(window.webpackJsonp=window.webpackJsonp||[]).push([[608],{1039:function(t,e,r){"use strict";r.r(e);var i=r(56),n=Object(i.a)({},(function(){var t=this,e=t.$createElement,r=t._self._c||e;return r("ContentSlotsDistributor",{attrs:{"slot-key":t.$parent.slotKey}},[r("h1",{attrs:{id:"授权-httpservletrequestwithauthorizationfilter"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#授权-httpservletrequestwithauthorizationfilter"}},[t._v("#")]),t._v(" 授权 HttpServletRequestwithAuthorizationFilter")]),t._v(" "),r("p",[t._v("本节通过深入研究"),r("RouterLink",{attrs:{to:"/spring-security/index.html#servlet-authorization"}},[t._v("授权")]),t._v("在基于 Servlet 的应用程序中的工作方式，构建了"),r("RouterLink",{attrs:{to:"/architecture.html#servlet-architecture"}},[t._v("Servlet Architecture and Implementation")]),t._v("。")],1),t._v(" "),r("table",[r("thead",[r("tr",[r("th"),t._v(" "),r("th",[r("code",[t._v("AuthorizationFilter")]),t._v("取代["),r("code",[t._v("FilterSecurityInterceptor")]),t._v("]（authorize-requests.html# Servlet-authorization-filtersecurityinterceptor）。"),r("br"),t._v("要保持向后兼容，"),r("code",[t._v("FilterSecurityInterceptor")]),t._v("仍然是默认值。"),r("br"),t._v("本节讨论"),r("code",[t._v("AuthorizationFilter")]),t._v("如何工作以及如何覆盖默认配置。")])])]),t._v(" "),r("tbody")]),t._v(" "),r("p",[t._v("["),r("code",[t._v("AuthorizationFilter")]),t._v("]（https://DOCS. Spring.io/ Spring-security/site/DOCS/5.6.2/api/org/springframework/security/web/access/intercept/intercept/authorizationfilter.html）为"),r("code",[t._v("HttpServletRequest")]),t._v("s 提供"),r("RouterLink",{attrs:{to:"/spring-security/index.html#servlet-authorization"}},[t._v("授权")]),t._v("。它作为"),r("RouterLink",{attrs:{to:"/architecture.html#servlet-security-filters"}},[t._v("安全过滤器")]),t._v("中的一个插入到"),r("RouterLink",{attrs:{to:"/architecture.html#servlet-filterchainproxy"}},[t._v("FilterchainProxy")]),t._v("中。")],1),t._v(" "),r("p",[t._v("声明"),r("code",[t._v("SecurityFilterChain")]),t._v("时，可以重写默认值。不要使用["),r("code",[t._v("authorizeRequests")]),t._v("]（# Servlet-authorize-requests-defaults），而是使用"),r("code",[t._v("authorizeHttpRequests")]),t._v("，就像这样：")]),t._v(" "),r("p",[t._v("例 1。使用 AuthorizeHttpRequests")]),t._v(" "),r("p",[t._v("爪哇")]),t._v(" "),r("div",{staticClass:"language- extra-class"},[r("pre",{pre:!0,attrs:{class:"language-text"}},[r("code",[t._v("@Bean\nSecurityFilterChain web(HttpSecurity http) throws AuthenticationException {\n http\n .authorizeHttpRequests((authorize) -> authorize\n .anyRequest().authenticated();\n )\n // ...\n\n return http.build();\n}\n")])])]),r("p",[t._v("这在以下几个方面改进了"),r("code",[t._v("authorizeRequests")]),t._v(":")]),t._v(" "),r("ol",[r("li",[r("p",[t._v("使用简化的"),r("code",[t._v("AuthorizationManager")]),t._v("API，而不是元数据源、配置属性、决策管理器和投票者。这简化了重用和定制。")])]),t._v(" "),r("li",[r("p",[t._v("延迟"),r("code",[t._v("Authentication")]),t._v("查找。而不是需要为每个请求查找身份验证，它只会在授权决策需要身份验证的请求中查找。")])]),t._v(" "),r("li",[r("p",[t._v("Bean-基于配置支持。")])])]),t._v(" "),r("p",[t._v("当使用"),r("code",[t._v("authorizeHttpRequests")]),t._v("而不是"),r("code",[t._v("authorizeRequests")]),t._v("时，则使用["),r("code",[t._v("AuthorizationFilter")]),t._v("]（https://DOCS. Spring.io/ Spring-security/site/DOCS/5.6.2/api/org/springframework/security/web/access/intercept/Authorizationfilter.html）代替[<<]（authority-requests.html# Servlet-authority-filtersecurityptor）。")]),t._v(" "),r("p",[r("img",{attrs:{src:"https://docs.spring.io/spring-security/reference/_images/servlet/authorization/authorizationfilter.png",alt:"授权过滤器"}})]),t._v(" "),r("p",[t._v("图 1。授权 HttpServletRequest")]),t._v(" "),r("ul",[r("li",[r("p",[r("img",{attrs:{src:"https://docs.spring.io/spring-security/reference/_images/icons/number_1.png",alt:"number 1"}}),t._v("首先，"),r("code",[t._v("AuthorizationFilter")]),t._v("从"),r("RouterLink",{attrs:{to:"/authentication/architecture.html#servlet-authentication-securitycontextholder"}},[t._v("SecurityContextholder")]),t._v("得到"),r("RouterLink",{attrs:{to:"/authentication/architecture.html#servlet-authentication-authentication"}},[t._v("认证")]),t._v("。它将此包在"),r("code",[t._v("Supplier")]),t._v("中，以延迟查找。")],1)]),t._v(" "),r("li",[r("p",[r("img",{attrs:{src:"https://docs.spring.io/spring-security/reference/_images/icons/number_2.png",alt:"number 2"}}),t._v("秒，"),r("code",[t._v("AuthorizationFilter")]),t._v("从"),r("code",[t._v("HttpServletRequest")]),t._v("、"),r("code",[t._v("FilterInvocation")]),t._v("、")]),t._v("和"),r("code",[t._v("FilterInvocation")]),t._v("传递给["),r("code",[t._v("AuthorizationManager")]),t._v("]。")]),t._v(" "),r("ul",[r("li",[r("p",[r("img",{attrs:{src:"https://docs.spring.io/spring-security/reference/_images/icons/number_4.png",alt:"number 4"}}),t._v("如果拒绝授权，将抛出"),r("code",[t._v("AccessDeniedException")]),t._v("。在这种情况下，["),r("code",[t._v("ExceptionTranslationFilter")]),t._v("]（../architecture.html# Servlet-ExceptionTranslationFilter）处理"),r("code",[t._v("AccessDeniedException")]),t._v("。")])]),t._v(" "),r("li",[r("p",[r("img",{attrs:{src:"https://docs.spring.io/spring-security/reference/_images/icons/number_5.png",alt:"number 5"}}),t._v("如果访问被授予，"),r("code",[t._v("AuthorizationFilter")]),t._v("继续使用"),r("RouterLink",{attrs:{to:"/architecture.html#servlet-filters-review"}},[t._v("滤清链")]),t._v("，这允许应用程序正常处理。")],1)])])])]),t._v(" "),r("p",[t._v("通过按优先级顺序添加更多规则，我们可以将安全性配置为具有不同的规则。")]),t._v(" "),r("p",[t._v("例 2。授权请求")]),t._v(" "),r("p",[t._v("爪哇")]),t._v(" "),r("div",{staticClass:"language- extra-class"},[r("pre",{pre:!0,attrs:{class:"language-text"}},[r("code",[t._v('@Bean\nSecurityFilterChain web(HttpSecurity http) throws Exception {\n\thttp\n\t\t// ...\n\t\t.authorizeHttpRequests(authorize -> authorize (1)\n\t\t\t.mvcMatchers("/resources/**", "/signup", "/about").permitAll() (2)\n\t\t\t.mvcMatchers("/admin/**").hasRole("ADMIN") (3)\n\t\t\t.mvcMatchers("/db/**").access("hasRole(\'ADMIN\') and hasRole(\'DBA\')") (4)\n\t\t\t.anyRequest().denyAll() (5)\n\t\t);\n\n\treturn http.build();\n}\n')])])]),r("table",[r("thead",[r("tr",[r("th",[r("strong",[t._v("1")])]),t._v(" "),r("th",[t._v("指定了多个授权规则。"),r("br"),t._v("每个规则都按照它们被声明的顺序被考虑。")])])]),t._v(" "),r("tbody",[r("tr",[r("td",[r("strong",[t._v("2")])]),t._v(" "),r("td",[t._v("我们指定了任何用户都可以访问的多个 URL 模式。"),r("br"),t._v("具体来说，如果 URL 以“/resources/”开头，等于“/signup”或等于“/about”，则任何用户都可以访问请求。")])]),t._v(" "),r("tr",[r("td",[r("strong",[t._v("3")])]),t._v(" "),r("td",[t._v("任何以“/admin/”开头的 URL 都将被限制为具有角色“role_admin”的用户。"),r("br"),t._v("你将注意到，由于我们正在调用"),r("code",[t._v("hasRole")]),t._v("方法，因此我们不需要指定“role_”前缀。")])]),t._v(" "),r("tr",[r("td",[r("strong",[t._v("4")])]),t._v(" "),r("td",[t._v("任何以“/db/”开头的 URL 都要求用户同时具有“role_admin”和“role_DBA”。"),r("br"),t._v("你将注意到，由于我们使用的是"),r("code",[t._v("hasRole")]),t._v("表达式，因此我们不需要指定“role_”前缀。")])]),t._v(" "),r("tr",[r("td",[r("strong",[t._v("5")])]),t._v(" "),r("td",[t._v("任何尚未匹配的 URL 都将被拒绝访问。"),r("br"),t._v("如果你不想意外地忘记更新授权规则，这是一个很好的策略。")])])])]),t._v(" "),r("p",[t._v("你可以通过构建自己的["),r("code",[t._v("RequestMatcherDelegatingAuthorizationManager")]),t._v("]（architecture.html#authz-delegate-authorization-manager）来采用基于 Bean 的方法，如下所示：")]),t._v(" "),r("p",[t._v("例 3。配置 RequestMatcherDelegatingAuthorizationManager")]),t._v(" "),r("p",[t._v("爪哇")]),t._v(" "),r("div",{staticClass:"language- extra-class"},[r("pre",{pre:!0,attrs:{class:"language-text"}},[r("code",[t._v('@Bean\nSecurityFilterChain web(HttpSecurity http, AuthorizationManager access)\n throws AuthenticationException {\n http\n .authorizeHttpRequests((authorize) -> authorize\n .anyRequest().access(access)\n )\n // ...\n\n return http.build();\n}\n\n@Bean\nAuthorizationManager requestMatcherAuthorizationManager(HandlerMappingIntrospector introspector) {\n RequestMatcher permitAll =\n new AndRequestMatcher(\n new MvcRequestMatcher(introspector, "/resources/**"),\n new MvcRequestMatcher(introspector, "/signup"),\n new MvcRequestMatcher(introspector, "/about"));\n RequestMatcher admin = new MvcRequestMatcher(introspector, "/admin/**");\n RequestMatcher db = new MvcRequestMatcher(introspector, "/db/**");\n RequestMatcher any = AnyRequestMatcher.INSTANCE;\n AuthorizationManager manager = RequestMatcherDelegatingAuthorizationManager.builder()\n .add(permitAll, (context) -> new AuthorizationDecision(true))\n .add(admin, AuthorityAuthorizationManager.hasRole("ADMIN"))\n .add(db, AuthorityAuthorizationManager.hasRole("DBA"))\n .add(any, new AuthenticatedAuthorizationManager())\n .build();\n return (context) -> manager.check(context.getRequest());\n}\n')])])]),r("p",[t._v("你还可以为任何请求匹配器连接"),r("RouterLink",{attrs:{to:"/spring-security/architecture.html#authz-custom-authorization-manager"}},[t._v("你自己的自定义授权管理器")]),t._v("。")],1),t._v(" "),r("p",[t._v("下面是将自定义授权管理器映射到"),r("code",[t._v("my/authorized/endpoint")]),t._v("的示例：")]),t._v(" "),r("p",[t._v("例 4。自定义授权管理器")]),t._v(" "),r("p",[t._v("爪哇")]),t._v(" "),r("div",{staticClass:"language- extra-class"},[r("pre",{pre:!0,attrs:{class:"language-text"}},[r("code",[t._v('@Bean\nSecurityFilterChain web(HttpSecurity http) throws Exception {\n http\n .authorizeHttpRequests((authorize) -> authorize\n .mvcMatchers("/my/authorized/endpoint").access(new CustomAuthorizationManager());\n )\n // ...\n\n return http.build();\n}\n')])])]),r("p",[t._v("或者，你可以为所有请求提供它，如下所示：")]),t._v(" "),r("p",[t._v("例 5。所有请求的自定义授权管理器")]),t._v(" "),r("p",[t._v("爪哇")]),t._v(" "),r("div",{staticClass:"language- extra-class"},[r("pre",{pre:!0,attrs:{class:"language-text"}},[r("code",[t._v("@Bean\nSecurityFilterChain web(HttpSecurity http) throws Exception {\n http\n .authorizeHttpRequests((authorize) -> authorize\n .anyRequest.access(new CustomAuthorizationManager());\n )\n // ...\n\n return http.build();\n}\n")])])]),r("p",[r("RouterLink",{attrs:{to:"/spring-security/architecture.html"}},[t._v("授权体系结构")]),r("RouterLink",{attrs:{to:"/spring-security/authorize-requests.html"}},[t._v("使用 FilterSecurityInterceptor 授权 HTTP 请求")])],1)])}),[],!1,null,null,null);e.default=n.exports}}]);