我想每個寫項目的人，都肯定會遇到控制權(quán)限這個問題.
例如這個這個鏈接只能管理員訪問，那個鏈接丫只能超級管理員訪問等等，實現(xiàn)方式也有多種多樣，控制的粒度也不一樣。
以前剛學的時候，不會框架，大都是手寫注解+過濾器來進行權(quán)限的控制，但這樣增加了過濾器的負擔。用起來也會稍微有些麻煩，粒度不太好控制。

用框架的話，就是封裝了更多的操作，讓一切更簡單吧。當然不局限于Security，還有像Shiro安全框架，這兩種非常常見。
一起加油吧！！！😁
先看個圖舒緩一下，準備開始吧🐱?🏍

下面就開始吧！！！👇

SpringBoot整合Security安全框架、控制權(quán)限

• • 一、前言
  • • 介紹：
    • 官網(wǎng)：
    • 優(yōu)缺點：
    • 案例：
  • 二、環(huán)境準備
  • • 2.1、數(shù)據(jù)庫表
    • 2.2、導入依賴
    • 2.3、配置文件
    • 2.4、`WebSecurityConfig` Security的主要配置類：
    • 2.5、Security身份驗證
    • 2.6、Security授權(quán)
    • 2.7、UserDetailsService
    • 2.7、MacLoginUrlAuthenticationEntryPoint
    • 2.8、MyAccessDeniedHandler
    • 2.9、MyLogoutSuccessHandler
    • 2.10、JWT的工具類
  • 三、代碼
  • • entity
    • mapper
    • service、impl
    • controller
  • 四、測試
  • • 1）登錄
    • 2）測試管理員
  • 五、總結(jié)

一、前言

介紹：

Spring Security是一個能夠為基于Spring的企業(yè)應用系統(tǒng)提供聲明式的安全訪問控制解決方案的安全框架。它提供了一組可以在Spring應用上下文中配置的Bean，充分利用了Spring IoC，DI（控制反轉(zhuǎn)Inversion of Control ,DI:Dependency Injection 依賴注入）和AOP（面向切面編程）功能，為應用系統(tǒng)提供聲明式的安全訪問控制功能，減少了為企業(yè)系統(tǒng)安全控制編寫大量重復代碼的工作。

官網(wǎng)：

SpringSecurity 最新

SpringSecurity 5.0.6版本

優(yōu)缺點：

優(yōu)點

• Spring Boot 官方提供了大量的非常方便的開箱即用的 Starter ，包括 Spring Security 的 Starter ，使得在 Spring Boot 中使用 Spring Security 變得更加容易。

• Spring Security功能強大，比較好用。

缺點

Spring Security 是一個重量級的安全管理框架，

Spring Security概念復雜，配置繁瑣（這個確實，沒法逃開）

案例：

我們在訪問一個網(wǎng)站時，大都都會設置普通用戶能有的權(quán)限，然后管理員有的權(quán)限，再就是超級管理員等等，這次就是實現(xiàn)這樣一個案例。

項目結(jié)構(gòu)：

二、環(huán)境準備

2.1、數(shù)據(jù)庫表

CREATE TABLE `account` (`id` int(10) NOT NULL AUTO_INCREMENT,`username` varchar(25) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL,`password` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL,`role` varchar(25) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL,PRIMARY KEY (`id`) USING BTREE ) ENGINE = InnoDB AUTO_INCREMENT = 5 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;INSERT INTO `account` VALUES (1, 'user', '$2a$10$1MHNdZS.oCICxLRVbnNBZe4CRn9Rk1MVQhasSMhHr0G4BCNQjPpna', 'ROLE_USER'); INSERT INTO `account` VALUES (2, 'admin', '$2a$10$dKkrkgVzaCPX74TvxOjwNuFJjIRJeAuDPKFntwNwRvRHkwIAHV5Q6', 'ROLE_ADMIN'); INSERT INTO `account` VALUES (3, 'super_admin', '$2a$10$CqOXnSp6oks9UTvsops4U.0vMGbUE2Bp28xKaPmlug4W8Mk59Sj8y', 'ROLE_SUPER_ADMIN'); INSERT INTO `account` VALUES (4, 'test', '$2a$10$SQsuH1XfxHdsVmf2nE75wOAE6GHm1nd/xDp/08KYJmtbzJt2J6xIG', 'TEST');

2.2、導入依賴

<parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.5.2</version><relativePath/> <!-- lookup parent from repository --> </parent> <dependencies><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId></dependency><dependency><groupId>com.baomidou</groupId><artifactId>mybatis-plus-boot-starter</artifactId><version>3.4.1</version></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId><version>0.9.0</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><optional>true</optional></dependency><!--java版本太高 向下兼容的包--><dependency><groupId>javax.xml.bind</groupId><artifactId>jaxb-api</artifactId><version>2.3.0</version></dependency> </dependencies>

2.3、配置文件

# 應用名稱 spring.application.name=demo # 應用服務 WEB 訪問端口 server.port=8080spring.datasource.name=defaultDataSource # 數(shù)據(jù)庫連接地址 spring.datasource.url=jdbc:mysql://localhost:3306/security?serverTimezone=UTC # 數(shù)據(jù)庫用戶名&密碼： spring.datasource.username=root spring.datasource.password=123456mybatis-plus.mapper-locations=classpath:mapper/**/*.xmllogging.level.com.crush.security.mapper=DEBUG# token 存活時間 token.expire=3600000 token.key=123456

2.4、WebSecurityConfig Security的主要配置類：

import com.crush.security.auth.filter.JwtAuthenticationFilter; import com.crush.security.auth.filter.JwtAuthorizationFilter; import com.crush.security.auth.handle.MacLoginUrlAuthenticationEntryPoint; import com.crush.security.auth.handle.MyAccessDeniedHandler; import com.crush.security.auth.handle.MyLogoutSuccessHandler; import com.crush.security.auth.service.UserDetailServiceImpl; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder;/*** @author crush*/ @Configuration @EnableWebSecurity //啟用全局配置 @EnableGlobalMethodSecurity(prePostEnabled = true) public class WebSecurityConfig extends WebSecurityConfigurerAdapter {/**放行的路徑*/private final String[] PATH_RELEASE = {"/login","/all"};/***根據(jù)用戶名找到用戶*/@Autowiredprivate UserDetailServiceImpl userDetailService;@Autowiredprivate MacLoginUrlAuthenticationEntryPoint macLoginUrlAuthenticationEntryPoint;@Autowiredprivate MyAccessDeniedHandler myAccessDeniedHandler;@Autowiredprivate MyLogoutSuccessHandler myLogoutSuccessHandler;@Overrideprotected void configure(HttpSecurity http) throws Exception {http.cors().and().csrf().disable();http.authorizeRequests()/**antMatchers (這里的路徑) permitAll 這里是允許所有人 訪問*/.antMatchers(PATH_RELEASE).permitAll()/** 映射任何請求 */.anyRequest()/** 指定任何經(jīng)過身份驗證的用戶都允許使用URL。*/.authenticated()/** 指定支持基于表單的身份驗證 */.and().formLogin().permitAll()/** 允許配置異常處理。可以自己傳值進去 使用WebSecurityConfigurerAdapter時，將自動應用此WebSecurityConfigurerAdapter 。*/.and().exceptionHandling()/** 設置要使用的AuthenticationEntryPoint。 macLoginUrlAuthenticationEntryPoint 驗證是否登錄*/.authenticationEntryPoint(macLoginUrlAuthenticationEntryPoint)/** 指定要使用的AccessDeniedHandler 處理拒絕訪問失敗。*/.accessDeniedHandler(myAccessDeniedHandler)/** 提供注銷支持。 使用WebSecurityConfigurerAdapter時，將自動應用此WebSecurityConfigurerAdapter 。* 默認設置是訪問URL “ / logout”將使HTTP會話無效，清理配置的所有rememberMe()身份驗證，清除SecurityContextHolder ，* 然后重定向到“ / login？success”，從而注銷用戶*/.and().logout().logoutSuccessHandler(myLogoutSuccessHandler)/** 處理身份驗證表單提交。 授予權(quán)限 */.and().addFilter(new JwtAuthenticationFilter(authenticationManager()))/** 處理HTTP請求的BASIC授權(quán)標頭，然后將結(jié)果放入SecurityContextHolder 。 */.addFilter(new JwtAuthorizationFilter(authenticationManager()))/**不需要session */.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);}@Overridepublic void configure(WebSecurity web) throws Exception {super.configure(web);}/*** * 因為使用了BCryptPasswordEncoder來進行密碼的加密，所以身份驗證的時候也的用他來判斷哈、，* @param auth* @throws Exception*/@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailService).passwordEncoder(passwordEncoder());}/** * 密碼加密*/@BeanPasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();} }

2.5、Security身份驗證

import com.crush.security.entity.MyUser; import com.crush.security.utils.JwtTokenUtils; import com.fasterxml.jackson.databind.ObjectMapper; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; import java.util.ArrayList; import java.util.Collection;/*** 處理身份驗證表單提交。** @author crush*/ public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {private AuthenticationManager authenticationManager;public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {this.authenticationManager = authenticationManager;}/*** 執(zhí)行實際的身份驗證。* 該實現(xiàn)應執(zhí)行以下操作之一：* 返回已驗證用戶的已填充驗證令牌，指示驗證成功* 返回null，表示身份驗證過程仍在進行中。 在返回之前，實現(xiàn)應執(zhí)行完成該過程所需的任何其他工作。* 如果身份驗證過程失敗，則拋出AuthenticationException*/@Overridepublic Authentication attemptAuthentication(HttpServletRequest request,HttpServletResponse response) throws AuthenticationException {//輸入流中獲取到登錄的信息try {MyUser loginUser = new ObjectMapper().readValue(request.getInputStream(), MyUser.class);logger.info("loginUser===>" + loginUser);/*** authenticate* 嘗試對傳遞的Authentication對象進行身份Authentication ，* 如果成功，則返回完全填充的Authentication對象（包括授予的權(quán)限）* */return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(loginUser.getUsername(), loginUser.getPassword(), new ArrayList<>()));} catch (IOException e) {e.printStackTrace();return null;}}/*** 成功驗證后調(diào)用的方法* 如果驗證成功，就生成token并返回*/@Overrideprotected void successfulAuthentication(HttpServletRequest request,HttpServletResponse response,FilterChain chain,Authentication authResult) throws IOException, ServletException {// 查看源代碼會發(fā)現(xiàn)調(diào)用getPrincipal()方法會返回一個實現(xiàn)了`UserDetails`接口的對象// 所以就是JwtUser啦MyUser user = (MyUser) authResult.getPrincipal();String role = "";// 因為在JwtUser中存了權(quán)限信息，可以直接獲取，由于只有一個角色就這么干了Collection<? extends GrantedAuthority> authorities = user.getAuthorities();for (GrantedAuthority authority : authorities) {role = authority.getAuthority();}// 根據(jù)用戶名，角色創(chuàng)建token并返回json信息String token = JwtTokenUtils.createToken(user.getUsername(), role, false);user.setPassword(null);user.setToken(JwtTokenUtils.TOKEN_PREFIX + token);response.setStatus(HttpServletResponse.SC_OK);response.setHeader("token", JwtTokenUtils.TOKEN_PREFIX + token);response.setContentType("application/json;charset=utf-8");PrintWriter writer = response.getWriter();writer.write(new ObjectMapper().writeValueAsString(user));}/*** 驗證失敗時候調(diào)用的方法*/@Overrideprotected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {response.setStatus(HttpServletResponse.SC_FORBIDDEN);response.setContentType("application/json;charset=utf-8");PrintWriter writer = response.getWriter();writer.write(new ObjectMapper().writeValueAsString( "登錄失敗，賬號或密碼錯誤"));} }

2.6、Security授權(quán)

import com.crush.security.utils.JwtTokenUtils; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.Collections;/*** 處理HTTP請求的BASIC授權(quán)標頭，然后將結(jié)果放入SecurityContextHolder 。*/ public class JwtAuthorizationFilter extends BasicAuthenticationFilter {public JwtAuthorizationFilter(AuthenticationManager authenticationManager) {super(authenticationManager);}@Overrideprotected void doFilterInternal(HttpServletRequest request,HttpServletResponse response,FilterChain chain) throws IOException, ServletException {String tokenHeader = request.getHeader(JwtTokenUtils.TOKEN_HEADER);// 如果請求頭中沒有Authorization信息則直接放行了if (tokenHeader == null || !tokenHeader.startsWith(JwtTokenUtils.TOKEN_PREFIX)) {chain.doFilter(request, response);return;}// 如果請求頭中有token，則進行解析，并且設置認證信息SecurityContextHolder.getContext().setAuthentication(getAuthentication(tokenHeader));super.doFilterInternal(request, response, chain);}/** * 這里從token中獲取用戶信息并新建一個token*/private UsernamePasswordAuthenticationToken getAuthentication(String tokenHeader) {String token = tokenHeader.replace(JwtTokenUtils.TOKEN_PREFIX, "");String username = JwtTokenUtils.getUsername(token.trim());String role = JwtTokenUtils.getUserRole(token);if (username != null) {return new UsernamePasswordAuthenticationToken(username, null,Collections.singleton(new SimpleGrantedAuthority(role)));}return null;} }

2.7、UserDetailsService

UserDetailServiceImpl 實現(xiàn)了UserDetailsService,用來加載用戶特定數(shù)據(jù)的核心接口。

import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper; import com.crush.security.entity.MyUser; import com.crush.security.service.IMyUserService; import lombok.extern.slf4j.Slf4j; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Service;@Slf4j @Service public class UserDetailServiceImpl implements UserDetailsService {finalIMyUserService userService;public UserDetailServiceImpl(IMyUserService userService) {this.userService = userService;}@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {MyUser user = userService.getOne(new QueryWrapper<MyUser>().eq("username", username));return user;} }

2.7、MacLoginUrlAuthenticationEntryPoint

/*** * 身份驗證沒有通過回調(diào)*/ @Component public class MacLoginUrlAuthenticationEntryPoint implements AuthenticationEntryPoint {@Overridepublic void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);httpServletResponse.setContentType("application/json;charset=utf-8");PrintWriter writer = httpServletResponse.getWriter();writer.write(new ObjectMapper().writeValueAsString("未登錄！"));} }

2.8、MyAccessDeniedHandler

/*** 權(quán)限不足回調(diào)*/ @Component public class MyAccessDeniedHandler implements AccessDeniedHandler {@Overridepublic void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException {httpServletResponse.setContentType("application/json;charset=utf-8");httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);PrintWriter writer = httpServletResponse.getWriter();writer.write(new ObjectMapper().writeValueAsString("不好意思，你的權(quán)限不足！"));} }

2.9、MyLogoutSuccessHandler

/*** 退出回調(diào)*/ @Component public class MyLogoutSuccessHandler implements LogoutSuccessHandler {@Overridepublic void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {httpServletResponse.setStatus(HttpServletResponse.SC_OK);httpServletResponse.setContentType("application/json;charset=utf-8");PrintWriter writer = httpServletResponse.getWriter();writer.write(new ObjectMapper().writeValueAsString( "退出成功"));} }

2.10、JWT的工具類

生成token

package com.crush.security.utils;import io.jsonwebtoken.Claims; import io.jsonwebtoken.ExpiredJwtException; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;import java.util.Date; import java.util.HashMap;public class JwtTokenUtils {public static final String TOKEN_HEADER = "Authorization";public static final String TOKEN_PREFIX = "Bearer ";private static final String SECRET = "jwtsecretdemo";private static final String ISS = "echisan";/*** 過期時間是3600秒，既是1個小時*/private static final long EXPIRATION = 3600L;/*** 選擇了記住我之后的過期時間為7天*/private static final long EXPIRATION_REMEMBER = 604800L;// 添加角色的keyprivate static final String ROLE_CLAIMS = "rol";/*** 修改一下創(chuàng)建token的方法** @param username* @param role* @param isRememberMe* @return*/public static String createToken(String username, String role, boolean isRememberMe) {String token = null;try {long expiration = isRememberMe ? EXPIRATION_REMEMBER : EXPIRATION;HashMap<String, Object> map = new HashMap<>();map.put(ROLE_CLAIMS, role);token = Jwts.builder().signWith(SignatureAlgorithm.HS512, SECRET)// 這里要早set一點，放到后面會覆蓋別的字段.setClaims(map).setIssuer(ISS).setSubject(username).setIssuedAt(new Date()).setExpiration(new Date(System.currentTimeMillis() + expiration * 1000)).compact();} catch (ExpiredJwtException e) {e.getClaims();}return token;}/*** 從token中獲取用戶名** @param token* @return*/public static String getUsername(String token) {return getTokenBody(token).getSubject();}/*** 從token中獲取roles** @param token* @return*/public static String getUserRole(String token) {return (String) getTokenBody(token).get(ROLE_CLAIMS);}/*** 是否已過期** @param token* @return*/public static boolean isExpiration(String token) {return getTokenBody(token).getExpiration().before(new Date());}private static Claims getTokenBody(String token) {return Jwts.parser().setSigningKey(SECRET).parseClaimsJws(token).getBody();}public static void main(String[] args) {BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();String user = encoder.encode("test");System.out.println(user);} }

弄完上面這些，相關(guān)配置就都搞定了，剩下就是最簡單的編碼啦。

三、代碼

entity

@Data @EqualsAndHashCode(callSuper = false) @TableName("account") public class MyUser implements Serializable, UserDetails {private static final long serialVersionUID = 1L;private int id;private String username;private String password;// 1:啟用 ， 0：禁用@TableField(exist = false)private Integer enabled = 1;// 1：鎖住 ， 0：未鎖@TableField(exist = false)private Integer locked = 0;private String role;@TableField(exist = false)private String token;//授權(quán)@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {List<SimpleGrantedAuthority> authorities = new ArrayList<>();SimpleGrantedAuthority authority = new SimpleGrantedAuthority(role);authorities.add(authority);return authorities;}@Overridepublic boolean isAccountNonExpired() { return true; }@Overridepublic boolean isAccountNonLocked() { return locked == 0; }@Overridepublic boolean isCredentialsNonExpired() { return true; }@Overridepublic boolean isEnabled() { return enabled == 1; } }

mapper

import com.baomidou.mybatisplus.core.mapper.BaseMapper; import com.crush.security.entity.MyUser; import org.springframework.stereotype.Repository;@Repository public interface MyUserMapper extends BaseMapper<MyUser> {}

service、impl

import com.baomidou.mybatisplus.extension.service.IService; import com.crush.security.entity.MyUser;public interface IMyUserService extends IService<MyUser> {} import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl; import com.crush.security.entity.MyUser; import com.crush.security.mapper.MyUserMapper; import com.crush.security.service.IMyUserService; import org.springframework.stereotype.Service;@Service public class MyUserServiceImpl extends ServiceImpl<MyUserMapper, MyUser> implements IMyUserService { }

controller

package com.crush.security.controller;import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController;@RestController public class UserController {@RequestMapping("/all")String all() {return "在WebSecurityConfig中配置了放行，任何人都可以進行訪問";}@PreAuthorize("permitAll()")@RequestMapping("/test")String test() {return "所有登錄的人都可以訪問";}@PreAuthorize("hasRole('USER')")@RequestMapping("/user/userList")String userList() {return "role: user";}@PreAuthorize("hasRole('ADMIN')")@RequestMapping("/admin/updateUser")String updateUser() {return "role: admin";}@PreAuthorize("hasRole('SUPER_ADMIN')")@RequestMapping("/admin/superAdmin")String superAdmin() {return "role: superAdmin";}@PreAuthorize("hasAnyRole('ADMIN','USER')")@RequestMapping("/userAndAdmin")String userAndAdminTest() {return "role: admin and user";}@PreAuthorize("hasAnyRole('ADMIN')or hasAnyRole('SUPER_ADMIN')")@RequestMapping("/AdminAndSuperAdminTest")String AdminAndSuperAdminTest() {return "role: admin and super_admin";}// hasAnyAuthority() 也是可以多個字符串 權(quán)限驗證，可以不跟ROLE_前綴@PreAuthorize("hasAuthority('TEST') ")@RequestMapping("/ceshi2")String ceshi2() {return "hasAuthority：權(quán)限驗證，不過查的也是role那個字段，不過不用拼接上ROLE而已";} }

四、測試

注:我使用的測試工具是Postman,另外login接口接收的數(shù)據(jù)是需要JSON類型的。

1）登錄

注意這里的token，我們是需要把他記住，下次去請求要攜帶上。

2）測試管理員

3）測試hasAnyAuthority （）注解

hasAnyAuthority() 也是可以多個字符串 權(quán)限驗證，可以不跟ROLE_前綴

五、總結(jié)

Security框架和SpringBoot集成，其實上手特別快，但是如果要想研究的比較深刻的話，我覺得是比較困難的，上文講過，security是屬于一個重量級的框架，里面很多東西特別多。使用方面肯定是沒有任何問題的。

你卷我卷，大家卷，什么時候這條路才是個頭啊。😇（還是直接上天吧)

有時候也想停下來歇一歇，一直做一個事情，感覺挺難堅持的。😁

你好，如果你正巧看到這篇文章，并且覺得對你有益的話，就給個贊吧，讓我感受一下分享的喜悅吧，蟹蟹。🤗

如若有寫的有誤的地方，也請大家不嗇賜教！！

同樣如若有存在疑惑的地方，請留言或私信，定會在第一時間回復你。

持續(xù)更新中

源碼鏈接：Gitee

github還沒上去🤦?♂?，暫時先放著gitee吧。

總結(jié)

以上是生活随笔為你收集整理的SpringBoot整合Security安全框架、控制权限的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。