1、功能实现

1.开启基于方法的安全认证机制
2.自定义实现细粒度的权限控制

2、security03 子工程

学习本篇前最好对入门篇有所了解

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><parent><groupId>com.yzm</groupId><artifactId>security</artifactId><version>0.0.1-SNAPSHOT</version><relativePath>../pom.xml</relativePath> <!-- lookup parent from repository --></parent><artifactId>security03</artifactId><version>0.0.1-SNAPSHOT</version><packaging>jar</packaging><name>security03</name><description>Demo project for Spring Boot</description><dependencies><dependency><groupId>com.yzm</groupId><artifactId>common</artifactId><version>0.0.1-SNAPSHOT</version></dependency></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId></plugin></plugins></build></project>

application.yml

spring:datasource:driver-class-name: com.mysql.cj.jdbc.Driverurl: jdbc:mysql://192.168.192.128:3306/testdb?useUnicode=true&characterEncoding=utf8&useSSL=false&allowMultiQueries=true&zeroDateTimeBehavior=convertToNull&serverTimezone=Asia/Shanghaiusername: rootpassword: 1234# 启动时提示需要这个，加上就好了main:allow-bean-definition-overriding: truemybatis-plus:mapper-locations: classpath:/mapper/*Mapper.xmltype-aliases-package: com.yzm.security03.entityconfiguration:map-underscore-to-camel-case: truelog-impl: org.apache.ibatis.logging.stdout.StdOutImpl

3、自定义UserDetailsService 实现类

package com.yzm.security03.config;import com.yzm.security03.entity.Role;
import com.yzm.security03.entity.User;
import com.yzm.security03.service.RoleService;
import com.yzm.security03.service.UserService;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;/*** 自定义UserDetailsService，重写loadUserByUsername方法，查询数据库获取用户信息和权限信息* Spring Security进行用户认证时，需要根据用户的账号、密码、权限等信息进行认证，* 因此，需要根据查询到的用户信息封装成一个认证用户对象并交给Spring Security进行认证。* 查询用户信息并封装成认证用户对象的过程是在UserDetailsService接口的实现类（需要用户自己实现）中完成的*/
@Service
public class SecUserDetailsServiceImpl implements UserDetailsService {private final UserService userService;private final RoleService roleService;public SecUserDetailsServiceImpl(UserService userService, RoleService roleService) {this.userService = userService;this.roleService = roleService;}@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {User user = userService.lambdaQuery().eq(User::getUsername, username).one();if (user == null) {throw new UsernameNotFoundException(String.format("用户'%s'不存在", username));}List<Integer> roleIds = Arrays.stream(user.getRIds().split(",")).map(Integer::parseInt).collect(Collectors.toList());List<Role> roleList = roleService.listByIds(roleIds);List<SimpleGrantedAuthority> authorities = roleList.stream().map(Role::getRName).distinct().map(SimpleGrantedAuthority::new).collect(Collectors.toList());return new SecUserDetails(username, user.getPassword(), authorities, roleIds);}
}

由于我需要一些自定义的属性信息，默认org.springframework.security.core.userdetails.User满足不了需求，所以自定义了SecUserDetails 继承User，为后面使用细粒度权限作准备

package com.yzm.security03.config;import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;import java.util.Collection;
import java.util.List;
import java.util.Set;/*** 自定义 安全用户模型* loadUserByUsername 的返回值是UserDetails，这是一个接口，* 可以使用它的子类org.springframework.security.core.userdetails.User* 也可以自定义一个，新增一些自定义的东西*/
public class SecUserDetails extends User {private static final long serialVersionUID = 3033317408164827323L;// 自定义属性private List<Integer> roleIds;private Set<String> permissions;public SecUserDetails(String username, String password, Collection<? extends GrantedAuthority> authorities) {this(username, password, true, true, true, true, authorities);}public SecUserDetails(String username, String password, Collection<? extends GrantedAuthority> authorities, List<Integer> roleIds) {this(username, password, true, true, true, true, authorities);this.roleIds = roleIds;}public SecUserDetails(String username, String password, Collection<? extends GrantedAuthority> authorities, Set<String> permissions) {this(username, password, true, true, true, true, authorities);this.permissions = permissions;}public SecUserDetails(String username,String password,boolean enabled,boolean accountNonExpired,boolean credentialsNonExpired,boolean accountNonLocked,Collection<? extends GrantedAuthority> authorities) {super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);}public List<Integer> getRoleIds() {return roleIds;}public void setRoleIds(List<Integer> roleIds) {this.roleIds = roleIds;}public Set<String> getPermissions() {return permissions;}public void setPermissions(Set<String> permissions) {this.permissions = permissions;}
}

4、SecurityConfig 配置类

开启注解 @EnableGlobalMethodSecurity(prePostEnabled = true)

package com.yzm.security03.config;import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;@Slf4j
@Configuration
@EnableWebSecurity // 开启Security服务
@EnableGlobalMethodSecurity(prePostEnabled = true) // 开启全局注解
public class SecurityConfig extends WebSecurityConfigurerAdapter {private final UserDetailsService userDetailsService;private final SecPermissionEvaluator permissionEvaluator;public SecurityConfig(@Qualifier("secUserDetailsServiceImpl") UserDetailsService userDetailsService, SecPermissionEvaluator permissionEvaluator) {this.userDetailsService = userDetailsService;this.permissionEvaluator = permissionEvaluator;}/*** 密码编码器* passwordEncoder.encode是用来加密的,passwordEncoder.matches是用来解密的*/@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}/*** 配置用户* 指定默认从哪里获取认证用户的信息，即指定一个UserDetailsService接口的实现类*/@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {// 从数据库读取用户、并使用密码编码器解密auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());}//配置资源权限规则@Overrideprotected void configure(HttpSecurity http) throws Exception {http// 关闭CSRF跨域.csrf().disable()// 登录.formLogin().loginPage("/auth/login") //指定登录页的路径，默认/login.loginProcessingUrl("/login") //指定自定义form表单请求的路径(必须跟login.html中的form action=“url”一致).defaultSuccessUrl("/home", true) // 登录成功后的跳转url地址.failureUrl("/auth/login?error") // 登录失败后的跳转url地址.permitAll().and().exceptionHandling().accessDeniedPage("/401") // 拒接访问跳转页面.and()// 退出登录.logout().permitAll().and()// 访问路径URL的授权策略，如注册、登录免登录认证等.authorizeRequests().antMatchers("/", "/home", "/register", "/auth/login").permitAll() //指定url放行.anyRequest().authenticated() //其他任何请求都需要身份认证.and();}
}

5、注解使用

@PreAuthorize(“hasAuthority(‘ROLE_ADMIN’)”)
@PreAuthorize(“hasAnyRole(‘ADMIN’,‘USER’)”)

package com.yzm.security03.controller;import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;@RestController
@RequestMapping("/admin")
@PreAuthorize("hasAuthority('ROLE_ADMIN')")
public class AdminController {@GetMappingpublic Object admin(@AuthenticationPrincipal UserDetails userDetails) {return userDetails;}@GetMapping("/select")public Object select() {return "Select";}@GetMapping("/create")public Object create() {return "Create";}@GetMapping("/update")public Object update() {return "Update";}@GetMapping("/delete")public Object delete() {return "Delete";}
}

package com.yzm.security03.controller;import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;@RestController
@RequestMapping("/user")
@PreAuthorize("hasAnyRole('ADMIN','USER')")
public class UserController {@GetMappingpublic Object user(@AuthenticationPrincipal UserDetails userDetails) {return userDetails;}...@GetMapping("/delete")public Object delete() {return "Delete";}
}

6、html 页面

参考上一篇入门篇

7、测试注解

启动项目，登录yzm，访问 /user/** 接口

admin可以访问所有接口

8、细粒度权限控制@PreAuthorize(“hasPermission()”)

目前演示都是基于角色进行授权的，如果要角色role跟权限permission一起使用，就需要我们自定义了
SecPermissionEvaluator 实现 PermissionEvaluator 重写 hasPermission()

package com.yzm.security03.config;import com.yzm.security03.entity.Permissions;
import com.yzm.security03.entity.Role;
import com.yzm.security03.service.PermissionsService;
import com.yzm.security03.service.RoleService;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;/*** 细粒度的权限控制*/
@Slf4j
@Component
public class SecPermissionEvaluator implements PermissionEvaluator {private final RoleService roleService;private final PermissionsService permissionsService;public SecPermissionEvaluator(RoleService roleService, PermissionsService permissionsService) {this.roleService = roleService;this.permissionsService = permissionsService;}@Overridepublic boolean hasPermission(Authentication authentication, Object targetUrl, Object targetPermission) {log.info("hasPermission 方法执行");// 获得loadUserByUsername()方法的结果SecUserDetails userDetails = (SecUserDetails) authentication.getPrincipal();// 获得loadUserByUsername()中注入的角色//Collection<GrantedAuthority> authorities = userDetails.getAuthorities();// 拿到SecUserDetails 自定义的roleIds值List<Integer> roleIds = userDetails.getRoleIds();// 查询角色对应的权限id信息List<Role> roles = roleService.listByIds(roleIds);Set<Integer> permIds = new HashSet<>();roles.forEach(role -> {Set<Integer> collect = Arrays.stream(role.getPIds().split(",")).map(Integer::parseInt).collect(Collectors.toSet());permIds.addAll(collect);});List<Permissions> perms = permissionsService.listByIds(permIds);String permission = (String) targetUrl + ":" + (String) targetPermission;for (Permissions perm : perms) {// 如果访问的Url和权限用户符合的话，返回trueif (permission.equals(perm.getPName())) {return true;}}return false;}@Overridepublic boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {return false;}}

SecurityConfig中把自定义SecPermissionEvaluator交给Security管理

    /*** 注入自定义PermissionEvaluator*/@Beanpublic DefaultWebSecurityExpressionHandler webSecurityExpressionHandler() {DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();handler.setPermissionEvaluator(permissionEvaluator);return handler;}

使用@PreAuthorize(“hasPermission(’’,’’)”)

package com.yzm.security03.controller;import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;@RestController
@RequestMapping("/admin")
@PreAuthorize("hasAuthority('ROLE_ADMIN')")
public class AdminController {@GetMapping("/select")@PreAuthorize("hasPermission('admin','select')")public Object select() {return "Select";}@GetMapping("/create")public Object create() {return "Create";}@GetMapping("/update")public Object update() {return "Update";}@GetMapping("/delete")@PreAuthorize("hasPermission('admin','delete')")public Object delete() {return "Delete";}
}

package com.yzm.security03.controller;import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;@RestController
@RequestMapping("/user")
@PreAuthorize("hasAnyRole('ADMIN','USER')")
public class UserController {@GetMapping("/select")@PreAuthorize("hasPermission('user','select')")public Object select() {return "Select";}@GetMapping("/create")public Object create() {return "Create";}@GetMapping("/update")public Object update() {return "Update";}@GetMapping("/delete")@PreAuthorize("hasPermission('user','delete')")public Object delete() {return "Delete";}
}

9、测试细粒度权限

登录yzm，/user/select、/user/delete时会打印日志，并且由于/user/delete没有权限，拒绝访问

Security之注解篇

1、功能实现

2、security03 子工程

3、自定义UserDetailsService 实现类

4、SecurityConfig 配置类

5、注解使用

6、html 页面

7、测试注解

8、细粒度权限控制@PreAuthorize(“hasPermission()”)

9、测试细粒度权限

相关链接

Security之注解篇相关推荐

最新文章

热门文章