<em>Mac</em>Book项目 2009年学校开始实施<em>Mac</em>Book项目,所有师生配备一本<em>Mac</em>Book,并同步更新了校园无线网络。学校每周进行电脑技术更新,每月发送技术支持资料,极大改变了教学及学习方式。因此2011
2021-06-01 09:32:01
解決Spring Security的許可權設定不生效問題
2022-03-12 19:00:17
Spring Security許可權設定不生效
在整合Spring Security做介面許可權設定時,在給使用者設定的許可權後,還是一直顯示“無許可權”或者"許可權不足"。
1、不生效的例子
介面
@RequestMapping("/admin")
@ResponseBody
@PreAuthorize("hasRole('ADMIN')")
public String printAdmin() {
return "如果你看見這句話,說明你有ROLE_ADMIN角色";
}
@RequestMapping("/user")
@ResponseBody
@PreAuthorize("hasRole('USER')")
public String printUser() {
return "如果你看見這句話,說明你有ROLE_USER角色";
}
SecurityConfig
.and()
.authorizeRequests()
.antMatchers("/user").hasAnyRole("USER")
.antMatchers("/admin").hasAnyRole("ADMIN")
.anyRequest().authenticated() //必須授權才能範圍
使用者攜帶許可權
2、解決辦法
經測試,只有使用者攜帶許可權的欄位為 “ROLE_” + 介面/設定 中的許可權欄位,才能控制生效,舉例:
將上面的使用者攜帶許可權改為
Spring Security動態設定許可權
匯入依賴
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.3</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-starter</artifactId>
<version>1.1.22</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
<version>5.1.46</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
相關設定
application.properties
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/javaboy?useUnicode=true&characterEncoding=utf8&serverTimezone=UTC spring.datasource.username=root spring.datasource.password=root spring.datasource.type=com.alibaba.druid.pool.DruidDataSource
實體類User,Role,Menu
這裡要實現UserDetails介面,這個介面好比一個規範。防止開發者定義的密碼變數名各不相同,從而導致springSecurity不知道哪個方法是你的密碼
public class User implements UserDetails {
private Integer id;
private String username;
private String password;
private Boolean enabled;
private Boolean locked;
private List<Role> roleList;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
List<SimpleGrantedAuthority> authorities = new ArrayList<>();
for (Role role : roleList) {
authorities.add(new SimpleGrantedAuthority(role.getName()));
}
return authorities;
}
@Override
public String getPassword() {
return password;
}
@Override
public String getUsername() {
return username;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return !locked;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return enabled;
}
public Integer getId() {
return id;
}
public void setId(Integer id) {
this.id = id;
}
public void setUsername(String username) {
this.username = username;
}
public void setPassword(String password) {
this.password = password;
}
public Boolean getEnabled() {
return enabled;
}
public void setEnabled(Boolean enabled) {
this.enabled = enabled;
}
public Boolean getLocked() {
return locked;
}
public void setLocked(Boolean locked) {
this.locked = locked;
}
public List<Role> getRoleList() {
return roleList;
}
public void setRoleList(List<Role> roleList) {
this.roleList = roleList;
}
}public class Role {
private Integer id;
private String name;
private String nameZh;
...
}public class Menu {
private Integer id;
private String pattern;
private List<Role> roles;
...
}建立UserMapper類&&UserMapper.xml
和MenuMapper類&&MenuMapperxml
UserMapper
@Mapper
public interface UserMapper {
User getUserByName(String name);
List<Role> getRoleById(Integer id);
}UserMapper.xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.qwl.mysecuritydy.mapper.UserMapper">
<select id="getUserByName" resultType="com.qwl.mysecuritydy.bean.User">
select * from user where username= #{name}
</select>
<select id="getRoleById" resultType="com.qwl.mysecuritydy.bean.Role">
select * from role where id in (select rid from user_role where uid = #{uid})
</select>
</mapper>MenuMapper
@Mapper
public interface MenuMapper {
List<Menu> getMenus();
}MemuMapper.xml
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"> <mapper namespace="com.qwl.mysecuritydy.mapper.MenuMapper"> <resultMap id="menus_map" type="com.qwl.mysecuritydy.bean.Menu"> <id property="id" column="id"/> <result property="pattern" column="pattern"/> <collection property="roles" ofType="com.qwl.mysecuritydy.bean.Role"> <id property="id" column="rid"/> <result property="name" column="rname"/> <result property="nameZh" column="rnameZh"/> </collection> </resultMap> <select id="getMenus" resultMap="menus_map"> select m.*,r.id as rid,r.name as rname,r.nameZh as rnameZh from menu_role mr left join menu m on mr.mid = m.id left join role r on mr.rid = r.id </select> </mapper>
建立UserService MenuService
建立UserService實現UserServiceDetails介面
@Service
public class UserService implements UserDetailsService {
@Autowired
private UserMapper userMapper;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userMapper.getUserByName(username);
if(user ==null){
throw new UsernameNotFoundException("使用者名稱不存在");
}
user.setRoleList(userMapper.getRoleById(user.getId()));
return user;
}
}建立MenuService
@Service
public class MenuService {
@Autowired
private MenuMapper menuMapper;
public List<Menu> getMenus() {return menuMapper.getMenus();}
}建立CustomFilterInvocationSecurityMetadataSource
實現介面FilterInvocationSecurityMetadataSource
注:加@comppent註解,把自定義類註冊成spring元件
supports返回值設成true表示支援
重寫getAttributes()方法
invacation呼叫 ,求助metadata後設資料
@Component
public class CustomFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
//ant風格的路徑匹配器
AntPathMatcher pathMatcher = new AntPathMatcher();
@Autowired
private MenuService menuService;
//supports返回值設成true表示支援
@Override
public boolean supports(Class<?> aClass) {
return true;
}
@Override
public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
//獲取當前使用者請求的url
String requestUrl=((FilterInvocation) object).getRequestUrl();
//資料庫中查詢出所有的路徑
List<Menu> menus =menuService.getMenus();
for (Menu menu : menus) {
//判斷使用者請求的url和資料庫的url是否能匹配的上
if (pathMatcher.match(menu.getPattern(), requestUrl)) {
List<Role> roles =menu.getRoles();
String[] roleStr = new String[roles.size()];
for (int i = 0; i < roles.size(); i++) {
roleStr[i]=roles.get(i).getName();
}
//將篩選的url路徑所具備的角色返回回去
return SecurityConfig.createList(roleStr);
}
}
//如果沒有匹配上就返回一個預設的角色,作用好比作一個標記
return SecurityConfig.createList("ROLE_def");
}
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}
}建立CustomAccessDecisionManager
實現AccessDecisionManager介面 access 通道
注:加@comppent註解,把自定義類註冊成spring元件
將兩個supports()都設定成true
重寫decide()方法
@Component
public class CustomAccessDecisionManager implements AccessDecisionManager {
@Override
public void decide(Authentication authentication, Object o, Collection<ConfigAttribute> collection) throws AccessDeniedException, InsufficientAuthenticationException {
//configattributes裡存放著CustomFilterInvocationSecurityMetadataSource過濾出來的角色
for (ConfigAttribute configAttribute : collection) {
//如果你請求的url在資料庫中不具備角色
if ("ROLE_def".equals(configAttribute.getAttribute())) {
//在判斷是不是匿名使用者(也就是未登入)
if (authentication instanceof AnonymousAuthenticationToken) {
System.out.println(">>>>>>>>>>>>>>>>匿名使用者>>>>>>>>>>>>>>");
throw new AccessDeniedException("許可權不足,無法存取");
}else{
//這裡面就是已經登入的其他型別使用者,直接放行
System.out.println(">>>>>>>>>>>其他型別使用者>>>>>>>>>>>");
return;
}
}
//如果你存取的路徑在資料庫中具有角色就會來到這裡
//Autherntication這裡面存放著登入後的使用者所有資訊
Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
for (GrantedAuthority authority : authorities) {
System.out.println(">>>>>>>authority(賬戶所擁有的許可權):"+authority.getAuthority());
System.out.println(">>>>>>>configAttribute(路徑需要的角色):"+configAttribute.getAttribute());
//路徑需要的角色和賬戶所擁有的角色作比較
if (authority.getAuthority().equals(configAttribute.getAttribute())) {
System.out.println(">>>>>>>>>>>>>>>>>>進來>>>>>>>>>>>>>>>>>");
return;
}
}
}
}
@Override
public boolean supports(ConfigAttribute configAttribute) {
return true;
}
@Override
public boolean supports(Class<?> aClass) {
return true;
}
}建立WebSecurityConfig設定類
WebSecurityConfig實現WebSecurityConfigurerAdapter
注入一會所需要的類
SpringSecurity5.0之後必須密碼加密
將資料庫查出的賬戶密碼交給SpringSecurity去判斷
設定HttpSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserService userService;
@Autowired
private CustomFilterInvocationSecurityMetadataSource customFilterInvocationSecurityMetadataSource;
@Autowired
private CustomAccessDecisionManager customAccessDecisionManager;
//springSecutity5.0之後必密碼加密
@Bean
PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
//將資料庫查出的賬戶密碼交給springsecurity去判斷
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService);
}
//設定HttpSecurity
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
@Override
public <O extends FilterSecurityInterceptor> O postProcess(O object){
object.setSecurityMetadataSource(customFilterInvocationSecurityMetadataSource);
object.setAccessDecisionManager(customAccessDecisionManager);
return object;
}
})
.and()
.formLogin()
.permitAll()
.and()
.csrf().disable();
}
}Controller
@RestController
public class HelloController {
@GetMapping("/hello")
public String hello(){
return "hello";
}
@GetMapping("/dba/hello")
public String dba(){
return "hello dba";
}
@GetMapping("/admin/hello")
public String admin(){
return "hello admin";
}
@GetMapping("/user/hello")
public String user(){
return "hello user";
}
}
以上為個人經驗,希望能給大家一個參考,也希望大家多多支援it145.com。
相關文章
-
黑科技的輕簡出行,告別「電量焦慮症」:Anker氮化鎵超能充系列
综合看Anker超能充系列的性价比很高,并且与不仅和iPhone12/苹果<em>Mac</em>Book很配,而且适合多设备充电需求的日常使用或差旅场景,不管是安卓还是Switch同样也能用得上它,希望这次分享能给准备购入充电器的小伙伴们有所
2021-06-01 09:31:42
-
吳亦凡廠牌首秀,L4WUDU居然忘詞了,Rapper和明星比還是有差距!
除了L4WUDU与吴亦凡已经多次共事,成为了明面上的厂牌成员,吴亦凡还曾带领20XXCLUB全队参加2020年的一场音乐节,这也是20XXCLUB首次全员合照,王嗣尧Turbo、陈彦希Regi、<em>Mac</em> Ova Seas、林渝植等人全部出场。然而让
2021-06-01 09:31:34
-
IPFS、Chia、Bzz和ICP挖礦該怎麼選?哪一個更有優勢?
目前应用IPFS的机构:1 谷歌<em>浏览器</em>支持IPFS分布式协议 2 万维网 (历史档案博物馆)数据库 3 火狐<em>浏览器</em>支持 IPFS分布式协议 4 EOS 等数字货币数据存储 5 美国国会图书馆,历史资料永久保存在 IPFS 6 加
2021-06-01 09:31:24
-
有哪些事是買了雪佛蘭後才知道的?美事偷著樂,開拓者車主隨聊
开拓者的车机是兼容苹果和<em>安卓</em>,虽然我不怎么用,但确实兼顾了我家人的很多需求:副驾的门板还配有解锁开关,有的时候老婆开车,下车的时候偶尔会忘记解锁,我在副驾驶可以自己开门:第二排设计很好,不仅配置了一个很大的
2021-06-01 09:30:48
-
iPhone12在618最新定價,跌價幅度超過1400元,還等iPhone13嗎?
不仅是<em>安卓</em>手机,苹果手机的降价力度也是前所未有了,iPhone12也“跳水价”了,发布价是6799元,如今已经跌至5308元,降价幅度超过1400元,最新定价确认了。iPhone12是苹果首款5G手机,同时也是全球首款5nm芯片的智能机,它
2021-06-01 09:30:45