SpringSecurity权限管理,根据请求URL鉴权

avatar 2019年06月25日15:41:37 6 15944 views
博主分享免费Java教学视频,B站账号:Java刘哥 ,长期提供技术问题解决、项目定制:本站商品点此
SpringSecurity和Shiro是两大权限框架,前者属于Spring家族,功能比较强,重量级的存在,新手搞的时候可能会经常遇到坑。后者比较轻量级,上手相对比较简单。这两个我都写过权限管理的博客。

前填有个朋友让我帮他把他的一个 SpringSecurity 项目改造成通过URL检查权限,之前他在控制器每个方法上加上如下注解来实现的,该方法通常是初学者使用的,但是用于公司的大型项目肯定不行,比较蠢,代码冗余,不能扩展,不利于维护。
  1. @PreAuthorize("hasAnyAuthority('ROLE_ADMIN'")  // 指定角色权限才能操作方法

现在的目标就是剔除所有的该注解,通过拦截器来判断该用户是否有该URL的权限。

在这之前先讲一下Spring Security实现权限管理吧!


一、数据库设计


主要包括用户表,角色表,权限表,用户和角色关联表,角色和权限关联表

重要字段我都用红线标明了

其中权限表(t_permission)其实也充当了菜单表的作用,其中的path字段就是请求路径,如 /post,/psot/new,/post/edit/* (我们以正则表达式的方式写,后面不限字符串以*表示),到时候比对的时候用正则表达式判断







实体类这里就不给了,这里主要还是讲核心思想

主要关注第二节的配置


二、核心文件


1.SpringSecurity的配置文件

WebSecurityConfig.java
  1. package com.liuyanzhao.sens.config.security;
  3. import com.liuyanzhao.sens.common.utils.SecurityUtil;
  4. import com.liuyanzhao.sens.config.security.jwt.AuthenticationFailHandler;
  5. import com.liuyanzhao.sens.config.security.jwt.AuthenticationSuccessHandler;
  6. import com.liuyanzhao.sens.config.security.jwt.JWTAuthenticationFilter;
  7. import com.liuyanzhao.sens.config.security.jwt.RestAccessDeniedHandler;
  8. import com.liuyanzhao.sens.config.security.permission.MyFilterSecurityInterceptor;
  9. import lombok.extern.slf4j.Slf4j;
  10. import org.springframework.beans.factory.annotation.Autowired;
  11. import org.springframework.beans.factory.annotation.Value;
  12. import org.springframework.context.annotation.Configuration;
  13. import org.springframework.data.redis.core.StringRedisTemplate;
  14. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  15. import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
  16. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  17. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  18. import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
  19. import org.springframework.security.config.http.SessionCreationPolicy;
  20. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  21. import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
  23. /**
  24.  * Security 核心配置类
  25.  * 开启注解控制权限至Controller
  26.  * @author 言曌
  27.  */
  28. @Slf4j
  29. @Configuration
  30. @EnableGlobalMethodSecurity(prePostEnabled=true)
  31. public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  33.  @Autowired
  34.     private IgnoredUrlsProperties ignoredUrlsProperties;
  36.     @Autowired
  37.     private UserDetailsServiceImpl userDetailsService;
  39.     @Autowired
  40.     private AuthenticationSuccessHandler successHandler;
  42.     @Autowired
  43.     private AuthenticationFailHandler failHandler;
  45.     @Autowired
  46.     private RestAccessDeniedHandler accessDeniedHandler;
  48.     @Autowired
  49.     private MyFilterSecurityInterceptor myFilterSecurityInterceptor;
  51.     @Autowired
  52.     private StringRedisTemplate redisTemplate;
  54.     @Autowired
  55.     private SecurityUtil securityUtil;
  57.     @Override
  58.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  59.         auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
  60.     }
  62.     @Override
  63.     protected void configure(HttpSecurity http) throws Exception {
  65.         ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http
  66.                 .authorizeRequests();
  68.         //除配置文件忽略路径其它所有请求都需经过认证和授权
  69.         for(String url:ignoredUrlsProperties.getUrls()){
  70.             registry.antMatchers(url).permitAll();
  71.         }
  73.         registry.and()
  74.                 //表单登录方式
  75.                 .formLogin()
  76.                 .loginPage("/sens/common/needLogin")
  77.                 //登录请求url
  78.                 .loginProcessingUrl("/sens/login")
  79.                 .permitAll()
  80.                 //成功处理类
  81.                 .successHandler(successHandler)
  82.                 //失败
  83.                 .failureHandler(failHandler)
  84.                 .and()
  85.                 //允许网页iframe
  86.                 .headers().frameOptions().disable()
  87.                 .and()
  88.                 .logout()
  89.                 .permitAll()
  90.                 .and()
  91.                 .authorizeRequests()
  92.                 //任何请求
  93.                 .anyRequest()
  94.                 //需要身份认证
  95.                 .authenticated()
  96.                 .and()
  97.                 //关闭跨站请求防护
  98.                 .csrf().disable()
  99.                 //前后端分离采用JWT 不需要session
  100.                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
  101.                 .and()
  102.                 //自定义权限拒绝处理类
  103.                 .exceptionHandling().accessDeniedHandler(accessDeniedHandler)
  104.                 .and() //添加自定义权限过滤器
  105.                 .addFilterBefore(myFilterSecurityInterceptor, FilterSecurityInterceptor.class);
  106.     }
  107. }

addFilterBefore 作用就是当执行权限验证前执行,我们需要在这之前判断即可。



2.自定义拦截器

MyFilterSecurityInterceptor.java
  1. package com.liuyanzhao.sens.config.security.permission;
  3. import lombok.extern.slf4j.Slf4j;
  4. import org.springframework.beans.factory.annotation.Autowired;
  5. import org.springframework.security.access.SecurityMetadataSource;
  6. import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
  7. import org.springframework.security.access.intercept.InterceptorStatusToken;
  8. import org.springframework.security.web.FilterInvocation;
  9. import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
  10. import org.springframework.stereotype.Component;
  12. import javax.servlet.*;
  13. import java.io.IOException;
  15. /**
  16.  * 权限管理拦截器
  17.  * 监控用户行为
  18.  * @author 言曌
  19.  */
  20. @Slf4j
  21. @Component
  22. public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
  24.     @Autowired
  25.     private FilterInvocationSecurityMetadataSource securityMetadataSource;
  27.     @Autowired
  28.     public void setMyAccessDecisionManager(MyAccessDecisionManager myAccessDecisionManager) {
  29.         super.setAccessDecisionManager(myAccessDecisionManager);
  30.     }
  32.     @Override
  33.     public void init(FilterConfig filterConfig) throws ServletException {
  35.     }
  37.     @Override
  38.     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
  40.         FilterInvocation fi = new FilterInvocation(request, response, chain);
  41.         invoke(fi);
  42.     }
  44.     public void invoke(FilterInvocation fi) throws IOException, ServletException {
  46.         InterceptorStatusToken token = super.beforeInvocation(fi);
  47.         try {
  48.             fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
  49.         } finally {
  50.             super.afterInvocation(token, null);
  51.         }
  52.     }
  54.     @Override
  55.     public void destroy() {
  57.     }
  59.     @Override
  60.     public Class<?> getSecureObjectClass() {
  61.         return FilterInvocation.class;
  62.     }
  64.     @Override
  65.     public SecurityMetadataSource obtainSecurityMetadataSource() {
  66.         return this.securityMetadataSource;
  67.     }
  68. }



3.自定义权限资源管理器

MySecurityMetadataSource.java
  1. package com.liuyanzhao.sens.config.security.permission;
  3. import com.liuyanzhao.sens.common.constant.CommonConstant;
  4. import com.liuyanzhao.sens.modules.base.entity.Permission;
  5. import com.liuyanzhao.sens.modules.base.service.PermissionService;
  6. import cn.hutool.core.util.StrUtil;
  7. import lombok.extern.slf4j.Slf4j;
  8. import org.springframework.beans.factory.annotation.Autowired;
  9. import org.springframework.security.access.ConfigAttribute;
  10. import org.springframework.security.access.SecurityConfig;
  11. import org.springframework.security.web.FilterInvocation;
  12. import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
  13. import org.springframework.stereotype.Component;
  14. import org.springframework.util.AntPathMatcher;
  15. import org.springframework.util.PathMatcher;
  17. import java.util.*;
  19. /**
  20.  * 权限资源管理器
  21.  * 为权限决断器提供支持
  22.  *
  23.  * @author 言曌
  24.  */
  25. @Slf4j
  26. @Component
  27. public class MySecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
  29.     @Autowired
  30.     private PermissionService permissionService;
  32.     private Map<String, Collection<ConfigAttribute>> map = null;
  34.     /**
  35.      * 加载权限表中所有操作请求权限
  36.      */
  37.     public void loadResourceDefine() {
  39.         map = new HashMap<>(16);
  40.         Collection<ConfigAttribute> configAttributes;
  41.         ConfigAttribute cfg;
  42.         // 获取启用的权限操作请求
  43.         List<Permission> permissions = permissionService.findByTypeAndStatusOrderBySortOrder(CommonConstant.PERMISSION_OPERATION, CommonConstant.STATUS_NORMAL);
  44.         for (Permission permission : permissions) {
  45.             if (StrUtil.isNotBlank(permission.getTitle()) && StrUtil.isNotBlank(permission.getPath())) {
  46.                 configAttributes = new ArrayList<>();
  47.                 cfg = new SecurityConfig(permission.getTitle());
  48.                 //作为MyAccessDecisionManager类的decide的第三个参数
  49.                 configAttributes.add(cfg);
  50.                 //用权限的path作为map的key,用ConfigAttribute的集合作为value
  51.                 map.put(permission.getPath(), configAttributes);
  52.             }
  53.         }
  54.     }
  56.     /**
  57.      * 判定用户请求的url是否在权限表中
  58.      * 如果在权限表中,则返回给decide方法,用来判定用户是否有此权限
  59.      * 如果不在权限表中则放行
  60.      *
  61.      * @param o
  62.      * @return
  63.      * @throws IllegalArgumentException
  64.      */
  65.     @Override
  66.     public Collection<ConfigAttribute> getAttributes(Object o) throws IllegalArgumentException {
  68.         if (map == null) {
  69.             loadResourceDefine();
  70.         }
  71.         //Object中包含用户请求request
  72.         String url = ((FilterInvocation) o).getRequestUrl();
  73.         PathMatcher pathMatcher = new AntPathMatcher();
  74.         Iterator<String> iterator = map.keySet().iterator();
  75.         while (iterator.hasNext()) {
  76.             String resURL = iterator.next();
  77.             if (StrUtil.isNotBlank(resURL) && pathMatcher.match(resURL, url)) {
  78.                 return map.get(resURL);
  79.             }
  80.         }
  81.         return null;
  82.     }
  84.     @Override
  85.     public Collection<ConfigAttribute> getAllConfigAttributes() {
  86.         return null;
  87.     }
  89.     @Override
  90.     public boolean supports(Class<?> aClass) {
  91.         return true;
  92.     }
  93. }



4.自定义角色决断器

MyAccessDecisionManager.java
  1. package com.liuyanzhao.sens.config.security.permission;
  3. import lombok.extern.slf4j.Slf4j;
  4. import org.springframework.security.access.AccessDecisionManager;
  5. import org.springframework.security.access.AccessDeniedException;
  6. import org.springframework.security.access.ConfigAttribute;
  7. import org.springframework.security.authentication.InsufficientAuthenticationException;
  8. import org.springframework.security.core.Authentication;
  9. import org.springframework.security.core.GrantedAuthority;
  10. import org.springframework.stereotype.Component;
  12. import java.util.Collection;
  13. import java.util.Iterator;
  15. /**
  16.  * 权限管理决断器
  17.  * 判断用户拥有的权限或角色是否有资源访问权限
  18.  * @author 言曌
  19.  */
  20. @Slf4j
  21. @Component
  22. public class MyAccessDecisionManager implements AccessDecisionManager {
  24.     @Override
  25.     public void decide(Authentication authentication, Object o, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
  27.         if(configAttributes==null){
  28.             return;
  29.         }
  30.         Iterator<ConfigAttribute> iterator = configAttributes.iterator();
  31.         while (iterator.hasNext()){
  32.             ConfigAttribute c = iterator.next();
  33.             String needPerm = c.getAttribute();
  34.             for(GrantedAuthority ga : authentication.getAuthorities()) {
  35.                 // 匹配用户拥有的ga 和 系统中的needPerm
  36.                 if(needPerm.trim().equals(ga.getAuthority())) {
  37.                     return;
  38.                 }
  39.             }
  40.         }
  41.         throw new AccessDeniedException("抱歉,您没有访问权限");
  42.     }
  44.     @Override
  45.     public boolean supports(ConfigAttribute configAttribute) {
  46.         return true;
  47.     }
  49.     @Override
  50.     public boolean supports(Class<?> aClass) {
  51.         return true;
  52.     }
  53. }


三、基本整合


1.UserDetailsServiceImpl.java
  1. package com.liuyanzhao.sens.config.security;
  3. import com.liuyanzhao.sens.modules.base.entity.User;
  4. import com.liuyanzhao.sens.common.exception.LoginFailLimitException;
  5. import com.liuyanzhao.sens.modules.base.service.UserService;
  6. import cn.hutool.core.util.StrUtil;
  7. import lombok.extern.slf4j.Slf4j;
  8. import org.springframework.beans.factory.annotation.Autowired;
  9. import org.springframework.data.redis.core.StringRedisTemplate;
  10. import org.springframework.security.core.userdetails.UserDetails;
  11. import org.springframework.security.core.userdetails.UserDetailsService;
  12. import org.springframework.security.core.userdetails.UsernameNotFoundException;
  13. import org.springframework.stereotype.Component;
  15. import java.util.concurrent.TimeUnit;
  17. /**
  18.  * @author 言曌
  19.  */
  20. @Slf4j
  21. @Component
  22. public class UserDetailsServiceImpl implements UserDetailsService{
  24.     @Autowired
  25.     private StringRedisTemplate redisTemplate;
  27.     @Autowired
  28.     private UserService userService;
  30.     @Override
  31.     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
  33.         String flagKey = "loginFailFlag:" + username;
  34.         String value = redisTemplate.opsForValue().get(flagKey);
  35.         Long timeRest = redisTemplate.getExpire(flagKey, TimeUnit.MINUTES);
  36.         if(StrUtil.isNotBlank(value)){
  37.             //超过限制次数
  38.             throw new LoginFailLimitException("登录错误次数超过限制,请"+timeRest+"分钟后再试");
  39.         }
  40.         User user = userService.findByUsername(username);
  41.         return new SecurityUserDetails(user);
  42.     }
  43. }



2.SecurityUserDetails.java
  1. package com.liuyanzhao.sens.config.security;
  3. import com.liuyanzhao.sens.common.constant.CommonConstant;
  4. import com.liuyanzhao.sens.modules.base.entity.Permission;
  5. import com.liuyanzhao.sens.modules.base.entity.Role;
  6. import com.liuyanzhao.sens.modules.base.entity.User;
  7. import cn.hutool.core.util.StrUtil;
  8. import lombok.extern.slf4j.Slf4j;
  9. import org.springframework.security.core.GrantedAuthority;
  10. import org.springframework.security.core.authority.SimpleGrantedAuthority;
  11. import org.springframework.security.core.userdetails.UserDetails;
  13. import java.util.ArrayList;
  14. import java.util.Collection;
  15. import java.util.List;
  17. /**
  18.  * @author 言曌
  19.  */
  20. @Slf4j
  21. public class SecurityUserDetails extends User implements UserDetails {
  23.     private static final long serialVersionUID = 1L;
  25.     public SecurityUserDetails(User user) {
  27.         if(user!=null) {
  28.             this.setUsername(user.getUsername());
  29.             this.setPassword(user.getPassword());
  30.             this.setStatus(user.getStatus());
  31.             this.setRoles(user.getRoles());
  32.             this.setPermissions(user.getPermissions());
  33.         }
  34.     }
  36.     /**
  37.      * 添加用户拥有的权限和角色
  38.      * @return
  39.      */
  40.     @Override
  41.     public Collection<? extends GrantedAuthority> getAuthorities() {
  43.         List<GrantedAuthority> authorityList = new ArrayList<>();
  44.         List<Permission> permissions = this.getPermissions();
  45.         // 添加请求权限
  46.         if(permissions!=null&&permissions.size()>0){
  47.             for (Permission permission : permissions) {
  48.                 if(CommonConstant.PERMISSION_OPERATION.equals(permission.getType())
  49.                         &&StrUtil.isNotBlank(permission.getTitle())
  50.                         &&StrUtil.isNotBlank(permission.getPath())) {
  52.                     authorityList.add(new SimpleGrantedAuthority(permission.getTitle()));
  53.                 }
  54.             }
  55.         }
  56.         // 添加角色
  57.         List<Role> roles = this.getRoles();
  58.         if(roles!=null&&roles.size()>0){
  59.             // lambda表达式
  60.             roles.forEach(item -> {
  61.                 if(StrUtil.isNotBlank(item.getName())){
  62.                     authorityList.add(new SimpleGrantedAuthority(item.getName()));
  63.                 }
  64.             });
  65.         }
  66.         return authorityList;
  67.     }
  69.     /**
  70.      * 账户是否过期
  71.      * @return
  72.      */
  73.     @Override
  74.     public boolean isAccountNonExpired() {
  76.         return true;
  77.     }
  79.     /**
  80.      * 是否禁用
  81.      * @return
  82.      */
  83.     @Override
  84.     public boolean isAccountNonLocked() {
  86.         return CommonConstant.USER_STATUS_LOCK.equals(this.getStatus()) ? false : true;
  87.     }
  89.     /**
  90.      * 密码是否过期
  91.      * @return
  92.      */
  93.     @Override
  94.     public boolean isCredentialsNonExpired() {
  96.         return true;
  97.     }
  99.     /**
  100.      * 是否启用
  101.      * @return
  102.      */
  103.     @Override
  104.     public boolean isEnabled() {
  106.         return CommonConstant.USER_STATUS_NORMAL.equals(this.getStatus()) ? true : false;
  107.     }
  108. }


四、匿名访问的URL通过application.yml配置


上面 WebSecurityConfig 中我们通过读取 application.yml 中的配置,允许匿名访问这些路径。

公司通常也是这样做的。

IgnoredUrlsProperties.java
  1. package com.liuyanzhao.sens.config.security;
  3. import lombok.Data;
  4. import org.springframework.boot.context.properties.ConfigurationProperties;
  5. import org.springframework.context.annotation.Configuration;
  7. import java.util.ArrayList;
  8. import java.util.List;
  10. /**
  11.  * @author 言曌
  12.  */
  13. @Data
  14. @Configuration
  15. @ConfigurationProperties(prefix = "ignored")
  16. public class IgnoredUrlsProperties {
  18.     private List<String> urls = new ArrayList<>();
  19. }



application.yml
  1. # 忽略鉴权url
  2. ignored:
  3.   urls:
  4.     - /editor-app/**
  5.     - /sens/act/**
  6.     - /sens/dictData/getByType/**
  7.     - /sens/email/sendResetCode
  8.     - /sens/email/resetByEmail
  9.     - /sens/file/view/**
  10.     - /sens/social/**
  11.     - /sens/ws/**
  12.     - /sens/user/regist
  13.     - /sens/user/smsLogin
  14.     - /sens/user/resetByMobile
  15.     - /sens/common/**
  16.     - /druid/**
  17.     - /swagger-ui.html
  18.     - /swagger-resources/**
  19.     - /swagger/**
  20.     - /**/v2/api-docs
  21.     - /**/*.js
  22.     - /**/*.css
  23.     - /**/*.png
  24.     - /**/*.ico
  25.     - /test/**







历史上的今天
六月
25日
  • 微信
  • 交流学习,服务定制
  • weinxin
  • 个人淘宝
  • 店铺名:言曌博客咨询部

  • (部分商品未及时上架淘宝)
avatar

发表评论

avatar 登录者:匿名
匿名评论,评论回复后会有邮件通知

  

已通过评论:0   待审核评论数:0