Spring Security的RBAC数据模型嵌入
1.簡介
? 基于角色的權限訪問控制(Role-Based Access Control)作為傳統訪問控制(自主訪問,強制訪問)的有前景的代替受到廣泛的關注。在RBAC中,權限與角色相關聯,用戶通過成為適當角色的成員而得到這些角色的權限。這就極大地簡化了權限的管理。在一個組織中,角色是為了完成各種工作而創造,用戶則依據它的責任和資格來被指派相應的角色,用戶可以很容易地從一個角色被指派到另一個角色。角色可依新的需求和系統的合并而賦予新的權限,而權限也可根據需要而從某角色中回收。角色與角色的關系可以建立起來以囊括更廣泛的客觀情況。
2.授權前臺頁面對接流程
3.代碼相關
新建工程 authorize:
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><parent><groupId>com.city.security</groupId><artifactId>city-security</artifactId><version>1.0.0-SNAPSHOT</version></parent><artifactId>city-security-authorize</artifactId><dependencies><dependency><groupId>javax.servlet</groupId><artifactId>javax.servlet-api</artifactId></dependency><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-core</artifactId></dependency></dependencies></project>RbacService
public interface RbacService {boolean hasPermission(HttpServletRequest request, Authentication authentication);
}RbacServiceImpl
@Component("rbacService")
public class RbacServiceImpl implements RbacService {@Autowiredprivate AntPathMatcher antPathMatcher = new AntPathMatcher();@Overridepublic boolean hasPermission(HttpServletRequest request, Authentication authentication) {Object principal = authentication.getPrincipal();boolean hasPermission = false;if (principal instanceof UserDetails) {//說明我從數據庫查到信息放到這個principal里面String username = ((UserDetails) principal).getUsername();//讀取用戶所擁有的權限Set<String> urls = new HashSet<String>();for (String url : urls) {if(antPathMatcher.match(url,request.getRequestURI())){hasPermission=true;break;}}}return hasPermission;}
}修改DemoAuthorizeConifgProvider:
@Component
@Order(Integer.MAX_VALUE)//表示最后讀取
public class DemoAuthorizeConifgProvider implements AuthorizeConfigProvider {@Overridepublic void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {System.out.println("---DemoAuthorizeConifgProvider------");config.anyRequest().access("@rbacService.hasPermission(request,authentication)");}}@Order修改順序:
//配置permitAll的路徑
@Component
@Order(Integer.MIN_VALUE)//最先讀取
public class CityAuthorizeConfigProvider implements AuthorizeConfigProvider {@Autowiredprivate SecurityProperties securityProperties;@Overridepublic void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {config.antMatchers("/static/**","/page/login","/page/failure","/page/mobilePage","/code/image","/code/sms","/authentication/mobile",securityProperties.getBrower().getSignUPUrl(),"/user/register","/page/registerPage","/page/invalidSession","/page/logoutSuccess",securityProperties.getBrower().getSignOutUrl()).permitAll();}
}
4.基于方法的控制表達式
- 開啟使用方法注解的配置
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
2.四種方法注解:@PreAuthorize、@PostAuthorize、@PreFilter和、PostFilter
- 用法
@PreAuthorize 注解適合進入方法前的權限驗證
@PreAuthorize("hasRole('ROLE_ADMIN')")
@GetMapping("/admin")
@ResponseBody
public Object admin(Principal principal) {return principal;
}
@PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER') and principal.username.equals(#username)")
@GetMapping("/test/{username}")
@ResponseBody
public Object test(@PathVariable String username) {return "Hello test";
}@PostAuthorize 在方法執行后再進行權限驗證,適合驗證帶有返回值的權限
// 這里的returnObject就代表返回的對象
@PostAuthorize("returnObject.username.equals(principal.username)")
@GetMapping("/demo2")
public Object demo2() {User user = new User("lzc","lzc",AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));return user;
}@PreFilter可以對集合類型的參數進行過濾,@PostFilter可以對集合類型返回值進行過濾,用法跟上面兩種方式類似。
轉載于:https://www.cnblogs.com/charlypage/p/10813914.html
總結
以上是生活随笔為你收集整理的Spring Security的RBAC数据模型嵌入的全部內容,希望文章能夠幫你解決所遇到的問題。
