iT邦幫忙

DAY 26
1

無痛學習SpringMVC與Spring Security系列 第 26

[Security]Method-Level Security(I)-@PreAuthorize的使用

  • 分享至 

  • xImage
  •  

之前對於網頁的安全保護僅只於URL所對應的頁面,書中的術語稱作Page-Level Authorization,但URL Security Rule仍有漏洞,如在http.authorizeRequests()未考慮所有URL的存取權限或是使用者要求的資訊是data等web service,如JSON格式的資料,在之前的安全規則要存取"/DCN"必須通過驗證,但如果我們在網址列直接打入http://localhost:8080/SpringMVC/dcn.json,畫面如下,結果竟然不需驗證就可以得到JSON格式的資料

.antMatchers("/dcn/**") //對象為所有網址
.authenticated() //存取必須通過驗證

根本之道為在Service層加入Security Rules,也就是今天要分享的@PreAuthorize Annotation,@PreAuthorize是宣告於Method之上,參數為允許存取的條件,通常宣告於介面上,這樣相關的實作也會套用其規則,針對"/DCN",追溯到DAO,其實是List<DCN> findAll(),故修改DCNRepository介面code如下。

public interface DCNRepository{
	void save(DCN dcn);
	
	@PreAuthorize("hasRole('ROLE_USER')")
	List<DCN> findAll();
	DCN findByNo(String dcnNo);
	DCN findByNoAndRev(String dcnNo, Integer rev);
}

接著我們需要Enable Method Security,在故要在SecurityConfig中加入@EnableGlobalMethodSecurity(prePostEnabled=true)並宣告DCNRepository bean,修改後的SecurityConfig如下

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
	
	......

	@Bean
	public DCNRepository dcnRepository(){
		return new DCNRepositoryImp();
	}
}

啟動Server,在網址列打入http://localhost:8080/SpringMVC/dcn.json,則會要求登入,因為產生MethodSecurityInterceptor丟出例外,Console log如下,顯示存取被拒:

07:32:00 [http-nio-8080-exec-7] DispatcherServlet - DispatcherServlet with name 'dispatcher' processing GET request for [/SpringMVC/dcn.json]
07:32:00 [http-nio-8080-exec-7] RequestMappingHandlerMapping - Looking up handler method for path /dcn.json
07:32:00 [http-nio-8080-exec-7] RequestMappingHandlerMapping - Returning handler method [public java.lang.String tw.blogger.springtech.springmvc.controller.DCNController.DCNList(org.springframework.ui.Model)]
07:32:00 [http-nio-8080-exec-7] DispatcherServlet - Last-Modified value for [/SpringMVC/dcn.json] is: -1
07:32:00 [http-nio-8080-exec-7] MonitorInterceptor - Accessing URL Path:/SpringMVC/dcn.json
07:32:00 [http-nio-8080-exec-7] MonitorInterceptor - Request processing started on:10/25/2014 at 07:32:00
07:32:00 [http-nio-8080-exec-7] ExceptionHandlerExceptionResolver - Resolving exception from handler [public java.lang.String tw.blogger.springtech.springmvc.controller.DCNController.DCNList(org.springframework.ui.Model)]: org.springframework.security.access.AccessDeniedException: Access is denied
07:32:00 [http-nio-8080-exec-7] ResponseStatusExceptionResolver - Resolving exception from handler [public java.lang.String tw.blogger.springtech.springmvc.controller.DCNController.DCNList(org.springframework.ui.Model)]: org.springframework.security.access.AccessDeniedException: Access is denied
07:32:00 [http-nio-8080-exec-7] DefaultHandlerExceptionResolver - Resolving exception from handler [public java.lang.String tw.blogger.springtech.springmvc.controller.DCNController.DCNList(org.springframework.ui.Model)]: org.springframework.security.access.AccessDeniedException: Access is denied
07:32:00 [http-nio-8080-exec-7] MonitorInterceptor - Total time taken for processing164 ms
07:32:00 [http-nio-8080-exec-7] MonitorInterceptor - ========================================
07:32:00 [http-nio-8080-exec-7] DispatcherServlet - Could not complete request
org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:60)

明天繼續


上一篇
[Security]密碼加密及自訂存取被拒網頁(403)
下一篇
[Security]Method-Level Security(II)-@PostFilter篩選輸出條件
系列文
無痛學習SpringMVC與Spring Security31
圖片
  直播研討會
圖片
{{ item.channelVendor }} {{ item.webinarstarted }} |
{{ formatDate(item.duration) }}
直播中

尚未有邦友留言

立即登入留言