devbox
码创造者
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

SpringBoot集成Security实现权限控制_springboot security权限控制

作者:码创造者 | 2024-07-01 00:22:47

springboot security权限控制

SpringSecurity简介

认证+授权

主要有两个主要功能:“认证”,是建立一个他声明的主体的过程(一个“主体”一般是指用户,设备或一些可以在你的应用程序中执行动作的其他系统),通俗点说就是系统认为用户是否能登录。一般在拦截器中进行拦截用户信息进行认证。 “授权"指确定一个主体是否允许在你的应用程序执行一个动作的过程,一般是在Security中进行接口权限配置,查看用户是否具有对应接口权限。通俗点讲就是系统判断用户是否有权限去做某些事情。

相应语法:

.successForwardUrl()登录成功后跳转地址

.loginPage()登录页面

.loginProcessingurl登录页面表单提交地址,此地址可以不真实存在。

antMatchers():匹配内容permitAll():允许

1. 添加依赖

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

2. 认证

SpringSecurty提供了多种验证方法,本次采用用户名/密码的方式进行验证。所以需要实现UserDetailsService接口中的loadUserByUserName方法,从数据库中查找对应的数据然后与用户输入数据进行对比,所以需要返回一个UserDetails对象。

2.1. 实现UserDetails和UserDetailsService接口

本项目中使用student作为用户表,同时使用type作为权限标识

2.1.1 将student用户类继承UserDetails接口

  1. import com.baomidou.mybatisplus.annotation.IdType;
  2. import com.baomidou.mybatisplus.annotation.TableId;
  3. import lombok.Data;
  4. import lombok.EqualsAndHashCode;
  5. import lombok.experimental.Accessors;
  6. import org.springframework.security.core.GrantedAuthority;
  7. import org.springframework.security.core.userdetails.UserDetails;
  8.  
  9. import java.util.ArrayList;
  10. import java.util.Collection;
  11. import java.util.Date;
  12. import java.util.List;
  13.  
  14. @Data
  15. @EqualsAndHashCode(callSuper = false)
  16. @Accessors(chain = true)
  17. public class Student implements UserDetails {
  18.  
  19.     @TableId(value = "id", type = IdType.AUTO)
  20.     private Integer id;
  21.  
  22.     private String studentName;
  23.  
  24.     private String studentSex;
  25.  
  26.     private String studentSubject;
  27.  
  28.     private String username;
  29.  
  30.     private String password;
  31.  
  32.     private String salt;
  33.  
  34.     private String email;
  35.  
  36.     private Integer type;
  37.  
  38.     private Integer status;
  39.  
  40.     private String activationCode;
  41.  
  42.     private String headerUrl;
  43.  
  44.     private Date createTime;
  45.  
  46.     private String studentPhone;
  47.     // true: 账号未过期.
  48.     @Override
  49.     public boolean isAccountNonExpired() {
  50.         return true;
  51.     }
  52.  
  53.     // true: 账号未锁定.
  54.     @Override
  55.     public boolean isAccountNonLocked() {
  56.         return true;
  57.     }
  58.  
  59.     // true: 凭证未过期.
  60.     @Override
  61.     public boolean isCredentialsNonExpired() {
  62.         return true;
  63.     }
  64.  
  65.     // true: 账号可用.
  66.     @Override
  67.     public boolean isEnabled() {
  68.         return true;
  69.     }
  70.  
  71.     @Override
  72.     public Collection<? extends GrantedAuthority> getAuthorities() {
  73.         List<GrantedAuthority> list = new ArrayList<>();
  74.         list.add(new GrantedAuthority() {
  75.             @Override
  76.             public String getAuthority() {
  77.                 switch (type) {
  78.                     case 1:
  79.                         return "ADMIN";
  80.                     default:
  81.                         return "USER";
  82.                 }
  83.             }
  84.         });
  85.         return list;
  86.     }
  87.  
  88. }

2.1.2 同时StudentService继承UserDetailsService

创建getAuthorities方法 获取用户权限,同时Type的字段值代表了用户的权限

自定义实现验证权限类型

  1. public interface StudentService extends IService<Student>, UserDetailsService {
  2.  
  3.    
  4.  
  5.     Collection<? extends GrantedAuthority> getAuthorities(Integer id);
  6. }
  1. @Service
  2. public class StudentServiceImpl extends ServiceImpl<StudentMapper, Student> implements StudentService {    
  3.     @Override
  4.     public Collection<? extends GrantedAuthority> getAuthorities(Integer id) {
  5.         Student student = this.findStudentById(id);
  6.  
  7.         List<GrantedAuthority> list = new ArrayList<>();
  8.         list.add(new GrantedAuthority() {
  9.             @Override
  10.             public String getAuthority() {
  11.                 switch (student.getType()) {
  12.                     case 1:
  13.                         return AUTHORITY_ADMIN;
  14.                     case 2:
  15.                         return AUTHORITY_MODERATOR;
  16.                     default:
  17.                         return AUTHORITY_USER;
  18.                 }
  19.             }
  20.         });
  21.         return list;
  22.     }
  23. }

2.2 创建CommunityConstant接口返回权限类型

可以自定义也可以不使用这一步

  1.  
  2. public interface CommunityConstant {
  3.  
  4.     /**
  5.      权限:普通用户ID
  6.      **/
  7.     String AUTHORITY_USER="user";
  8.  
  9.     /**
  10.      权限:管理员ID
  11.      **/
  12.     String AUTHORITY_ADMIN="admin";
  13.  
  14.     /**
  15.      权限:管理员ID
  16.      **/
  17.     String AUTHORITY_MODERATOR="moderator";
  18.  
  19. }

2.3 认证步骤

将student中的用户信息导入到Security中,使得安全配置生效

//构建用户认证结果,并存入SecurityContext,以便于Security进行授权
                Authentication authentication=new UsernamePasswordAuthenticationToken(
                        student,student.getPassword(),studentService.getAuthorities(student.getId()));

                SecurityContextHolder.setContext(new SecurityContextImpl(authentication));

本次采用拦截器的形式来进行构建用户认证结果,并存入SecurityContext,以便于Security进行授权,如果loadUserByName验证通过,则此处没有问题,即可验证通过。

  1. @Component
  2. public class LoginInterceptor implements HandlerInterceptor {
  3.     @Autowired
  4.     private HostHolder hostHolder;
  5.  
  6.     @Autowired
  7.     private StudentService studentService;
  8.  
  9.     @Override
  10.     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
  11.  
  12.         String ticket = CookieUtil.getValue(request, "ticket");  //调用存在cookie里的数据
  13.  
  14.         if (ticket != null) {
  15.             // 查询凭证
  16.             LoginTicket loginTicket = studentService.findLoginTicket(ticket);
  17.             // 检查凭证是否有效
  18.             if (loginTicket != null && loginTicket.getStatus() == 0 && loginTicket.getExpired().after(new Date())) {
  19.  
  20.                 // 根据凭证查询用户
  21.                 Student student = studentService.findStudentById(loginTicket.getUserId());
  22.                 // 在本次请求中持有用户
  23.                 hostHolder.setStudent(student);
  24.  
  25.                 //构建用户认证结果,并存入SecurityContext,以便于Security进行授权
  26.                 Authentication authentication=new UsernamePasswordAuthenticationToken(
  27.                         student,student.getPassword(),studentService.getAuthorities(student.getId()));
  28.  
  29.                 SecurityContextHolder.setContext(new SecurityContextImpl(authentication));
  30.                 return true;
  31.             }else{
  32.                 response.sendRedirect(request.getContextPath()+"/login");   //转发请求 到request.getContextPath() + "/login";
  33.             }
  34.         }else {
  35.             response.sendRedirect(request.getContextPath()+"/login");   //request.getContextPath()为请求目录  localhost:8080/sushe/
  36.         }
  37.         return false;
  38.     }
  39.  
  40.     @Override
  41.     public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
  42.         Student student = hostHolder.getStudent();
  43.         if (student != null && modelAndView != null) {
  44.             modelAndView.addObject("loginStudent", student);
  45.         }
  46.     }
  47.  
  48.     @Override
  49.     public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
  50.         hostHolder.clear();
  51.     }
  52. }

3. 授权

在认证通过之后我们可以在security配置中进行用户,管理员等不同角色对接口的访问限制。

.antMatcher{}  对应相关接口

.hasAnyAuthority{} 对应相关用户

  1. package com.example.sushe.config;
  2.  
  3.  
  4. import com.example.sushe.util.CommunityConstant;
  5. import com.example.sushe.util.CommunityUtil;
  6. import org.springframework.context.annotation.Configuration;
  7. import org.springframework.security.access.AccessDeniedException;
  8. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  9. import org.springframework.security.config.annotation.web.builders.WebSecurity;
  10. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  11. import org.springframework.security.core.AuthenticationException;
  12. import org.springframework.security.web.AuthenticationEntryPoint;
  13. import org.springframework.security.web.access.AccessDeniedHandler;
  14.  
  15. import javax.servlet.ServletException;
  16. import javax.servlet.http.HttpServletRequest;
  17. import javax.servlet.http.HttpServletResponse;
  18. import java.io.IOException;
  19. import java.io.PrintWriter;
  20.  
  21.  
  22. @Configuration
  23. public class SecurityConfig extends WebSecurityConfigurerAdapter implements CommunityConstant {
  24.  
  25.     @Override
  26.     public void configure(WebSecurity web) throws Exception {
  27.         web.ignoring().antMatchers("/resources/**");
  28.     }
  29.  
  30.     @Override
  31.     protected void configure(HttpSecurity http) throws Exception {
  32.         //授权
  33.         http.authorizeRequests()
  34.                 .antMatchers(
  35.                         "/person/findAll"
  36.                 )
  37.                 .hasAnyAuthority(
  38.                         AUTHORITY_USER,
  39.                         AUTHORITY_ADMIN,
  40.                         AUTHORITY_MODERATOR
  41.                 )
  42.                 .antMatchers(
  43.                         "/person/add/*","/person/update/*","/person/updatePerson","/person/delete","/subject/*"
  44.                 )
  45.                 .hasAnyAuthority(
  46.                         AUTHORITY_ADMIN
  47.                 )
  48.                 .anyRequest().permitAll()
  49.                 .and().csrf().disable();
  50.  
  51.  
  52.         //权限不够时的出理
  53.         http.exceptionHandling()
  54.                 .authenticationEntryPoint(new AuthenticationEntryPoint() {
  55.                     //没有登陆
  56.                     @Override
  57.                     public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
  58.                         String xRequestedWith = request.getHeader("x-requested-with");
  59.                         if("XMLHttpRequest".equals(xRequestedWith)){
  60.                             response.setContentType("application/plain/character=utf-8");
  61.                             PrintWriter writer=response.getWriter();
  62.                             writer.write((CommunityUtil.getJSONString(403,"你还没有登录呕")));
  63.                         }else{
  64.                             response.sendRedirect(request.getContextPath()+"/login");
  65.                         }
  66.                     }
  67.                 })
  68.                 .accessDeniedHandler(new AccessDeniedHandler() {
  69.                     //权限不足
  70.                     @Override
  71.                     public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException e) throws IOException, ServletException {
  72.                         String xRequestedWith = request.getHeader("x-requested-with");
  73.                         if("XMLHttpRequest".equals(xRequestedWith)){
  74.                             response.setContentType("application/plain/character=utf-8");
  75.                             PrintWriter writer=response.getWriter();
  76.                             writer.write((CommunityUtil.getJSONString(403,"没有访问此页面的权限")));
  77.                         }else{
  78.                             response.sendRedirect(request.getContextPath()+"/error");
  79.                         }
  80.                     }
  81.                 });
  82.  
  83.         //Security底层会默认拦截/logout请求,进行退出处理
  84.         //覆盖它原来的逻辑
  85.         http.logout().logoutUrl("/Securitylogout");
  86.     }
  87. }

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/码创造者/article/detail/774488
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号