当前位置: 代码迷 >> 综合 >> springboot-Securtity-角色权限控制
  详细解决方案

springboot-Securtity-角色权限控制

热度:106   发布时间:2023-09-06 23:56:16

Spring Boot Security

springboot-Securtity-角色权限控制

如图,是一种通用的用户权限模型。一般情况下会有5张表,分别是:用户表,角色表,权限表,用户角色关系表,角色权限对应表。

一般,资源分配时是基于角色的(即,资源访问权限赋给角色,用户通过角色进而拥有权限);而访问资源的时候是基于资源权限去进行授权判断的。

Spring Security和Apache Shiro是两个应用比较多的权限管理框架。Spring Security依赖Spring,其功能强大,相对于Shiro而言学习难度稍大一些。

Spring的强大是不言而喻的,可扩展性也很强,强大到用Spring家族的产品只要按照其推荐的做法来就非常非常简单,否则,自己去整合过程可能会很痛苦。

目前,我们项目是基于Spring Boot的,而且Spring Boot的权限管理也是推荐使用Spring Security的,所以再难也是要学习的。

Spring Security简介

Spring Security致力于为Java应用提供认证和授权管理。它是一个强大的,高度自定义的认证和访问控制框架。

具体介绍参见https://docs.spring.io/spring-security/site/docs/5.0.5.RELEASE/reference/htmlsingle/

这句话包括两个关键词:Authentication(认证)和 Authorization(授权,也叫访问控制)

认证是验证用户身份的合法性,而授权是控制你可以做什么。

简单地来说,认证就是你是谁,授权就是你可以做什么。

在开始集成之前,我们先简单了解几个接口:

AuthenticationProvider

AuthenticationProvider接口是用于认证的,可以通过实现这个接口来定制我们自己的认证逻辑,它的实现类有很多,默认的是JaasAuthenticationProvider

它的全称是 Java Authentication and Authorization Service (JAAS)

springboot-Securtity-角色权限控制

AccessDecisionManager

AccessDecisionManager是用于访问控制的,它决定用户是否可以访问某个资源,实现这个接口可以定制我们自己的授权逻辑。

springboot-Securtity-角色权限控制

AccessDecisionVoter

AccessDecisionVoter是投票器,在授权的时通过投票的方式来决定用户是否可以访问,这里涉及到投票规则。

springboot-Securtity-角色权限控制

UserDetailsService

UserDetailsService是用于加载特定用户信息的,它只有一个接口通过指定的用户名去查询用户。

springboot-Securtity-角色权限控制

UserDetails

UserDetails代表用户信息,即主体,相当于Shiro中的Subject。User是它的一个实现。

Spring Boot集成Spring Security

按照官方文档的说法,为了定义我们自己的认证管理,我们可以添加UserDetailsService, AuthenticationProvider, or AuthenticationManager这种类型的Bean。

实现的方式有多种,这里我选择最简单的一种(因为本身我们这里的认证授权也比较简单)

通过定义自己的UserDetailsService从数据库查询用户信息,至于认证的话就用默认的。

Maven依赖

springboot-Securtity-角色权限控制

1 <?xml version="1.0" encoding="UTF-8"?>2 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"3     xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">4     <modelVersion>4.0.0</modelVersion>5 6     <groupId>com.cjs.example</groupId>7     <artifactId>cjs-springsecurity-example</artifactId>8     <version>0.0.1-SNAPSHOT</version>9     <packaging>jar</packaging>
10 
11     <name>cjs-springsecurity-example</name>
12     <description></description>
13 
14     <parent>
15         <groupId>org.springframework.boot</groupId>
16         <artifactId>spring-boot-starter-parent</artifactId>
17         <version>2.0.2.RELEASE</version>
18         <relativePath/> <!-- lookup parent from repository -->
19     </parent>
20 
21     <properties>
22         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
23         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
24         <java.version>1.8</java.version>
25     </properties>
26 
27     <dependencies>
28         <dependency>
29             <groupId>org.springframework.boot</groupId>
30             <artifactId>spring-boot-starter-cache</artifactId>
31         </dependency>
32         <dependency>
33             <groupId>org.springframework.boot</groupId>
34             <artifactId>spring-boot-starter-data-redis</artifactId>
35         </dependency>
36         <dependency>
37             <groupId>org.springframework.boot</groupId>
38             <artifactId>spring-boot-starter-security</artifactId>
39         </dependency>
40         <dependency>
41             <groupId>org.springframework.boot</groupId>
42             <artifactId>spring-boot-starter-thymeleaf</artifactId>
43         </dependency>
44         <dependency>
45             <groupId>org.springframework.boot</groupId>
46             <artifactId>spring-boot-starter-web</artifactId>
47         </dependency>
48         <dependency>
49             <groupId>org.thymeleaf.extras</groupId>
50             <artifactId>thymeleaf-extras-springsecurity4</artifactId>
51             <version>3.0.2.RELEASE</version>
52         </dependency>
53 
54 
55         <dependency>
56             <groupId>org.projectlombok</groupId>
57             <artifactId>lombok</artifactId>
58             <optional>true</optional>
59         </dependency>
60         <dependency>
61             <groupId>org.springframework.boot</groupId>
62             <artifactId>spring-boot-starter-test</artifactId>
63             <scope>test</scope>
64         </dependency>
65         <dependency>
66             <groupId>org.springframework.security</groupId>
67             <artifactId>spring-security-test</artifactId>
68             <scope>test</scope>
69         </dependency>
70     </dependencies>
71 
72     <build>
73         <plugins>
74             <plugin>
75                 <groupId>org.springframework.boot</groupId>
76                 <artifactId>spring-boot-maven-plugin</artifactId>
77             </plugin>
78         </plugins>
79     </build>
80 
81 </project>

springboot-Securtity-角色权限控制

Security配置

springboot-Securtity-角色权限控制

1 package com.cjs.example.config;2 3 import com.cjs.example.support.MyUserDetailsService;4 import org.springframework.beans.factory.annotation.Autowired;5 import org.springframework.context.annotation.Bean;6 import org.springframework.context.annotation.Configuration;7 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;8 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;9 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
10 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
11 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
12 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
13 import org.springframework.security.crypto.password.PasswordEncoder;
14 
15 @Configuration
16 @EnableWebSecurity
17 @EnableGlobalMethodSecurity(prePostEnabled = true)  //  启用方法级别的权限认证
18 public class SecurityConfig extends WebSecurityConfigurerAdapter {
19 
20     @Autowired
21     private MyUserDetailsService myUserDetailsService;
22 
23 
24     @Override
25     protected void configure(HttpSecurity http) throws Exception {
26         //  允许所有用户访问"/"和"/index.html"
27         http.authorizeRequests()
28                 .antMatchers("/", "/index.html").permitAll()
29                 .anyRequest().authenticated()   // 其他地址的访问均需验证权限
30                 .and()
31                 .formLogin()
32                 .loginPage("/login.html")   //  登录页
33                 .failureUrl("/login-error.html").permitAll()
34                 .and()
35                 .logout()
36                 .logoutSuccessUrl("/index.html");
37     }
38 
39     @Override
40     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
41         auth.userDetailsService(myUserDetailsService).passwordEncoder(passwordEncoder());
42     }
43 
44     @Bean
45     public PasswordEncoder passwordEncoder() {
46         return new BCryptPasswordEncoder();
47     }
48 
49 }

springboot-Securtity-角色权限控制

MyUserDetailsService

springboot-Securtity-角色权限控制

1 package com.cjs.example.support;2 3 import com.cjs.example.entity.SysPermission;4 import com.cjs.example.entity.SysRole;5 import com.cjs.example.entity.SysUser;6 import com.cjs.example.service.UserService;7 import org.springframework.beans.factory.annotation.Autowired;8 import org.springframework.security.core.authority.SimpleGrantedAuthority;9 import org.springframework.security.core.userdetails.User;
10 import org.springframework.security.core.userdetails.UserDetails;
11 import org.springframework.security.core.userdetails.UserDetailsService;
12 import org.springframework.security.core.userdetails.UsernameNotFoundException;
13 import org.springframework.stereotype.Service;
14 
15 import java.util.ArrayList;
16 import java.util.List;
17 
18 @Service
19 public class MyUserDetailsService implements UserDetailsService {
20 
21     @Autowired
22     private UserService userService;
23 
24     /**
25      * 授权的时候是对角色授权,而认证的时候应该基于资源,而不是角色,因为资源是不变的,而用户的角色是会变的
26      */
27 
28     @Override
29     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
30         SysUser sysUser = userService.getUserByName(username);
31         if (null == sysUser) {
32             throw new UsernameNotFoundException(username);
33         }
34         List<SimpleGrantedAuthority> authorities = new ArrayList<>();
35         for (SysRole role : sysUser.getRoleList()) {
36             for (SysPermission permission : role.getPermissionList()) {
37                 authorities.add(new SimpleGrantedAuthority(permission.getCode()));
38             }
39         }
40 
41         return new User(sysUser.getUsername(), sysUser.getPassword(), authorities);
42     }
43 }

springboot-Securtity-角色权限控制

权限分配

springboot-Securtity-角色权限控制

1 package com.cjs.example.service.impl;2 3 import com.cjs.example.dao.UserDao;4 import com.cjs.example.entity.SysUser;5 import com.cjs.example.service.UserService;6 import org.springframework.beans.factory.annotation.Autowired;7 import org.springframework.cache.annotation.Cacheable;8 import org.springframework.stereotype.Service;9 
10 @Service
11 public class UserServiceImpl implements UserService {
12 
13     @Autowired
14     private UserDao userDao;
15 
16     @Cacheable(cacheNames = "authority", key = "#username")
17     @Override
18     public SysUser getUserByName(String username) {
19         return userDao.selectByName(username);
20     }
21 }

springboot-Securtity-角色权限控制

springboot-Securtity-角色权限控制

1 package com.cjs.example.dao;2 3 import com.cjs.example.entity.SysPermission;4 import com.cjs.example.entity.SysRole;5 import com.cjs.example.entity.SysUser;6 import lombok.extern.slf4j.Slf4j;7 import org.springframework.stereotype.Repository;8 9 import java.util.Arrays;
10 
11 @Slf4j
12 @Repository
13 public class UserDao {
14 
15     private SysRole admin = new SysRole("ADMIN", "管理员");
16     private SysRole developer = new SysRole("DEVELOPER", "开发者");
17 
18     {
19         SysPermission p1 = new SysPermission();
20         p1.setCode("UserIndex");
21         p1.setName("个人中心");
22         p1.setUrl("/user/index.html");
23 
24         SysPermission p2 = new SysPermission();
25         p2.setCode("BookList");
26         p2.setName("图书列表");
27         p2.setUrl("/book/list");
28 
29         SysPermission p3 = new SysPermission();
30         p3.setCode("BookAdd");
31         p3.setName("添加图书");
32         p3.setUrl("/book/add");
33 
34         SysPermission p4 = new SysPermission();
35         p4.setCode("BookDetail");
36         p4.setName("查看图书");
37         p4.setUrl("/book/detail");
38 
39         admin.setPermissionList(Arrays.asList(p1, p2, p3, p4));
40         developer.setPermissionList(Arrays.asList(p1, p2));
41 
42     }
43 
44     public SysUser selectByName(String username) {
45         log.info("从数据库中查询用户");
46         if ("zhangsan".equals(username)) {
47             SysUser sysUser = new SysUser("zhangsan", "$2a$10$EIfFrWGINQzP.tmtdLd2hurtowwsIEQaPFR9iffw2uSKCOutHnQEm");
48             sysUser.setRoleList(Arrays.asList(admin, developer));
49             return sysUser;
50         }else if ("lisi".equals(username)) {
51             SysUser sysUser = new SysUser("lisi", "$2a$10$EIfFrWGINQzP.tmtdLd2hurtowwsIEQaPFR9iffw2uSKCOutHnQEm");
52             sysUser.setRoleList(Arrays.asList(developer));
53             return sysUser;
54         }
55         return null;
56     }
57 
58 }

springboot-Securtity-角色权限控制

示例

这里我设计的例子是用户登录成功以后跳到个人中心,然后用户可以可以进入图书列表查看。

用户zhangsan可以查看所有的,而lisi只能查看图书列表,不能添加不能查看详情。

页面设计

LoginController.java

springboot-Securtity-角色权限控制

1 package com.cjs.example.controller;2 3 import org.springframework.stereotype.Controller;4 import org.springframework.ui.Model;5 import org.springframework.web.bind.annotation.RequestMapping;6 7 @Controller8 public class LoginController {9 
10     // Login form
11     @RequestMapping("/login.html")
12     public String login() {
13         return "login.html";
14     }
15 
16     // Login form with error
17     @RequestMapping("/login-error.html")
18     public String loginError(Model model) {
19         model.addAttribute("loginError", true);
20         return "login.html";
21     }
22 
23 }

springboot-Securtity-角色权限控制

BookController.java

springboot-Securtity-角色权限控制

1 package com.cjs.example.controller;2 3 import org.springframework.security.access.prepost.PreAuthorize;4 import org.springframework.stereotype.Controller;5 import org.springframework.web.bind.annotation.GetMapping;6 import org.springframework.web.bind.annotation.RequestMapping;7 8 @Controller9 @RequestMapping("/book")
10 public class BookController {
11 
12     @PreAuthorize("hasAuthority('BookList')")
13     @GetMapping("/list.html")
14     public String list() {
15         return "book/list";
16     }
17 
18     @PreAuthorize("hasAuthority('BookAdd')")
19     @GetMapping("/add.html")
20     public String add() {
21         return "book/add";
22     }
23 
24     @PreAuthorize("hasAuthority('BookDetail')")
25     @GetMapping("/detail.html")
26     public String detail() {
27         return "book/detail";
28     }
29 }

springboot-Securtity-角色权限控制

UserController.java

springboot-Securtity-角色权限控制

1 package com.cjs.example.controller;2 3 import com.cjs.example.entity.SysUser;4 import com.cjs.example.service.UserService;5 import org.springframework.beans.factory.annotation.Autowired;6 import org.springframework.security.access.prepost.PreAuthorize;7 import org.springframework.stereotype.Controller;8 import org.springframework.web.bind.annotation.GetMapping;9 import org.springframework.web.bind.annotation.RequestMapping;
10 import org.springframework.web.bind.annotation.ResponseBody;
11 
12 @Controller
13 @RequestMapping("/user")
14 public class UserController {
15 
16     @Autowired
17     private UserService userService;
18 
19     /**
20      * 个人中心
21      */
22     @PreAuthorize("hasAuthority('UserIndex')")
23     @GetMapping("/index")
24     public String index() {
25         return "user/index";
26     }
27 
28     @RequestMapping("/hi")
29     @ResponseBody
30     public String hi() {
31         SysUser sysUser = userService.getUserByName("zhangsan");
32         return sysUser.toString();
33     }
34 
35 }

springboot-Securtity-角色权限控制

index.html

springboot-Securtity-角色权限控制

1 <!DOCTYPE html>2 <html lang="en">3 <head>4     <meta charset="UTF-8">5     <title>首页</title>6 </head>7 <body>8     <h2>这里是首页</h2>9 </body>
10 </html>

springboot-Securtity-角色权限控制

login.html

springboot-Securtity-角色权限控制

1 <!DOCTYPE html>2 <html lang="zh" xmlns:th="http://www.thymeleaf.org">3 <head>4     <meta charset="UTF-8">5     <title>Login page</title>6 </head>7 <body>8 <h1>Login page</h1>9 <p th:if="${loginError}" class="error">用户名或密码错误</p>
10 <form th:action="@{/login.html}" method="post">
11     <label for="username">Username</label>:
12     <input type="text" id="username" name="username" autofocus="autofocus" /> <br />
13     <label for="password">Password</label>:
14     <input type="password" id="password" name="password" /> <br />
15     <input type="submit" value="Login" />
16 </form>
17 </body>
18 </html>

springboot-Securtity-角色权限控制

/user/index.html

springboot-Securtity-角色权限控制

1 <!DOCTYPE html>2 <html lang="zh" xmlns:th="http://www.thymeleaf.org">3 <head>4     <meta charset="UTF-8">5     <title>个人中心</title>6 </head>7 <body>8     <h2>个人中心</h2>9     <div th:insert="~{fragments/header::logout}"></div>
10     <a href="/book/list.html">图书列表</a>
11 </body>
12 </html>

springboot-Securtity-角色权限控制

/book/list.html

springboot-Securtity-角色权限控制

<!DOCTYPE html>
<html lang="zh" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<head><meta charset="UTF-8"><title>图书列表</title>
</head>
<body>
<div th:insert="~{fragments/header::logout}"></div>
<h2>图书列表</h2>
<div sec:authorize="hasAuthority('BookAdd')"><button οnclick="">添加</button>
</div>
<table border="1" cellspacing="0" style="width: 20%"><thead><tr><th>名称</th><th>出版社</th><th>价格</th><th>操作</th></tr></thead><tbody><tr><td>Java从入门到放弃</td><td>机械工业出版社</td><td>39</td><td><span sec:authorize="hasAuthority('BookDetail')"><a href="/book/detail.html">查看</a></span></td></tr><tr><td>MySQ从删库到跑路</td><td>清华大学出版社</td><td>59</td><td><span sec:authorize="hasAuthority('BookDetail')"><a href="/book/detail.html">查看</a></span></td></tr></tbody>
</table>
</body>
</html>

springboot-Securtity-角色权限控制

header.html

springboot-Securtity-角色权限控制

1 <!DOCTYPE html>2 <html xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">3 <body>4 <div th:fragment="logout" class="logout" sec:authorize="isAuthenticated()">5     Logged in user: <span sec:authentication="name"></span> |6     Roles: <span sec:authentication="principal.authorities"></span>7     <div>8         <form action="#" th:action="@{/logout}" method="post">9             <input type="submit" value="退出" />
10         </form>
11     </div>
12 </div>
13 </body>
14 </html>

springboot-Securtity-角色权限控制

错误处理

ErrorController.java

springboot-Securtity-角色权限控制

1 package com.cjs.example.controller;2 3 import lombok.extern.slf4j.Slf4j;4 import org.springframework.http.HttpStatus;5 import org.springframework.ui.Model;6 import org.springframework.web.bind.annotation.ControllerAdvice;7 import org.springframework.web.bind.annotation.ExceptionHandler;8 import org.springframework.web.bind.annotation.ResponseStatus;9 
10 @Slf4j
11 @ControllerAdvice
12 public class ErrorController {
13 
14     @ExceptionHandler(Throwable.class)
15     @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
16     public String exception(final Throwable throwable, final Model model) {
17         log.error("Exception during execution of SpringSecurity application", throwable);
18         String errorMessage = (throwable != null ? throwable.getMessage() : "Unknown error");
19         model.addAttribute("errorMessage", errorMessage);
20         return "error";
21     }
22 
23 }

springboot-Securtity-角色权限控制

error.html

springboot-Securtity-角色权限控制

1 <!DOCTYPE html>2 <html xmlns:th="http://www.thymeleaf.org">3 <head>4     <title>Error page</title>5     <meta charset="utf-8" />6 </head>7 <body th:with="httpStatus=${T(org.springframework.http.HttpStatus).valueOf(#response.status)}">8 <h1 th:text="|${httpStatus} - ${httpStatus.reasonPhrase}|">404</h1>9 <p th:utext="${errorMessage}">Error java.lang.NullPointerException</p>
10 <a href="index.html" th:href="@{/index.html}">返回首页</a>
11 </body>
12 </html>

springboot-Securtity-角色权限控制

效果演示

zhangsan登录

springboot-Securtity-角色权限控制

springboot-Securtity-角色权限控制

springboot-Securtity-角色权限控制

springboot-Securtity-角色权限控制

lisi登录

springboot-Securtity-角色权限控制

springboot-Securtity-角色权限控制

springboot-Securtity-角色权限控制

至此,可以实现基本的权限管理

工程结构

springboot-Securtity-角色权限控制

代码已上传至https://github.com/chengjiansheng/cjs-springsecurity-example.git

 

访问控制表达式

springboot-Securtity-角色权限控制

其它

通常情况下登录成功或者失败以后不是跳转到页面而是返回json数据,该怎么做呢?

可以继承SavedRequestAwareAuthenticationSuccessHandler,并在配置中指定successHandler或者继承SimpleUrlAuthenticationFailureHandler,并在配置中指定failureHandler

springboot-Securtity-角色权限控制

1 package com.cjs.example.handler;2 3 import org.springframework.security.core.Authentication;4 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;5 6 import javax.servlet.ServletException;7 import javax.servlet.http.HttpServletRequest;8 import javax.servlet.http.HttpServletResponse;9 import java.io.IOException;
10 import java.util.HashMap;
11 
12 public class MySavedRequestAwareAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
13     @Override
14     public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
15 
16 //        // Use the DefaultSavedRequest URL
17 //        String targetUrl = savedRequest.getRedirectUrl();
18 //        logger.debug("Redirecting to DefaultSavedRequest Url: " + targetUrl);
19 //        getRedirectStrategy().sendRedirect(request, response, targetUrl);
20 
21         Map<String, Object> map = new HashMap<>();
22         response.getWriter().write(JSON.toJSONString(map));
23 
24 
25     }
26 }

springboot-Securtity-角色权限控制

这么复杂感觉还不如自己写个Filter还简单些

是的,仅仅是这些的话还真不如自己写个过滤器来得简单,但是Spring Security的功能远不止如此,比如OAuth2,CSRF等等

这个只适用单应用,不可能每个需要权限的系统都这么去写,可以不可以做成认证中心,做单点登录?

当然是可以的,而且必须可以。权限分配可以用一个管理后台,认证和授权必须独立出来,下一节用OAuth2.0来实现

 

参考

https://docs.spring.io/spring-security/site/docs/5.0.5.RELEASE/reference/htmlsingle/#el-pre-post-annotations

https://docs.spring.io/spring-security/site/docs/5.0.5.RELEASE/reference/htmlsingle/#getting-started

https://www.thymeleaf.org/doc/articles/standarddialect5minutes.html

https://www.thymeleaf.org/doc/articles/layouts.html

https://www.thymeleaf.org/doc/articles/springsecurity.html

https://blog.csdn.net/u283056051/article/details/55803855

https://segmentfault.com/a/1190000008893479

https://www.bbsmax.com/A/A2dmY2DWde/

https://blog.csdn.net/qq_29580525/article/details/79317969