摘要:序本文就來介紹一下如何使用進(jìn)行賬戶切換順序內(nèi)置的各種可以看到是提供的里頭順序在最后的一個(gè)�。前面講到了主要用來進(jìn)行鑒權(quán)處理�,而是用來做賬戶切換的,把它放在之后����,是要求對(duì)切換用戶的功能進(jìn)行鑒權(quán)���,否則任何人都可以隨意切換用戶,那就安全故障了���。
序
本文就來介紹一下如何使用SwitchUserFilter進(jìn)行賬戶切換
filter順序
spring security內(nèi)置的各種filter:
| Alias |
Filter Class |
Namespace Element or Attribute |
| CHANNEL_FILTER |
ChannelProcessingFilter |
http/intercept-url@requires-channel |
| SECURITY_CONTEXT_FILTER |
SecurityContextPersistenceFilter |
http |
| CONCURRENT_SESSION_FILTER |
ConcurrentSessionFilter |
session-management/concurrency-control |
| HEADERS_FILTER |
HeaderWriterFilter |
http/headers |
| CSRF_FILTER |
CsrfFilter |
http/csrf |
| LOGOUT_FILTER |
LogoutFilter |
http/logout |
| X509_FILTER |
X509AuthenticationFilter |
http/x509 |
| PRE_AUTH_FILTER |
AbstractPreAuthenticatedProcessingFilter Subclasses |
N/A |
| CAS_FILTER |
CasAuthenticationFilter |
N/A |
| FORM_LOGIN_FILTER |
UsernamePasswordAuthenticationFilter |
http/form-login |
| BASIC_AUTH_FILTER |
BasicAuthenticationFilter |
http/http-basic |
| SERVLET_API_SUPPORT_FILTER |
SecurityContextHolderAwareRequestFilter |
http/@servlet-api-provision |
| JAAS_API_SUPPORT_FILTER |
JaasApiIntegrationFilter |
http/@jaas-api-provision |
| REMEMBER_ME_FILTER |
RememberMeAuthenticationFilter |
http/remember-me |
| ANONYMOUS_FILTER |
AnonymousAuthenticationFilter |
http/anonymous |
| SESSION_MANAGEMENT_FILTER |
SessionManagementFilter |
session-management |
| EXCEPTION_TRANSLATION_FILTER |
ExceptionTranslationFilter |
http |
| FILTER_SECURITY_INTERCEPTOR |
FilterSecurityInterceptor |
http |
| SWITCH_USER_FILTER |
SwitchUserFilter |
N/A |
可以看到SwitchUserFilter是spring security提供的filter里頭order順序在最后的一個(gè)���。前面講到了FilterSecurityInterceptor主要用來進(jìn)行鑒權(quán)處理,而SwitchUserFilter是用來做賬戶切換的�����,把它放在FilterSecurityInterceptor之后����,是要求對(duì)切換用戶的功能進(jìn)行鑒權(quán),否則任何人都可以隨意切換用戶��,那就安全故障了���。
config
@EnableWebSecurity
@EnableGlobalMethodSecurity(
securedEnabled = true,
jsr250Enabled = true,
prePostEnabled = true
)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public SwitchUserFilter switchUserFilter(UserDetailsService userDetailsService) throws Exception {
SwitchUserFilter switchUserFilter = new SwitchUserFilter();
switchUserFilter.setUserDetailsService(userDetailsService);
switchUserFilter.setTargetUrl("/session");
return switchUserFilter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//Each namespace block always creates an SecurityContextPersistenceFilter, an ExceptionTranslationFilter and a FilterSecurityInterceptor. These are fixed and cannot be replaced with alternatives.
http
.addFilterAfter(switchUserFilter(userDetailsService()),FilterSecurityInterceptor.class)
.exceptionHandling().authenticationEntryPoint(new UnauthorizedEntryPoint())
.and()
.csrf().disable()
.authorizeRequests()
.antMatchers("/login","/css/**", "/js/**","/fonts/**").permitAll()
.antMatchers("/session").authenticated()
.antMatchers("/login/impersonate").hasAuthority("ROLE_ADMIN")
.antMatchers("/logout/impersonate").hasAuthority(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR)
.and()
.formLogin()
.permitAll()
.and()
.logout()
.deleteCookies("JSESSIONID")
.permitAll();
}
@Bean
@Override
protected UserDetailsService userDetailsService(){
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("demoUser1").password("123456")
.authorities("ROLE_USER","read_x").build());
manager.createUser(User.withUsername("admin").password("123456")
.authorities("ROLE_ADMIN").build());
return manager;
}
}
SwitchUserFilter默認(rèn)的切換賬號(hào)的url為/login/impersonate��,默認(rèn)注銷切換賬號(hào)的url為/logout/impersonate���,默認(rèn)的賬號(hào)參數(shù)為username
使用
上面的配置為了方便驗(yàn)證��,把切換完用戶的targetUrl設(shè)置為/session�,其代碼如下
@RestController
@RequestMapping("/session")
public class SessionController {
@GetMapping("")
public Object getCurrentUser(){
return SecurityContextHolder.getContext().getAuthentication();
}
}
首先用普通用戶登錄��,訪問http://localhost:8080/login/impersonate?username=admin��,發(fā)現(xiàn)返回403
注銷�����,使用管理員登錄��,訪問http://localhost:8080/login/impersonate?username=demoUser1�,發(fā)現(xiàn)成功并跳轉(zhuǎn)到session
{
"authorities": [
{
"authority": "ROLE_USER"
},
{
"authority": "read_x"
},
{
"source": {
"authorities": [
{
"authority": "ROLE_ADMIN"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": null
},
"authenticated": true,
"principal": {
"password": null,
"username": "admin",
"authorities": [
{
"authority": "ROLE_ADMIN"
}
],
"accountNonExpired": true,
"accountNonLocked": true,
"credentialsNonExpired": true,
"enabled": true
},
"credentials": null,
"name": "admin"
},
"authority": "ROLE_PREVIOUS_ADMINISTRATOR"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "1BF3D6F40A6F488EFD3ABE8F80E52872"
},
"authenticated": true,
"principal": {
"password": "123456",
"username": "demoUser1",
"authorities": [
{
"authority": "ROLE_USER"
},
{
"authority": "read_x"
}
],
"accountNonExpired": true,
"accountNonLocked": true,
"credentialsNonExpired": true,
"enabled": true
},
"credentials": "123456",
"name": "demoUser1"
}
可以發(fā)現(xiàn)有成功切換
之后再切換回來
http://localhost:8080/logout/impersonate?username=demoUser1
{
"authorities": [
{
"authority": "ROLE_ADMIN"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": null
},
"authenticated": true,
"principal": {
"password": null,
"username": "admin",
"authorities": [
{
"authority": "ROLE_ADMIN"
}
],
"accountNonExpired": true,
"accountNonLocked": true,
"credentialsNonExpired": true,
"enabled": true
},
"credentials": null,
"name": "admin"
}
可以發(fā)現(xiàn)切換回來了,是不是非常神奇����,太強(qiáng)大了,以后線上排查問題之類的���,非常方便�����,爽歪歪了簡(jiǎn)直
異常情況
如果你切換了不存在的用戶��,則報(bào)
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Sat Dec 16 14:36:28 CST 2017
There was an unexpected error (type=Unauthorized, status=401).
Authentication Failed: demoUser2
小結(jié)
SwitchUserFilter是個(gè)強(qiáng)大的filter��,非常方便測(cè)試環(huán)境進(jìn)行調(diào)試�����、測(cè)試����,甚至可以用來進(jìn)行上線問題排查�����。
文章版權(quán)歸作者所有����,未經(jīng)允許請(qǐng)勿轉(zhuǎn)載,若此文章存在違規(guī)行為,您可以聯(lián)系管理員刪除�。
轉(zhuǎn)載請(qǐng)注明本文地址:http://systransis.cn/yun/11321.html
