How do you configure the `access()` method in Spring Security 6.x to restrict access to specific roles?
Posted: 2024-09-24 08:06:39 · Views: 27
In Spring Security 6.x you can configure an `AccessDecisionManager` and `AccessDecisionVoter` to restrict access to specific roles, either through `WebSecurityConfigurerAdapter` or through the more modern `SecurityWebFluxConfigurer` class. The basic steps are:
1. **Create a custom Voter**:
Create a class that implements the `AccessDecisionVoter` interface, for example `RoleBasedAccessVoter`, and have it check whether the user's roles match the required permission.
```java
import java.util.Collection;
import java.util.Set;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class RoleBasedAccessVoter implements AccessDecisionVoter<Object> {
    // required authorities, e.g. "ROLE_ADMIN" (Spring prefixes roles with "ROLE_")
    private final Set<String> requiredRoles;
    public RoleBasedAccessVoter(Set<String> requiredRoles) {
        this.requiredRoles = Set.copyOf(requiredRoles);
    }
    @Override
    public boolean supports(ConfigAttribute attribute) {
        return "ACCESS".equals(attribute.getAttribute());
    }
    @Override
    public boolean supports(Class<?> clazz) {
        return true; // vote on any kind of secured object
    }
    @Override
    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        if (attributes.stream().noneMatch(this::supports)) {
            return ACCESS_ABSTAIN; // not our attribute; let the other voters decide
        }
        if (authentication != null && authentication.isAuthenticated()) {
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                if (requiredRoles.contains(authority.getAuthority())) {
                    return ACCESS_GRANTED;
                }
            }
        }
        return ACCESS_DENIED; // authenticated caller holds none of the required roles
    }
}
```
2. **Add the Voter to the decision manager**:
In the `configure(HttpSecurity http)` method, register your Voter and configure the `AccessDecisionManager`.
```java
import java.util.List;
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
        return new InMemoryUserDetailsManager(User.withUsername("user")
                .password(passwordEncoder.encode("password"))
                .roles("USER", "ADMIN").build());
    }
    // Spring Security 6.x has no WebSecurityConfigurerAdapter; a SecurityFilterChain
    // bean takes the place of the adapter's configure(HttpSecurity) method.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // the voter from step 1; granted authorities carry the "ROLE_" prefix
        RoleBasedAccessVoter voter = new RoleBasedAccessVoter(Set.of("ROLE_ADMIN"));
        List<ConfigAttribute> attrs =
                org.springframework.security.access.SecurityConfig.createList("ACCESS");
        http
            .authorizeHttpRequests(auth -> auth
                // in 6.x access() takes an AuthorizationManager, so adapt the voter's int result
                .requestMatchers("/admin/**").access((authentication, context) ->
                    new AuthorizationDecision(voter.vote(authentication.get(),
                        context.getRequest(), attrs) == AccessDecisionVoter.ACCESS_GRANTED))
                .anyRequest().authenticated())
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .httpBasic(Customizer.withDefaults()); // stateless clients authenticate on every request
        return http.build();
    }
}
```
Here, requests to `"/admin/**"` are checked by `RoleBasedAccessVoter` for the administrator ("ADMIN") role.
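The following JUnit test is an added example, not part of the original answer; it pins down what the voter actually decides for an admin, for a user whose authority lacks the `ROLE_` prefix, and for an attribute the voter does not own. It assumes a `RoleBasedAccessVoter` that takes its required authorities through a constructor, compares them against `GrantedAuthority.getAuthority()`, and abstains on attributes it does not support (the contract `AccessDecisionVoter` expects).

```java
import static org.junit.jupiter.api.Assertions.assertEquals;

import java.util.List;
import java.util.Set;
import org.junit.jupiter.api.Test;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

class RoleBasedAccessVoterTest {
    // assumption: the voter receives the required authorities via its constructor
    private final RoleBasedAccessVoter voter = new RoleBasedAccessVoter(Set.of("ROLE_ADMIN"));
    private final List<ConfigAttribute> access = SecurityConfig.createList("ACCESS");

    private static Authentication user(String... authorities) {
        // TestingAuthenticationToken built with authorities is marked authenticated
        return new TestingAuthenticationToken("user", "n/a", authorities);
    }

    @Test
    void adminIsGranted() {
        assertEquals(AccessDecisionVoter.ACCESS_GRANTED,
                voter.vote(user("ROLE_USER", "ROLE_ADMIN"), new Object(), access));
    }

    @Test
    void authorityWithoutRolePrefixIsDenied() {
        // roles("ADMIN") in the config yields "ROLE_ADMIN"; a bare "ADMIN" authority does not match
        assertEquals(AccessDecisionVoter.ACCESS_DENIED,
                voter.vote(user("ROLE_USER", "ADMIN"), new Object(), access));
    }

    @Test
    void unrelatedAttributeAbstains() {
        // abstaining (not denying) leaves the decision to the voters that own the attribute
        assertEquals(AccessDecisionVoter.ACCESS_ABSTAIN,
                voter.vote(user("ROLE_ADMIN"), new Object(), SecurityConfig.createList("OTHER")));
    }
}
```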