编程语言
首页 > 编程语言> > java – 为Spring安全添加过滤器以实现多租户

java – 为Spring安全添加过滤器以实现多租户

作者:互联网

我需要更新我的Spring Security配置以引入多租户管理(我获取每个Web请求的URL,并通过配置文件检索正确的架构).
所以我添加一个过滤器(因为处理程序,登录页面没有正确的模式,因为处理程序在spring安全性之后被调用)到我的spring安全配置但是现在我抓住了URL,设置了模式,但页面仍然是空的并且没有重定向到登录页面,如果我写/登录没有HTML页面出现.

这就是我配置弹簧安全性的方法:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;
    @Autowired
    private RoleServices roleServices;
    @Autowired
    private CustomSuccessHandler customSuccessHandler;

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth)throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
        .passwordEncoder(passwordEncoder())
        .usersByUsernameQuery("select username,password,enabled from user where username=?")
        .authoritiesByUsernameQuery("select u.username, CONCAT('ROLE_' , r.role) from user u inner join role r on u.idRole = r.idRole where lower(u.username) = lower(?)");
    }

    @Bean
    public PasswordEncoder passwordEncoder(){
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
        //Spring Security ignores request to static resources such as CSS or JS files.
        .ignoring()
        .antMatchers("/static/**","/users/{\\d+}/password/recover","/users/{\\d+}/token/{\\d+}/password/temporary")
        .antMatchers(HttpMethod.PUT,"/users/{\\d+}/token/{\\d+}/password/temporary");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        List<Role> roles=roleServices.getRoles();
        //Retrieve array of roles(only string field without id)
        String[] rolesArray = new String[roles.size()];
        int i=0;
        for (Role role:roles){
            rolesArray[i++] = role.getRole();
        }

        http
           .authorizeRequests() //Authorize Request Configuration
           .anyRequest().hasAnyRole(rolesArray)//.authenticated()
        .and()//Login Form configuration for all others
           .formLogin()
           .loginPage("/login").successHandler(customSuccessHandler)
        //important because otherwise it goes in a loop because login page require authentication and authentication require login page
           .permitAll()
        .and()
           .exceptionHandling().accessDeniedPage("/403")
        .and()
           .logout()
           .logoutSuccessUrl("/login?logout")
           .deleteCookies("JSESSIONID", "JSESSIONID")
           .invalidateHttpSession(true)
           .permitAll()
        .and()
           .sessionManagement().invalidSessionUrl("/login")
        .and()
           .addFilterAfter(new MultiTenancyInterceptor(), BasicAuthenticationFilter.class);

            }
        }

我添加了MultiTenancyInterceptor过滤器,我设置了租户

@Component
public class MultiTenancyInterceptor extends OncePerRequestFilter   {

    @Override
    public void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response,
            FilterChain filterChain)
            throws IOException, ServletException {  
        String url = request.getRequestURL().toString();
        URI uri;
        try {
            uri = new URI(url);
            String domain = uri.getHost();
            if(domain!=null){
                TenantContext.setCurrentTenant(domain);
            }   
        } catch (URISyntaxException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

    }   
}

但是当我写登录页面的控制器时没有收到电话:

@Override
@RequestMapping(value = { "/login" }, method = RequestMethod.GET)
public String loginPage(){
    return "login";
}

你在我的配置方法中看到错误吗?如果您需要更多信息,我可以添加其他类.谢谢
PS:我注意到每个页面请求都会调用doFilter两次

解决方法:

最好的方法是实现Filter inteface并执行一些url逻辑,然后使用filterChain.doFilter(request,response)将其转发到下一个操作;
确保在web.xml中添加此过滤器.

无论哪种方式,您都可以使用spring org.springframework.web.servlet.handler.HandlerInterceptorAdapter来处理http请求的前后处理. Spring内部转发到下一个控制器请求方法.

示例:https://www.mkyong.com/spring-mvc/spring-mvc-handler-interceptors-example/

标签:java,spring-mvc,spring,spring-security,multi-tenant
来源: https://codeday.me/bug/20190705/1389334.html