Embedding an RBAC data model in Spring Security
1. Introduction
Role-Based Access Control (RBAC) has received wide attention as a promising replacement for the traditional access-control models (discretionary and mandatory access control). In RBAC, permissions are associated with roles, and users obtain those permissions by becoming members of the appropriate roles. This greatly simplifies permission management. In an organization, roles are created to carry out the various kinds of work, and users are assigned roles according to their responsibilities and qualifications; a user can easily be moved from one role to another. Roles can be granted new permissions as new requirements arise and systems are merged, and permissions can be revoked from a role as needed. Relationships between roles can be established to cover a wider range of real-world situations.
2. Integration flow for the authorization front-end pages
3. Code
Create a new project, authorize:
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>com.city.security</groupId>
        <artifactId>city-security</artifactId>
        <version>1.0.0-SNAPSHOT</version>
    </parent>
    <artifactId>city-security-authorize</artifactId>
    <dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
        </dependency>
    </dependencies>
</project>
RbacService
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.Authentication;

public interface RbacService {
    // Decide whether the authenticated user may access the requested URL
    boolean hasPermission(HttpServletRequest request, Authentication authentication);
}
RbacServiceImpl
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;

@Component("rbacService")
public class RbacServiceImpl implements RbacService {

    // Instantiated directly: AntPathMatcher is not a Spring bean, so @Autowired on this field would fail at startup
    private AntPathMatcher antPathMatcher = new AntPathMatcher();

    @Override
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        Object principal = authentication.getPrincipal();
        boolean hasPermission = false;
        if (principal instanceof UserDetails) {
            // The principal holds the user information loaded from the database
            String username = ((UserDetails) principal).getUsername();
            // Read the URL patterns the user is allowed to access (the post leaves this set empty; load it from the database)
            Set<String> urls = new HashSet<String>();
            for (String url : urls) {
                if (antPathMatcher.match(url, request.getRequestURI())) {
                    hasPermission = true;
                    break;
                }
            }
        }
        return hasPermission;
    }
}
Modify DemoAuthorizeConifgProvider:
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.stereotype.Component;

// AuthorizeConfigProvider is the project's own interface (its package is not shown in the post)
@Component
@Order(Integer.MAX_VALUE) // read last
public class DemoAuthorizeConifgProvider implements AuthorizeConfigProvider {
    @Override
    public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
        System.out.println("---DemoAuthorizeConifgProvider------");
        // Every request not matched by an earlier provider is decided by the rbacService bean
        config.anyRequest().access("@rbacService.hasPermission(request,authentication)");
    }
}
Use @Order to control the order in which the providers are applied:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.stereotype.Component;

// AuthorizeConfigProvider and SecurityProperties are the project's own classes (packages not shown in the post)
// Configure the paths that are permitAll
@Component
@Order(Integer.MIN_VALUE) // read first
public class CityAuthorizeConfigProvider implements AuthorizeConfigProvider {
    @Autowired
    private SecurityProperties securityProperties;

    @Override
    public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
        config.antMatchers("/static/**",
                "/page/login",
                "/page/failure",
                "/page/mobilePage",
                "/code/image",
                "/code/sms",
                "/authentication/mobile",
                securityProperties.getBrower().getSignUPUrl(),
                "/user/register",
                "/page/registerPage",
                "/page/invalidSession",
                "/page/logoutSuccess",
                securityProperties.getBrower().getSignOutUrl())
              .permitAll();
    }
}
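As an added example (not code from the original post or the project it describes), here is a fuller version of the RbacServiceImpl above. It replaces the empty HashSet with a lookup through a hypothetical UserPermissionRepository (an assumption; the post does not show the data-access layer), denies anonymous callers explicitly, and strips the servlet context path before matching so that stored patterns such as "/user/**" still match when the application is deployed under a context root.

```java
// Added example, not from the original post. UserPermissionRepository is a hypothetical
// interface standing in for the database access the post leaves out.
package com.city.security.authorize;

import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;

/** Hypothetical data-access interface: the Ant-style URL patterns granted to a user through its roles. */
interface UserPermissionRepository {
    Set<String> findUrlPatternsByUsername(String username);
}

@Component("rbacService")
public class RbacServiceImpl implements RbacService {

    private final AntPathMatcher antPathMatcher = new AntPathMatcher();
    private final UserPermissionRepository permissionRepository;

    public RbacServiceImpl(UserPermissionRepository permissionRepository) {
        this.permissionRepository = permissionRepository;
    }

    @Override
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        // Anonymous or unauthenticated requests never match a role's URL set: deny.
        if (authentication == null || !(authentication.getPrincipal() instanceof UserDetails)) {
            return false;
        }
        String username = ((UserDetails) authentication.getPrincipal()).getUsername();
        Set<String> urls = permissionRepository.findUrlPatternsByUsername(username);
        if (urls == null) {
            urls = Collections.emptySet();
        }
        // Match against the path inside the application, not the raw request URI,
        // so a context path such as "/app" does not break patterns like "/user/**".
        String path = pathWithinApplication(request);
        for (String url : urls) {
            if (antPathMatcher.match(url, path)) {
                return true;
            }
        }
        return false; // deny by default: no matching pattern means no access
    }

    /** getRequestURI() includes the context path; remove it so patterns are context-independent. */
    static String pathWithinApplication(HttpServletRequest request) {
        String uri = request.getRequestURI();
        String contextPath = request.getContextPath();
        if (contextPath != null && !contextPath.isEmpty() && uri.startsWith(contextPath)) {
            uri = uri.substring(contextPath.length());
        }
        return uri.isEmpty() ? "/" : uri;
    }
}
```

Because DemoAuthorizeConifgProvider routes anyRequest() to this bean, an empty or null pattern set for a user means every non-permitAll URL is refused, which is the safe default for a misconfigured or newly created account.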
4. Method-level access-control expressions
- Enable the configuration for method annotations
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize/@PostAuthorize/@PreFilter/@PostFilter
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    // existing HttpSecurity configuration unchanged (not shown in the post)
}
- The four method annotations: @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter
- Usage
@PreAuthorize is suited to permission checks made before entering the method
@PreAuthorize("hasRole('ROLE_ADMIN')")
@GetMapping("/admin")
@ResponseBody
public Object admin(Principal principal) {
    return principal;
}
// #username refers to the method parameter; the caller may only query its own name
@PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER') and principal.username.equals(#username)")
@GetMapping("/test/{username}")
@ResponseBody
public Object test(@PathVariable String username) {
    return "Hello test";
}
@PostAuthorize performs the permission check after the method has executed; it is suited to checks that depend on the return value
// Here returnObject stands for the object returned by the method
@PostAuthorize("returnObject.username.equals(principal.username)")
@GetMapping("/demo2")
public Object demo2() {
    User user = new User("lzc", "lzc", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
    return user;
}
@PreFilter filters collection-typed parameters, and @PostFilter filters collection-typed return values; their usage is similar to the two annotations above.
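As an added example (not code from the original post), the service below uses all four annotations on one hypothetical Document/DocumentService pair so the filtering ones can be seen next to the authorization ones. It assumes the @EnableGlobalMethodSecurity(prePostEnabled = true) configuration above and a running Spring Security context; the Document class and the in-memory store are constructed for the example.

```java
// Added example, not from the original post. Document and DocumentService are hypothetical.
package com.city.security.demo;

import java.util.ArrayList;
import java.util.List;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

/** Hypothetical domain object: each document is owned by one username. */
class Document {
    private final String owner;
    private final String title;

    Document(String owner, String title) {
        this.owner = owner;
        this.title = title;
    }

    public String getOwner() { return owner; }   // read by SpEL as filterObject.owner / returnObject.owner
    public String getTitle() { return title; }
}

@Service
public class DocumentService {

    // Constructed in-memory store standing in for a database table.
    private final List<Document> store = new ArrayList<>();

    // Before the call: only admins, or a user listing documents under their own name.
    @PreAuthorize("hasRole('ROLE_ADMIN') or #owner == authentication.name")
    public List<Document> listByOwner(String owner) {
        List<Document> result = new ArrayList<>();
        for (Document d : store) {
            if (d.getOwner().equals(owner)) {
                result.add(d);
            }
        }
        return result;
    }

    // After the call: the lookup runs, but the result is released only if the caller owns it.
    // The null guard matters: SpEL throws when it dereferences a property of null.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name")
    public Document findByTitle(String title) {
        for (Document d : store) {
            if (d.getTitle().equals(title)) {
                return d;
            }
        }
        return null;
    }

    // Before the call: elements of the collection parameter that fail the expression are
    // removed (filterObject is each element), so a user can only save documents they own.
    // The argument must be a mutable collection; an immutable list makes the filter throw.
    @PreFilter("filterObject.owner == authentication.name")
    public int saveAll(List<Document> documents) {
        store.addAll(documents);
        return documents.size(); // number of documents that survived the filter
    }

    // After the call: the returned collection is filtered element by element, so a plain
    // user sees only their own documents while an admin sees everything.
    @PostFilter("hasRole('ROLE_ADMIN') or filterObject.owner == authentication.name")
    public List<Document> findAll() {
        return new ArrayList<>(store); // return a fresh mutable list; the filter mutates it
    }
}
```

Note that @PreFilter and @PostFilter modify the collection in place, so a method that returns its internal list directly would have it silently shrunk by the filter; copying, as findAll does, keeps the store intact.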
Reposted from: https://www.cnblogs.com/charlypage/p/10813914.html