如何使用 Spring Security 根据用户对 URL 的访问来显示 JSP 内容

发布于 2024-11-09 10:08:06 字数 879 浏览 0 评论 0原文

如果你想根据用户对一个或多个 URL 的访问来显示 JSP 页面中的内容，那么基于用户对一个 URL 的访问很容易做到：

<sec:authorize url="/someurl">
    <!-- show content, if someurl is accessible -->
</sec:authorize>

但是，有时根据某些布尔表达式来显示内容可能会很方便用户可访问的 URL，类似于（不正确）：

<sec:authorize url="!'/someurl'">
    <!-- show content, if someurl is inaccessible -->
</sec:authorize>

或

<sec:authorize url="'/someurl1' and '/someurl2'">
    <!-- show content, if someurl1 and someurl2 are accessible -->
</sec:authorize>

到目前为止，我想出了一个肮脏的解决方案，使用 Spring EL 构造和自定义类中的静态方法：

<sec:authorize access="!T(my.package.MyClass).isAccessibleToUser('/someurl')">
    <!-- show content, if someurl is inaccessible -->
</sec:authorize>

是否有一些更优雅的方法来实现此目的？

原文

If you want to show content in JSP page based on user's access to one or more URLs, it is easy to do based on user's access to one URL:

<sec:authorize url="/someurl">
    <!-- show content, if someurl is accessible -->
</sec:authorize>

However, sometimes it may come to be handy to show content based on some boolean expression on user's accessible URL, something like (incorrect):

<sec:authorize url="!'/someurl'">
    <!-- show content, if someurl is inaccessible -->
</sec:authorize>

<sec:authorize url="'/someurl1' and '/someurl2'">
    <!-- show content, if someurl1 and someurl2 are accessible -->
</sec:authorize>

So far I have come up with a dirty solution using Spring EL construct with a static method in a custom class:

<sec:authorize access="!T(my.package.MyClass).isAccessibleToUser('/someurl')">
    <!-- show content, if someurl is inaccessible -->
</sec:authorize>

Is there some more elegant way to achieve this?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

浅紫色的梦幻 2024-11-16 10:08:06

我只是将该逻辑放在与页面关联的控制器中，而不是将其全部塞在前端，或者如果您使用 Spring MVC，更好的解决方案是创建一个 RequestInterceptor 类。

public class RequestInterceptor extends HandlerInterceptorAdapter {
    @Override
        public void postHandle(
            HttpServletRequest request,
            HttpServletResponse response,
            Object handler,
            ModelAndView modelAndView) throws Exception {

            // logic here that checks if the user can see something
            modelAndView.addObject("canUserSeeSection", abooleanvalue);

            super.postHandle(request, response, handler, modelAndView);
        }
    }
}

然后在你的前端，你可以摆脱标准 JSP if 标签使用

<c:if test="${canUserSeeSection}" ...

同样的想法也应该适用于 SpringSecurity 标签。

I would just put that logic in the controller being associated with the page instead of cramming it all in on the frontend, or if you're using Spring MVC, the better solution would be to create a RequestInterceptor class .

public class RequestInterceptor extends HandlerInterceptorAdapter {
    @Override
        public void postHandle(
            HttpServletRequest request,
            HttpServletResponse response,
            Object handler,
            ModelAndView modelAndView) throws Exception {

            // logic here that checks if the user can see something
            modelAndView.addObject("canUserSeeSection", abooleanvalue);

            super.postHandle(request, response, handler, modelAndView);
        }
    }
}

and then in your frontend you can get away with standard JSP if tags using