spring boot+freemarker+spring security标签权限判断
SpringBoot+SpringSecurity+Freemarker项目中在页面上使用security标签控制按钮显示隐藏达到对按钮级权限控制还是比较方便的,如下配置即可。
1、引入依赖
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
</dependency> <dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.2.1-b03</version>
</dependency>
2、依赖引入后到spring-security-taglibs包中META-INF下security.tld复制出来,放到/resources/下,最后建一个目录tags,如下:
3、建一个配置类:ClassPathTldsLoader.java
import java.util.Arrays;
import java.util.List; import javax.annotation.PostConstruct; import org.apache.commons.lang.ArrayUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer; public class ClassPathTldsLoader { /**
* 指定路径
*/
private static final String SECURITY_TLD = "/security.tld"; final private List<String> classPathTlds; public ClassPathTldsLoader(String... classPathTlds) {
super();
if(ArrayUtils.isEmpty(classPathTlds)){
this.classPathTlds = Arrays.asList(SECURITY_TLD);
}else{
this.classPathTlds = Arrays.asList(classPathTlds);
}
}
@Autowired
private FreeMarkerConfigurer freeMarkerConfigurer; @PostConstruct
public void loadClassPathTlds() {
freeMarkerConfigurer.getTaglibFactory().setClasspathTlds(classPathTlds);
}
}
4.然后在网站配置文件SecurityConfig.java中加入bean
/**
* 自动加载security-taglibs
* @return
*/
@Bean
@ConditionalOnMissingBean(ClassPathTldsLoader.class)
public ClassPathTldsLoader classPathTldsLoader(){
return new ClassPathTldsLoader();
}
参考:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder; @EnableWebSecurity
//启用全局post安全方法设置
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SecurityConfig extends WebSecurityConfigurerAdapter { private static final String key = "muyang.my"; @Autowired
private UserDetailsService userDetailsService; @Bean
public PasswordEncoder passwordEncoder()
{
return new BCryptPasswordEncoder(); } @Bean
public AuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(userDetailsService);
//密码加密方式
authenticationProvider.setPasswordEncoder(passwordEncoder());
return authenticationProvider; } @Override
protected void configure(HttpSecurity http) throws Exception {
// TODO Auto-generated method stub
//super.configure(http);
//关闭csrf验证:跨站攻击
//http.csrf().disable();
//权限设置
http.authorizeRequests() //定义那些url需要保护,哪些不需要保护
.antMatchers("/static/**").permitAll() //都可以访问
.antMatchers("/user/**").hasRole("ADMIN") //需要登陆才能访问
.and()
.headers().frameOptions().disable() //解决js跨站把x-frame-options disable即可
.and()
.formLogin() //基于FORM表单登陆验证
.loginPage("/login").failureUrl("/login-error") //自定义登陆界面//自定义登陆错误页面
.and().rememberMe().key(key) //记住我
.and().exceptionHandling().accessDeniedPage("/403"); // 处理异常,拒绝访问就重定向到 403 页面
} /**
* 认证信息管理
* @param auth
* @throws Exception
*/
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// TODO Auto-generated method stub
//super.configure(auth);
//auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN");
auth.userDetailsService(userDetailsService);
auth.authenticationProvider(authenticationProvider());
} /**
* 自动加载security-taglibs
* @return
*/
@Bean
@ConditionalOnMissingBean(ClassPathTldsLoader.class)
public ClassPathTldsLoader classPathTldsLoader(){
return new ClassPathTldsLoader();
} }
5、在freemarker页面顶部引入标签
<#assign security=JspTaglibs["http://www.springframework.org/security/tags"] />
使用标签
<@security.authorize access="hasRole('ADMIN')">
222
</@security.authorize>
6.或者
<%@taglib uri="http://www.springframework.org/security/tags" prefix="sec"%>
<sec:authorize access="isAuthenticated()">
<% response.sendRedirect("main"); %>
</sec:authorize>