorStatusToken token = super.beforeInvocation(fi);
  try {
    // run the next filter in the chain
    fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
  } finally {
    super.afterInvocation(token, null);
  }
}

Code example source: origin: 527515025/springBoot

@Autowired
public void setMyAccessDecisionManager(MyAccessDecisionManager myAccessDecisionManager) {
  super.setAccessDecisionManager(myAccessDecisionManager);
}

Code example source: origin: spring-projects/spring-security

/**
 * This method should be used to enforce security on a <code>MethodInvocation</code>.
 *
 * @param mi The method being invoked which requires a security decision
 *
 * @return The returned value from the method invocation (possibly modified by the
 * {@code AfterInvocationManager}).
 *
 * @throws Throwable if any error occurs
 */
public Object invoke(MethodInvocation mi) throws Throwable {
  InterceptorStatusToken token = super.beforeInvocation(mi);
  Object result;
  try {
    result = mi.proceed();
  }
  finally {
    super.finallyInvocation(token);
  }
  return super.afterInvocation(token, result);
}

Code example source: origin: spring-projects/spring-security

public void setSecurityInterceptor(AbstractSecurityInterceptor securityInterceptor) {
  // Reject a missing interceptor, one that does not secure MethodInvocations,
  // or one that has no AccessDecisionManager configured
  Assert.notNull(securityInterceptor, "AbstractSecurityInterceptor cannot be null");
  Assert.isTrue(
      MethodInvocation.class.equals(securityInterceptor.getSecureObjectClass()),
      "AbstractSecurityInterceptor does not support MethodInvocations");
  Assert.notNull(securityInterceptor.getAccessDecisionManager(),
      "AbstractSecurityInterceptor must provide a non-null AccessDecisionManager");
  this.securityInterceptor = securityInterceptor;
}

Code example source: origin: spring-projects/spring-security

final boolean debug = logger.isDebugEnabled();
if (!getSecureObjectClass().isAssignableFrom(object.getClass())) {
  throw new IllegalArgumentException(
      "Security invocation attempted for object "
          + object.getClass().getName()
          + " but AbstractSecurityInterceptor only configured to support secure objects of type: "
          + getSecureObjectClass());
}
// Look up the ConfigAttributes that secure this object
Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource()
    .getAttributes(object);
// ... (lines elided in this excerpt: public-invocation branch)
publishEvent(new PublicInvocationEvent(object));
// ... (lines elided in this excerpt: no Authentication in the SecurityContext)
credentialsNotFound(messages.getMessage(
    "AbstractSecurityInterceptor.authenticationNotFound",
    "An Authentication object was not found in the SecurityContext"),
    object, attributes);
// ...
Authentication authenticated = authenticateIfRequired();
// ... (lines elided in this excerpt: authorization failure path)
publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated,
    accessDeniedException));
// ... (lines elided in this excerpt: authorization success path)
publishEvent(new AuthorizedEvent(object, attributes, authenticated));

Code example source: origin: spring-projects/spring-security

public boolean isAllowed(MethodInvocation mi, Authentication authentication) {
  Assert.notNull(mi, "MethodInvocation required");
  Assert.notNull(mi.getMethod(),
      "MethodInvocation must provide a non-null getMethod()");
  Collection<ConfigAttribute> attrs = securityInterceptor
      .obtainSecurityMetadataSource().getAttributes(mi);
  if (attrs == null) {
    if (securityInterceptor.isRejectPublicInvocations()) {
      return false;
    }
    return true;
  }
  if (authentication == null || authentication.getAuthorities().isEmpty()) {
    return false;
  }
  try {
    securityInterceptor.getAccessDecisionManager().decide(authentication, mi,
        attrs);
  }
  catch (AccessDeniedException unauthorized) {
    if (logger.isDebugEnabled()) {
      logger.debug(mi.toString() + " denied for " + authentication.toString(),
          unauthorized);
    }
    return false;
  }
  return true;
}

Code example source: origin: spring-projects/spring-security

public void afterPropertiesSet() throws Exception {
  Assert.notNull(getSecureObjectClass(),
      "Subclass must provide a non-null response to getSecureObjectClass()");
  Assert.notNull(this.messages, "A message source must be set");
  Assert.notNull(this.accessDecisionManager, "An AccessDecisionManager is required");
  Assert.notNull(this.runAsManager, "A RunAsManager is required");
  Assert.notNull(this.obtainSecurityMetadataSource(),
      "An SecurityMetadataSource is required");
  Assert.isTrue(this.obtainSecurityMetadataSource()
      .supports(getSecureObjectClass()),
      () -> "SecurityMetadataSource does not support secure object class: "
          + getSecureObjectClass());
  Assert.isTrue(this.runAsManager.supports(getSecureObjectClass()),
      () -> "RunAsManager does not support secure object class: "
          + getSecureObjectClass());
  Assert.isTrue(this.accessDecisionManager.supports(getSecureObjectClass()),
      () -> "AccessDecisionManager does not support secure object class: "
          + getSecureObjectClass());
  // The AfterInvocationManager is optional, so it is only checked when configured
  if (this.afterInvocationManager != null) {
    Assert.isTrue(this.afterInvocationManager.supports(getSecureObjectClass()),
        () -> "AfterInvocationManager does not support secure object class: "
            + getSecureObjectClass());
  }
  // ... (the excerpt ends partway through the next statement; its beginning is elided)
  //     .obtainSecurityMetadataSource().getAllConfigAttributes();
}

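Code example source: origin: spring-projects/spring-security

finallyInvocation(token); // continue to clean in this method for passivity
// ... (lines elided in this excerpt; what follows is the tail of a statement
//      whose beginning is not shown)
            .getSecurityContext().getAuthentication(),
        accessDeniedException);
    publishEvent(event);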

Code example source: origin: keets2012/Auth-service

@PostConstruct
public void init() {
  super.setAccessDecisionManager(decisionManager);
  super.setAuthenticationManager(authenticationManager);
}

Code example source: origin: keets2012/microservice-integration

@PostConstruct
public void init() {
  super.setAccessDecisionManager(decisionManager);
  super.setAuthenticationManager(authenticationManager);
}

Code example source: origin: 527515025/springBoot

public void invoke(FilterInvocation fi) throws IOException, ServletException {
  // fi holds the intercepted URL
  // beforeInvocation internally calls getAttributes(Object object) on MyInvocationSecurityMetadataSource to obtain all permissions required for fi
  // and then calls decide on MyAccessDecisionManager to check whether the user's permissions are sufficient
  InterceptorStatusToken token = super.beforeInvocation(fi);
  try {
    // run the next filter in the chain
    fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
  } finally {
    super.afterInvocation(token, null);
  }
}

Code example source: origin: org.springframework.security/org.springframework.security.core

final boolean debug = logger.isDebugEnabled();
if (!getSecureObjectClass().isAssignableFrom(object.getClass())) {
  throw new IllegalArgumentException("Security invocation attempted for object "
      + object.getClass().getName()
      + " but AbstractSecurityInterceptor only configured to support secure objects of type: "
      + getSecureObjectClass());
}
// Look up the ConfigAttributes that secure this object
Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);
// ... (lines elided in this excerpt: public-invocation branch)
publishEvent(new PublicInvocationEvent(object));
// ... (lines elided in this excerpt: no Authentication in the SecurityContext)
credentialsNotFound(messages.getMessage("AbstractSecurityInterceptor.authenticationNotFound",
    "An Authentication object was not found in the SecurityContext"), object, attributes);
// ...
Authentication authenticated = authenticateIfRequired();
// ... (lines elided in this excerpt: authorization failure path)
publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated, accessDeniedException));
// ... (lines elided in this excerpt: authorization success path)
publishEvent(new AuthorizedEvent(object, attributes, authenticated));

Code example source: origin: org.springframework.security/org.springframework.security.core

public boolean isAllowed(MethodInvocation mi, Authentication authentication) {
  Assert.notNull(mi, "MethodInvocation required");
  Assert.notNull(mi.getMethod(), "MethodInvocation must provide a non-null getMethod()");
  Collection<ConfigAttribute> attrs = securityInterceptor.obtainSecurityMetadataSource().getAttributes(mi);
  if (attrs == null) {
    if (securityInterceptor.isRejectPublicInvocations()) {
      return false;
    }
    return true;
  }
  if (authentication == null || authentication.getAuthorities().isEmpty()) {
    return false;
  }
  try {
    securityInterceptor.getAccessDecisionManager().decide(authentication, mi, attrs);
  } catch (AccessDeniedException unauthorized) {
    if (logger.isDebugEnabled()) {
      logger.debug(mi.toString() + " denied for " + authentication.toString(), unauthorized);
    }
    return false;
  }
  return true;
}

Code example source: origin: org.springframework.security/org.springframework.security.core

public void setSecurityInterceptor(AbstractSecurityInterceptor securityInterceptor) {
  // Reject a missing interceptor, one that does not secure MethodInvocations,
  // or one that has no AccessDecisionManager configured
  Assert.notNull(securityInterceptor, "AbstractSecurityInterceptor cannot be null");
  Assert.isTrue(MethodInvocation.class.equals(securityInterceptor.getSecureObjectClass()),
      "AbstractSecurityInterceptor does not support MethodInvocations");
  Assert.notNull(securityInterceptor.getAccessDecisionManager(),
      "AbstractSecurityInterceptor must provide a non-null AccessDecisionManager");
  this.securityInterceptor = securityInterceptor;
}
