Spring Security基本配置
1. 创建项目,添加依赖创建一个Spring Boot Web项目,然后添加spring-boot-starter-security依赖即可,代码如下:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
2,配置数据库
spring.datasource.type=com.alibaba.druid.pool.DruidDataSource
spring.datasource.username=root
spring.datasource.password=root
spring.datasource.url=jdbc:mysql:///security
3. 创建实体类
public class User implements UserDetails {
private Integer id;
private String username;
private String password;
private Boolean enabled;
private Boolean locked;
private List<Role> roles;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
List<SimpleGrantedAuthority> authorities = new ArrayList<>();
for (Role role : roles) {
authorities.add(new SimpleGrantedAuthority(role.getName()));
}
return authorities;
}
}
public class Role {
private Integer id;
private String name;
private String nameZh;
}
public class Menu {
private Integer id;
private String pattern;
private List<Role> roles;
}
@Service
public class UserService implements UserDetailsService {
@Autowired
UserMapper userMapper;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userMapper.loadUserByUsername(username);
if (user == null) {
throw new UsernameNotFoundException("账户不存在!");
}
user.setRoles(userMapper.getUserRolesByUid(user.getId()));
return user;
}
}
定义UserService实现UserDetailsService接口,并实现该接口中的loadUserByUsername方法,该方法的参数就是用户登录时输入的用户名,
通过用户名去数据库中查找用户,如果没有查找到用户,就抛出一个账户不存在的异常,如果查找到了用户,就继续查找该用户所具有的角色信息,
并将获取到的user对象返回,再由系统提供的DaoAuthenticationProvider类去比对密码是否正确。• loadUserByUsername方法将在用户登录时自动调用
4. 配置Spring Security
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserService userService;
@Bean
RoleHierarchy roleHierarchy() {
RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
String hierarchy = "ROLE_dba > ROLE_admin ROLE_admin > ROLE_user";
roleHierarchy.setHierarchy(hierarchy);
return roleHierarchy;
}
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// http.authorizeRequests()
// .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
// @Override
// public <O extends FilterSecurityInterceptor> O postProcess(O object) {
// object.setSecurityMetadataSource(cfisms());
// object.setAccessDecisionManager(cadm());
// return object;
// }
// })
http.authorizeRequests()
.and()
.formLogin()
.loginPage("/login.html")
.loginProcessingUrl("/login").permitAll()
.usernameParameter("name")
.passwordParameter("passwd")
.and()
.authorizeRequests().anyRequest().authenticated()
//.successHandler()
.and()
.csrf().disable();
}
// @Bean
// CustomFilterInvocationSecurityMetadataSource cfisms() {
// return new CustomFilterInvocationSecurityMetadataSource();
// }
// @Bean
// CustomAccessDecisionManager cadm() {
// return new CustomAccessDecisionManager();
// }
}
开发者自定义FilterInvocationSecurityMetadataSource主要实现该接口中的getAttributes方法,该方法的参数是一个FilterInvocation,
开发者可以从FilterInvocation中提取出当前请求的URL,返回值是Collection<ConfigAttribute>,表示当前请求URL所需的角色。
• 第4行创建一个AntPathMatcher,主要用来实现ant风格的URL匹配。
• 第10行从参数中提取出当前请求的URL。
• 第11行从数据库中获取所有的资源信息,即本案例中的menu表以及menu所对应的role,在真实项目环境中,开发者可以将资源信息缓存在Redis或者其他缓存数据库中。
• 第12~21行遍历资源信息,遍历过程中获取当前请求的URL所需要的角色信息并返回。如果当前请求的URL在资源表中不存在相应的模式,就假设该请求登录后即可访问,
即直接返回ROLE_LOGIN。• getAllConfigAttributes方法用来返回所有定义好的权限资源,SpringSecurity在启动时会校验相关配置是否正确,如果不需要校验,那么该方法直接返回null即可。
• supports方法返回类对象是否支持校验。
@Component
public class CustomFilterInvocationSecurityMetadataSource
implements FilterInvocationSecurityMetadataSource {
AntPathMatcher antPathMatcher = new AntPathMatcher();
@Autowired
MenuMapper menuMapper;
@Override
public Collection<ConfigAttribute> getAttributes(Object object)
throws IllegalArgumentException {
String requestUrl = ((FilterInvocation) object).getRequestUrl();
List<Menu> allMenus = menuMapper.getAllMenus();
for (Menu menu : allMenus) {
if (antPathMatcher.match(menu.getPattern(), requestUrl)) {
List<Role> roles = menu.getRoles();
String[] roleArr = new String[roles.size()];
for (int i = 0; i < roleArr.length; i++) {
roleArr[i] = roles.get(i).getName();
}
return SecurityConfig.createList(roleArr);
}
}
return SecurityConfig.createList("ROLE_LOGIN");
}
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}
@Override
public boolean supports(Class<?> clazz) {
return FilterInvocation.class.isAssignableFrom(clazz);
}
}
自定义AccessDecisionManager当一个请求走完FilterInvocationSecurityMetadataSource中的getAttributes方法后,
接下来就会来到AccessDecisionManager类中进行角色信息的比对,自定义AccessDecisionManager如下:
@Component
public class CustomAccessDecisionManager
implements AccessDecisionManager {
@Override
public void decide(Authentication auth,
Object object,
Collection<ConfigAttribute> ca){
Collection<? extends GrantedAuthority> auths = auth.getAuthorities();
for (ConfigAttribute configAttribute : ca) {
if ("ROLE_LOGIN".equals(configAttribute.getAttribute())
&& auth instanceof UsernamePasswordAuthenticationToken) {
return;
}
for (GrantedAuthority authority : auths) {
if (configAttribute.getAttribute().equals(authority.getAuthority())) {
return;
}
}
}
throw new AccessDeniedException("权限不足");
}
@Override
public boolean supports(ConfigAttribute attribute) {
return true;
}
@Override
public boolean supports(Class<?> clazz) {
return true;
}
}
浙公网安备 33010602011771号