SpringBoot集成Security实现权限控制

SpringSecurity简介

主要有两个主要功能:"认证",是建立一个他声明的主体的过程(一个"主体"一般是指用户,设备或一些可以在你的应用程序中执行动作的其他系统),通俗点说就是系统认为用户是否能登录。一般在拦截器中进行拦截用户信息进行认证。 "授权"指确定一个主体是否允许在你的应用程序执行一个动作的过程,一般是在Security中进行接口权限配置,查看用户是否具有对应接口权限。通俗点讲就是系统判断用户是否有权限去做某些事情。

相应语法:

.successForwardUrl()登录成功后跳转地址

.loginPage()登录页面

.loginProcessingurl登录页面表单提交地址,此地址可以不真实存在。

antMatchers():匹配内容permitAll():允许

1. 添加依赖

复制代码
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

2. Security配置

java 复制代码
import com.example.sushe.util.CommunityConstant;
import com.example.sushe.util.CommunityUtil;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;


@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter implements CommunityConstant {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //授权
        http.authorizeRequests()
                .antMatchers(
                        "/person/findAll","/person/relation/*","/subject/findAll","/subject/relation/*",
                        "/lou/findAll","/home/findAll","/person/delete/*"
                )
                .hasAnyAuthority(
                        AUTHORITY_USER,
                        AUTHORITY_ADMIN,
                        AUTHORITY_MODERATOR
                )
                .antMatchers(
                        "/person/add","/person/update","/person/updatePerson","/person/delete"
                )
                .hasAnyAuthority(
                        AUTHORITY_ADMIN
                )
                .anyRequest().permitAll()
                .and().csrf().disable();


        //权限不够时的出理
        http.exceptionHandling()
                .authenticationEntryPoint(new AuthenticationEntryPoint() {
                    //没有登陆
                    @Override
                    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
                        String xRequestedWith = request.getHeader("x-requested-with");
                        if("XMLHttpRequest".equals(xRequestedWith)){
                            response.setContentType("application/plain/character=utf-8");
                            PrintWriter writer=response.getWriter();
                            writer.write((CommunityUtil.getJSONString(403,"你还没有登录呕")));
                        }else{
                            response.sendRedirect(request.getContextPath()+"/login");
                        }
                    }
                })
                .accessDeniedHandler(new AccessDeniedHandler() {
                    //权限不足
                    @Override
                    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException e) throws IOException, ServletException {
                        String xRequestedWith = request.getHeader("x-requested-with");
                        if("XMLHttpRequest".equals(xRequestedWith)){
                            response.setContentType("application/plain/character=utf-8");
                            PrintWriter writer=response.getWriter();
                            writer.write((CommunityUtil.getJSONString(403,"没有访问此页面的权限")));
                        }else{
                            response.sendRedirect(request.getContextPath()+"/error");
                        }
                    }
                });

        //Security底层会默认拦截/logout请求,进行退出处理
        //覆盖它原来的逻辑
        http.logout().logoutUrl("/Securitylogout");

    }
}

3. 实现UserDetails和UserDetailsService接口

本项目中使用student作为用户表,同时使用type作为权限标识

3.1 将student用户类继承UserDetails接口

SpringSecurty提供了多种验证方法,本次采用用户名/密码的方式进行验证。所以需要实现UserDetailsService接口中的loadUserByUserName方法,从数据库中查找对应的数据然后与用户输入数据进行对比,所以需要返回一个UserDetails对象。

java 复制代码
import com.baomidou.mybatisplus.annotation.IdType;
import com.baomidou.mybatisplus.annotation.TableId;
import lombok.Data;
import lombok.EqualsAndHashCode;
import lombok.experimental.Accessors;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;

@Data
@EqualsAndHashCode(callSuper = false)
@Accessors(chain = true)
public class Student implements UserDetails {

    @TableId(value = "id", type = IdType.AUTO)
    private Integer id;

    private String studentName;

    private String studentSex;

    private String studentSubject;

    private String username;

    private String password;

    private String salt;

    private String email;

    private Integer type;

    private Integer status;

    private String activationCode;

    private String headerUrl;

    private Date createTime;

    private String studentPhone;
    // true: 账号未过期.
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    // true: 账号未锁定.
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    // true: 凭证未过期.
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    // true: 账号可用.
    @Override
    public boolean isEnabled() {
        return true;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> list = new ArrayList<>();
        list.add(new GrantedAuthority() {
            @Override
            public String getAuthority() {
                switch (type) {
                    case 1:
                        return "ADMIN";
                    default:
                        return "USER";
                }
            }
        });
        return list;
    }

}

3.2 同时StudentService继承UserDetailsService

创建getAuthorities方法 获取用户权限,同时Type的字段值代表了用户的权限

自定义实现验证权限类型

java 复制代码
public interface StudentService extends IService<Student>, UserDetailsService {

   

    Collection<? extends GrantedAuthority> getAuthorities(Integer id);
}
java 复制代码
@Service
public class StudentServiceImpl extends ServiceImpl<StudentMapper, Student> implements StudentService {    
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities(Integer id) {
        Student student = this.findStudentById(id);

        List<GrantedAuthority> list = new ArrayList<>();
        list.add(new GrantedAuthority() {
            @Override
            public String getAuthority() {
                switch (student.getType()) {
                    case 1:
                        return AUTHORITY_ADMIN;
                    case 2:
                        return AUTHORITY_MODERATOR;
                    default:
                        return AUTHORITY_USER;
                }
            }
        });
        return list;
    }
}

4. 创建CommunityConstant接口返回权限类型

java 复制代码
public interface CommunityConstant {

    /**
     权限:普通用户ID
     **/
    String AUTHORITY_USER="user";

    /**
     权限:管理员ID
     **/
    String AUTHORITY_ADMIN="admin";

    /**
     权限:管理员ID
     **/
    String AUTHORITY_MODERATOR="moderator";

}

5. 将student中的用户信息导入到Security中,使得安全配置生效

本次采用拦截器的形式来进行构建用户认证结果,并存入SecurityContext,以便于Security进行授权,如果loadUserByName验证通过,则此处没有问题,即可验证通过。

java 复制代码
@Component
public class LoginInterceptor implements HandlerInterceptor {
    @Autowired
    private HostHolder hostHolder;

    @Autowired
    private StudentService studentService;

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

        String ticket = CookieUtil.getValue(request, "ticket");  //调用存在cookie里的数据

        if (ticket != null) {
            // 查询凭证
            LoginTicket loginTicket = studentService.findLoginTicket(ticket);
            // 检查凭证是否有效
            if (loginTicket != null && loginTicket.getStatus() == 0 && loginTicket.getExpired().after(new Date())) {

                // 根据凭证查询用户
                Student student = studentService.findStudentById(loginTicket.getUserId());
                // 在本次请求中持有用户
                hostHolder.setStudent(student);

                //构建用户认证结果,并存入SecurityContext,以便于Security进行授权
                Authentication authentication=new UsernamePasswordAuthenticationToken(
                        student,student.getPassword(),studentService.getAuthorities(student.getId()));

                SecurityContextHolder.setContext(new SecurityContextImpl(authentication));
                return true;
            }else{
                response.sendRedirect(request.getContextPath()+"/login");   //转发请求 到request.getContextPath() + "/login";
            }
        }else {
            response.sendRedirect(request.getContextPath()+"/login");   //request.getContextPath()为请求目录  localhost:8080/sushe/
        }
        return false;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        Student student = hostHolder.getStudent();
        if (student != null && modelAndView != null) {
            modelAndView.addObject("loginStudent", student);
        }
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        hostHolder.clear();
    }
}

6. 配置接口权限

antMatchers表示对应接口。hasAnyAuthority表示对应的权限

java 复制代码
@Override
    protected void configure(HttpSecurity http) throws Exception {
        //授权
        http.authorizeRequests()
                .antMatchers(
                        "/person/findAll","/person/relation/*","/subject/findAll","/subject/relation/*",
                        "/lou/findAll","/home/findAll","/person/delete/*"
                )
                .hasAnyAuthority(
                        AUTHORITY_USER,
                        AUTHORITY_ADMIN,
                        AUTHORITY_MODERATOR
                )
                .antMatchers(
                        "/person/add","/person/update","/person/updatePerson","/person/delete"
                )
                .hasAnyAuthority(
                        AUTHORITY_ADMIN
                )
                .anyRequest().permitAll()
                .and().csrf().disable();


        //权限不够时的出理
        http.exceptionHandling()
                .authenticationEntryPoint(new AuthenticationEntryPoint() {
                    //没有登陆
                    @Override
                    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
                        String xRequestedWith = request.getHeader("x-requested-with");
                        if("XMLHttpRequest".equals(xRequestedWith)){
                            response.setContentType("application/plain/character=utf-8");
                            PrintWriter writer=response.getWriter();
                            writer.write((CommunityUtil.getJSONString(403,"你还没有登录呕")));
                        }else{
                            response.sendRedirect(request.getContextPath()+"/login");
                        }
                    }
                })
                .accessDeniedHandler(new AccessDeniedHandler() {
                    //权限不足
                    @Override
                    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException e) throws IOException, ServletException {
                        String xRequestedWith = request.getHeader("x-requested-with");
                        if("XMLHttpRequest".equals(xRequestedWith)){
                            response.setContentType("application/plain/character=utf-8");
                            PrintWriter writer=response.getWriter();
                            writer.write((CommunityUtil.getJSONString(403,"没有访问此页面的权限")));
                        }else{
                            response.sendRedirect(request.getContextPath()+"/error");
                        }
                    }
                });
相关推荐
路在脚下@12 分钟前
spring boot的配置文件属性注入到类的静态属性
java·spring boot·sql
啦啦右一13 分钟前
Spring Boot | (一)Spring开发环境构建
spring boot·后端·spring
森屿Serien14 分钟前
Spring Boot常用注解
java·spring boot·后端
苹果醋31 小时前
React源码02 - 基础知识 React API 一览
java·运维·spring boot·mysql·nginx
Hello.Reader2 小时前
深入解析 Apache APISIX
java·apache
菠萝蚊鸭2 小时前
Dhatim FastExcel 读写 Excel 文件
java·excel·fastexcel
旭东怪2 小时前
EasyPoi 使用$fe:模板语法生成Word动态行
java·前端·word
007php0072 小时前
Go语言zero项目部署后启动失败问题分析与解决
java·服务器·网络·python·golang·php·ai编程
∝请叫*我简单先生2 小时前
java如何使用poi-tl在word模板里渲染多张图片
java·后端·poi-tl
ssr——ssss3 小时前
SSM-期末项目 - 基于SSM的宠物信息管理系统
java·ssm