聊聊SwitchUserFilter的使用
序
本文就來介紹一下如何使用SwitchUserFilter進行帳戶切換css
filter順序
spring security內置的各類filter:spring
| Alias | Filter Class | Namespace Element or Attribute |
|---|---|---|
| CHANNEL_FILTER | ChannelProcessingFilter | http/intercept-url@requires-channel |
| SECURITY_CONTEXT_FILTER | SecurityContextPersistenceFilter | http |
| CONCURRENT_SESSION_FILTER | ConcurrentSessionFilter | session-management/concurrency-control |
| HEADERS_FILTER | HeaderWriterFilter | http/headers |
| CSRF_FILTER | CsrfFilter | http/csrf |
| LOGOUT_FILTER | LogoutFilter | http/logout |
| X509_FILTER | X509AuthenticationFilter | http/x509 |
| PRE_AUTH_FILTER | AbstractPreAuthenticatedProcessingFilter Subclasses | N/A |
| CAS_FILTER | CasAuthenticationFilter | N/A |
| FORM_LOGIN_FILTER | UsernamePasswordAuthenticationFilter | http/form-login |
| BASIC_AUTH_FILTER | BasicAuthenticationFilter | http/http-basic |
| SERVLET_API_SUPPORT_FILTER | SecurityContextHolderAwareRequestFilter | http/@servlet-api-provision |
| JAAS_API_SUPPORT_FILTER | JaasApiIntegrationFilter | http/@jaas-api-provision |
| REMEMBER_ME_FILTER | RememberMeAuthenticationFilter | http/remember-me |
| ANONYMOUS_FILTER | AnonymousAuthenticationFilter | http/anonymous |
| SESSION_MANAGEMENT_FILTER | SessionManagementFilter | session-management |
| EXCEPTION_TRANSLATION_FILTER | ExceptionTranslationFilter | http |
| FILTER_SECURITY_INTERCEPTOR | FilterSecurityInterceptor | http |
| SWITCH_USER_FILTER | SwitchUserFilter | N/A |
能夠看到SwitchUserFilter是spring security提供的filter裏頭order順序在最後的一個。前面講到了FilterSecurityInterceptor主要用來進行鑑權處理,而SwitchUserFilter是用來作帳戶切換的,把它放在FilterSecurityInterceptor以後,是要求對切換用戶的功能進行鑑權,不然任何人均可以隨意切換用戶,那就安全故障了。api
config
@EnableWebSecurity
@EnableGlobalMethodSecurity(
securedEnabled = true,
jsr250Enabled = true,
prePostEnabled = true
)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public SwitchUserFilter switchUserFilter(UserDetailsService userDetailsService) throws Exception {
SwitchUserFilter switchUserFilter = new SwitchUserFilter();
switchUserFilter.setUserDetailsService(userDetailsService);
switchUserFilter.setTargetUrl("/session");
return switchUserFilter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//Each <http> namespace block always creates an SecurityContextPersistenceFilter, an ExceptionTranslationFilter and a FilterSecurityInterceptor. These are fixed and cannot be replaced with alternatives.
http
.addFilterAfter(switchUserFilter(userDetailsService()),FilterSecurityInterceptor.class)
.exceptionHandling().authenticationEntryPoint(new UnauthorizedEntryPoint())
.and()
.csrf().disable()
.authorizeRequests()
.antMatchers("/login","/css/**", "/js/**","/fonts/**").permitAll()
.antMatchers("/session").authenticated()
.antMatchers("/login/impersonate").hasAuthority("ROLE_ADMIN")
.antMatchers("/logout/impersonate").hasAuthority(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR)
.and()
.formLogin()
.permitAll()
.and()
.logout()
.deleteCookies("JSESSIONID")
.permitAll();
}
@Bean
@Override
protected UserDetailsService userDetailsService(){
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("demoUser1").password("123456")
.authorities("ROLE_USER","read_x").build());
manager.createUser(User.withUsername("admin").password("123456")
.authorities("ROLE_ADMIN").build());
return manager;
}
}
SwitchUserFilter默認的切換帳號的url爲/login/impersonate,默認註銷切換帳號的url爲/logout/impersonate,默認的帳號參數爲username
使用
上面的配置爲了方便驗證,把切換完用戶的targetUrl設置爲/session,其代碼以下安全
@RestController
@RequestMapping("/session")
public class SessionController {
@GetMapping("")
public Object getCurrentUser(){
return SecurityContextHolder.getContext().getAuthentication();
}
}
首先用普通用戶登陸,訪問http://localhost:8080/login/impersonate?username=admin,發現返回403session
註銷,使用管理員登陸,訪問http://localhost:8080/login/impersonate?username=demoUser1,發現成功並跳轉到sessionapp
{
"authorities": [
{
"authority": "ROLE_USER"
},
{
"authority": "read_x"
},
{
"source": {
"authorities": [
{
"authority": "ROLE_ADMIN"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": null
},
"authenticated": true,
"principal": {
"password": null,
"username": "admin",
"authorities": [
{
"authority": "ROLE_ADMIN"
}
],
"accountNonExpired": true,
"accountNonLocked": true,
"credentialsNonExpired": true,
"enabled": true
},
"credentials": null,
"name": "admin"
},
"authority": "ROLE_PREVIOUS_ADMINISTRATOR"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "1BF3D6F40A6F488EFD3ABE8F80E52872"
},
"authenticated": true,
"principal": {
"password": "123456",
"username": "demoUser1",
"authorities": [
{
"authority": "ROLE_USER"
},
{
"authority": "read_x"
}
],
"accountNonExpired": true,
"accountNonLocked": true,
"credentialsNonExpired": true,
"enabled": true
},
"credentials": "123456",
"name": "demoUser1"
}
能夠發現有成功切換
以後再切換回來
http://localhost:8080/logout/impersonate?username=demoUser1ide
{
"authorities": [
{
"authority": "ROLE_ADMIN"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": null
},
"authenticated": true,
"principal": {
"password": null,
"username": "admin",
"authorities": [
{
"authority": "ROLE_ADMIN"
}
],
"accountNonExpired": true,
"accountNonLocked": true,
"credentialsNonExpired": true,
"enabled": true
},
"credentials": null,
"name": "admin"
}
能夠發現切換回來了,是否是很是神奇,太強大了,之後線上排查問題之類的,很是方便,爽歪歪了簡直
- 異常狀況
若是你切換了不存在的用戶,則報測試
This application has no explicit mapping for /error, so you are seeing this as a fallback. Sat Dec 16 14:36:28 CST 2017 There was an unexpected error (type=Unauthorized, status=401). Authentication Failed: demoUser2
小結
SwitchUserFilter是個強大的filter,很是方便測試環境進行調試、測試,甚至能夠用來進行上線問題排查。ui
相關文章
- 1. 聊聊Redis使用場景
- 2. 聊聊 Redis 使用場景
- 3. 聊聊 OAuth 2.0 的 token expire_in 使用
- 4. 聊聊mq的使用場景
- 5. 聊聊 Java 泛型的使用
- 6. 聊聊在javascript中數組的使用
- 7. 聊一聊ES6中class的使用
- 8. 使用websocket實現單聊和多聊
- 9. 聊聊Flutter-WebView使用詳解
- 10. 聊聊kingbus的starRaft
- 更多相關文章...
- • TortoiseSVN 使用教程 - SVN 教程
- • Docker 容器使用 - Docker教程
- • Composer 安裝與使用
- • 使用Rxjava計算圓周率
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章