目录
- 权限系统的必要性
- 常见的权限管理框架
- SpringSecurity授权
- 基本流程
- 准备脚本
- 限制访问资源所需权限
- 菜单实体类和Mapper
- 封装权限信息
- 封装认证/鉴权失败处理
- 认证失败封装
- 鉴权失败封装
- 配置SpringSecurity
- 过滤器
- 跨域处理
- 接口添加鉴权
- hasAuthority/hasAnyAuthority
- hasRole/ hasAnyRole
- 自定义权限校验方法
权限系统的必要性
权限系统在现代软件开发、信息管理系统、网络服务和各种数字平台中扮演着至关重要的角色,其必要性主要体现在以下几个方面:
-
安全控制:权限系统是保护数据和资源安全的第一道防线。通过限制对敏感信息和关键功能的访问,可以有效防止未经授权的访问、修改或泄露,从而降低安全风险。
-
职责分离:在组织内部,不同的用户或角色拥有不同的职责。权限系统确保每个用户只能访问和操作与他们的工作职责相关的系统部分,这有助于实现职责分离和内部控制,减少错误和欺诈的可能性。
-
合规性要求:许多行业都有严格的数据保护法规和标准(如GDPR、HIPAA等),要求对个人信息和敏感数据进行严格的访问控制。权限系统帮助组织符合这些法律法规的要求,避免法律风险和罚款。
-
提升用户体验:通过为不同用户提供定制化的界面和功能,权限系统可以减少信息过载,使用户更容易找到他们需要的信息和服务,从而提升整体的用户体验。
-
审计追踪:权限系统能够记录用户的访问和操作日志,这对于事后审计、故障排查和安全事件调查至关重要。这不仅有助于及时发现并解决问题,也为追究责任提供了依据。
-
灵活性和可扩展性:随着组织的发展和需求的变化,权限系统允许管理员灵活地调整权限设置,新增或删除用户角色,以及对系统功能进行细粒度的控制,保证了系统的长期稳定性和可扩展性。
总之,权限系统是维护信息安全、支持组织管理和满足法律法规要求的基础架构,对于保障数字环境的稳定、安全和高效运行具有不可替代的作用。
常见的权限管理框架
Java Web开发中,为了实现权限管理,开发者常采用一些成熟的权限框架来简化开发流程和提高系统安全性。以下是一些常见的Java权限管理框架:
-
Spring Security:这是Java领域中最受欢迎和广泛使用的安全框架之一,它为Web应用程序提供了一整套安全解决方案,包括认证(Authentication)和授权(Authorization)。Spring Security支持多种认证机制(如JWT、OAuth2)、自定义权限控制,并且能够无缝集成到Spring Boot应用中。
-
Apache Shiro:Shiro是一个强大且易用的安全框架,它提供身份验证、授权、会话管理以及加密等功能。相比Spring Security,Shiro的学习曲线更平缓,适用于需要快速实现安全功能的项目。Shiro支持多种环境,不仅限于Web应用,也适用于命令行应用、Swing应用等。
-
JBoss Keycloak:Keycloak是一个开源的Identity and Access Management (IAM)系统,提供了单一登录(SSO)、身份管理、社交登录等特性。它可以通过OpenID Connect、OAuth 2.0等协议与Java Web应用集成,非常适合构建大型分布式系统的权限管理。
-
Spring Authorization Server:这是Spring生态系统中用于构建授权服务器的新项目,特别适合需要实现OAuth2协议的场景。虽然它本身不直接处理应用程序的权限控制逻辑,但与Spring Security结合使用,可以构建出强大的认证和授权体系。
-
Apache Ranger:虽然更多被用于大数据平台(如Hadoop、Hive、Kafka)的权限管理,但Apache Ranger也可以应用于其他Java Web项目中,特别是那些需要复杂数据权限控制的场景。
选择合适的权限框架时,需要根据项目的具体需求、团队熟悉度、系统规模以及是否需要支持特定的安全协议等因素综合考虑。
SpringSecurity授权
基本流程
- SpringSecurity是使用默认的FilterSecurityInterceptor来进行权限校验。
- 在FilterSecurityInterceptor中会从SecurityContextHolder获取其中的Authentication,然后获取其中的权限信息。
- 并以此来判断当前用户是否拥有访问当前资源所需的权限。
- 因此需要把用户成功登录后的的权限信息也存入Authentication, 然后设置资源所需要的权限即可。
准备脚本
/*Navicat Premium Data TransferSource Server : 本机连接Source Server Type : MySQLSource Server Version : 50744Source Host : localhost:3306Source Schema : kgc_powerTarget Server Type : MySQLTarget Server Version : 50744File Encoding : 65001Date: 24/06/2024 15:07:37
*/SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;-- ----------------------------
-- Table structure for account
-- ----------------------------
DROP TABLE IF EXISTS `account`;
CREATE TABLE `account` (`id` int(11) NOT NULL,`accountCode` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL,`accountName` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL,`accountPassword` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL,PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci ROW_FORMAT = Dynamic;-- ----------------------------
-- Records of account
-- ----------------------------
INSERT INTO `account` VALUES (1, 'admin', '系统管理员', '$2a$10$dJ1Ct/QuOOJTkhNkYeFh8uCeEqpVUO.ZjiPOfPsmbsWlX3ZIp.kDa');
INSERT INTO `account` VALUES (2, 'zhangsan', '张三', '$2a$10$dJ1Ct/QuOOJTkhNkYeFh8uCeEqpVUO.ZjiPOfPsmbsWlX3ZIp.kDa');
INSERT INTO `account` VALUES (3, 'lisi', '李四', '$2a$10$dJ1Ct/QuOOJTkhNkYeFh8uCeEqpVUO.ZjiPOfPsmbsWlX3ZIp.kDa');
INSERT INTO `account` VALUES (4, 'wangwu', '王五', '$2a$10$dJ1Ct/QuOOJTkhNkYeFh8uCeEqpVUO.ZjiPOfPsmbsWlX3ZIp.kDa');
INSERT INTO `account` VALUES (5, 'zhaoliu', '赵六', '$2a$10$dJ1Ct/QuOOJTkhNkYeFh8uCeEqpVUO.ZjiPOfPsmbsWlX3ZIp.kDa');-- ----------------------------
-- Table structure for account_role
-- ----------------------------
DROP TABLE IF EXISTS `account_role`;
CREATE TABLE `account_role` (`accountId` bigint(200) NOT NULL AUTO_INCREMENT COMMENT '用户id',`roleId` bigint(200) NOT NULL DEFAULT 0 COMMENT '角色id',PRIMARY KEY (`accountId`, `roleId`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 6 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci ROW_FORMAT = Dynamic;-- ----------------------------
-- Records of account_role
-- ----------------------------
INSERT INTO `account_role` VALUES (1, 1);
INSERT INTO `account_role` VALUES (2, 2);
INSERT INTO `account_role` VALUES (3, 2);
INSERT INTO `account_role` VALUES (4, 3);
INSERT INTO `account_role` VALUES (5, 3);-- ----------------------------
-- Table structure for menu
-- ----------------------------
DROP TABLE IF EXISTS `menu`;
CREATE TABLE `menu` (`id` bigint(20) NOT NULL AUTO_INCREMENT,`menuName` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL DEFAULT 'NULL' COMMENT '菜单名',`path` varchar(200) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '路由地址',`component` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '组件路径',`visible` char(1) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT '0' COMMENT '菜单状态(0显示 1隐藏)',`status` char(1) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT '0' COMMENT '菜单状态(0正常 1停用)',`perms` varchar(100) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '权限标识',`icon` varchar(100) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT '#' COMMENT '菜单图标',`createBy` bigint(20) NULL DEFAULT NULL,`createTime` datetime NULL DEFAULT NULL,`updateBy` bigint(20) NULL DEFAULT NULL,`updateTime` datetime NULL DEFAULT NULL,`delFlag` int(11) NULL DEFAULT 0 COMMENT '是否删除(0未删除 1已删除)',`remark` varchar(500) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '备注',PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 5 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci COMMENT = '菜单表' ROW_FORMAT = Dynamic;-- ----------------------------
-- Records of menu
-- ----------------------------
INSERT INTO `menu` VALUES (1, '订单管理', '/order', '/order', '0', '0', 'system:order', '#', NULL, NULL, NULL, NULL, 0, NULL);
INSERT INTO `menu` VALUES (2, '系统管理', '/sys', '/sys', '0', '0', 'system:sys', '#', NULL, NULL, NULL, NULL, 0, NULL);
INSERT INTO `menu` VALUES (3, '个人中心', '/info', '/info', '0', '0', 'system:info', '#', NULL, NULL, NULL, NULL, 0, NULL);
INSERT INTO `menu` VALUES (4, '商品管理', '/product', '/product', '0', '0', 'system:product', '#', NULL, NULL, NULL, NULL, 0, NULL);-- ----------------------------
-- Table structure for role
-- ----------------------------
DROP TABLE IF EXISTS `role`;
CREATE TABLE `role` (`id` bigint(20) NOT NULL AUTO_INCREMENT,`name` varchar(128) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL,`roleKey` varchar(100) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '角色权限字符串',`status` char(1) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT '0' COMMENT '角色状态(0正常 1停用)',`delFlag` int(1) NULL DEFAULT 0 COMMENT 'del_flag',`createBy` bigint(200) NULL DEFAULT NULL,`createTime` datetime NULL DEFAULT NULL,`updateBy` bigint(200) NULL DEFAULT NULL,`updateTime` datetime NULL DEFAULT NULL,`remark` varchar(500) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '备注',PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 4 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci COMMENT = '角色表' ROW_FORMAT = Dynamic;-- ----------------------------
-- Records of role
-- ----------------------------
INSERT INTO `role` VALUES (1, '系统管理员', 'ADMIN', '0', 0, NULL, NULL, NULL, NULL, NULL);
INSERT INTO `role` VALUES (2, '供应商', 'PROVIDER', '0', 0, NULL, NULL, NULL, NULL, NULL);
INSERT INTO `role` VALUES (3, '需求方', 'CONSUMER', '0', 0, NULL, NULL, NULL, NULL, NULL);-- ----------------------------
-- Table structure for role_menu
-- ----------------------------
DROP TABLE IF EXISTS `role_menu`;
CREATE TABLE `role_menu` (`roleId` bigint(200) NOT NULL AUTO_INCREMENT COMMENT '角色ID',`menuId` bigint(200) NOT NULL DEFAULT 0 COMMENT '菜单id',PRIMARY KEY (`roleId`, `menuId`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 4 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci ROW_FORMAT = Dynamic;-- ----------------------------
-- Records of role_menu
-- ----------------------------
INSERT INTO `role_menu` VALUES (1, 2);
INSERT INTO `role_menu` VALUES (1, 3);
INSERT INTO `role_menu` VALUES (2, 1);
INSERT INTO `role_menu` VALUES (2, 3);
INSERT INTO `role_menu` VALUES (3, 1);
INSERT INTO `role_menu` VALUES (3, 3);
INSERT INTO `role_menu` VALUES (3, 4);SET FOREIGN_KEY_CHECKS = 1;
限制访问资源所需权限
- SpringSecurity提供了基于注解的权限控制方案,可以使用注解去指定访问对应的资源所需的权限, 但是要使用它需要先开启相关配置。
- 启动类上加
@EnableGlobalMethodSecurity(prePostEnabled = true)
菜单实体类和Mapper
package com.micro.pojo;
import lombok.Data;
import java.io.Serializable;
import java.util.Date;/*** @author: zjl* @datetime: 2024/6/24* @desc: 复兴Java,我辈义不容辞*/
@Data
public class Menu implements Serializable {private Long id;/*** 菜单名*/private String menuName;/*** 路由地址*/private String path;/*** 组件路径*/private String component;/*** 菜单状态(0显示 1隐藏)*/private String visible;/*** 菜单状态(0正常 1停用)*/private String status;/*** 权限标识*/private String perms;/*** 菜单图标*/private String icon;private Long createBy;private Date createTime;private Long updateBy;private Date updateTime;/*** 是否删除(0未删除 1已删除)*/private Integer delFlag;/*** 备注*/private String remark;
}
List<String> selectPermsByAccountId(Integer accountId);
<select id="selectPermsByAccountId" resultType="string" parameterType="int">SELECTDISTINCT M.`PERMS`FROMACCOUNT_ROLE ARLEFT JOIN `ROLE` R ON AR.`ROLEID` = R.`ID`LEFT JOIN `ROLE_MENU` RM ON AR.`ROLEID` = RM.`ROLEID`LEFT JOIN `MENU` M ON M.`ID` = RM.`MENUID`WHEREACCOUNTID = #{accountId}AND R.`STATUS` = 0AND M.`STATUS` = 0</select>
mybatis:mapper-locations: classpath:mapper/*.xmlconfiguration:log-impl: org.apache.ibatis.logging.stdout.StdOutImpl
封装权限信息
在UserDetailsServiceImpl中去调用该mapper的方法查询权限信息封装到LoginUser对象中
@Service
public class AccountDetailsServiceImpl implements UserDetailsService {@Resourceprivate AccountMapper accountMapper;@Resourceprivate MenuMapper menuMapper;@Overridepublic UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {Account account = accountMapper.selectAccountByAccountCode(userName);if(Objects.isNull(account)){throw new RuntimeException("用户名或密码错误");}//根据用户查询权限信息 LoginAccountList<String> permissionKeyList = menuMapper.selectPermsByAccountId(account.getId());//封装成UserDetails对象返回return new LoginAccount(account, permissionKeyList);}
}
package com.micro.pojo;import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;/*** @author: zjl* @datetime: 2024/6/22* @desc: 复兴Java,我辈义不容辞*/
@Data
@NoArgsConstructor
public class LoginAccount implements UserDetails {private Account account;private List<String> permissions;@JSONField(serialize = false)private List<GrantedAuthority> authorities;public LoginAccount(Account account,List<String> permissions) {this.account = account;this.permissions = permissions;}@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {if(authorities!=null){return authorities;}//把permissions中字符串类型的权限信息转换成GrantedAuthority对象存入authorities中authorities = permissions.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList());return authorities;}@Overridepublic String getPassword() {return account.getAccountPassword();}@Overridepublic String getUsername() {return account.getAccountName();}@Overridepublic boolean isAccountNonExpired() {return true;}@Overridepublic boolean isAccountNonLocked() {return true;}@Overridepublic boolean isCredentialsNonExpired() {return true;}@Overridepublic boolean isEnabled() {return true;}
}
封装认证/鉴权失败处理
- 在SpringSecurity中,如果在认证或者授权的过程中出现了异常会被ExceptionTranslationFilter捕获到。在ExceptionTranslationFilter中会去判断是认证失败还是授权失败出现的异常。
- 认证过程中出现的异常可以被封装成AuthenticationException,然后调用AuthenticationEntryPoint 对象的方法去进行异常处理。
- 如果是授权过程中出现的异常可以被封装成AccessDeniedException,然后调用AccessDeniedHandler对象的方法去进行异常处理。
认证失败封装
package com.micro.service;import com.alibaba.fastjson.JSON;
import com.micro.utils.ResponseResult;
import com.micro.utils.WebUtils;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;/*** @author: zjl* @datetime: 2024/6/24* @desc: 复兴Java,我辈义不容辞*/@Component
public class AuthenticationEntryPointImpl implements AuthenticationEntryPoint {@Overridepublic void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {ResponseResult result = new ResponseResult(HttpStatus.UNAUTHORIZED.value(), "认证失败请重新登录");String json = JSON.toJSONString(result);WebUtils.renderString(response,json);}
}
鉴权失败封装
package com.micro.service;import com.alibaba.fastjson.JSON;
import com.micro.utils.ResponseResult;
import com.micro.utils.WebUtils;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;/*** @author: zjl* @datetime: 2024/6/24* @desc: 复兴Java,我辈义不容辞*/
@Component
public class AccessDeniedHandlerImpl implements AccessDeniedHandler {@Overridepublic void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {ResponseResult result = new ResponseResult(HttpStatus.FORBIDDEN.value(), "权限不足");String json = JSON.toJSONString(result);WebUtils.renderString(response,json);}
}
配置SpringSecurity
package com.micro.config;import com.micro.filter.JwtAuthenticationTokenFilter;
import com.micro.service.AccessDeniedHandlerImpl;
import com.micro.service.AuthenticationEntryPointImpl;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;import javax.annotation.Resource;/*** @author: zjl* @datetime: 2024/6/22* @desc: 复兴Java,我辈义不容辞*/@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {@Resourceprivate JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;@Resourceprivate AccessDeniedHandlerImpl accessDeniedHandler;@Resourceprivate AuthenticationEntryPointImpl authenticationEntryPoint;@Beanpublic PasswordEncoder passwordEncoder(){return new BCryptPasswordEncoder();}@Overrideprotected void configure(HttpSecurity http) throws Exception {http//关闭csrf.csrf().disable()//不通过Session获取SecurityContext.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests()// 对于登录接口 允许匿名访问.antMatchers("/login").anonymous()// 除上面外的所有请求全部需要鉴权认证.anyRequest().authenticated();//把token校验过滤器添加到过滤器链中http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint).accessDeniedHandler(accessDeniedHandler);}@Bean@Overridepublic AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean();}
}
过滤器
package com.micro.filter;import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.micro.pojo.Account;
import com.micro.pojo.LoginAccount;
import com.micro.utils.JwtUtil;
import com.micro.utils.RedisStringUtil;
import io.jsonwebtoken.Claims;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;import javax.annotation.Resource;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;
import java.util.Objects;/*** @author: zjl* @datetime: 2024/6/22* @desc: 复兴Java,我辈义不容辞*/
@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {@Resourceprivate RedisStringUtil redisStringUtil;@Resourceprivate ObjectMapper objectMapper;@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {//获取tokenString token = request.getHeader("token");if (!StringUtils.hasText(token)) {//放行filterChain.doFilter(request, response);return;}//解析tokenString userid;try {Claims claims = JwtUtil.parseJWT(token);userid = claims.getSubject();} catch (Exception e) {e.printStackTrace();throw new RuntimeException("token非法");}//从redis中获取用户信息String redisKey = "login:" + userid;LoginAccount loginAccount = JSON.parseObject(redisStringUtil.get(redisKey), LoginAccount.class);if(Objects.isNull(loginAccount)){throw new RuntimeException("用户未登录");}//存入SecurityContextHolder//获取权限信息封装到Authentication中UsernamePasswordAuthenticationToken authenticationToken =new UsernamePasswordAuthenticationToken(loginAccount,null,loginAccount.getAuthorities());SecurityContextHolder.getContext().setAuthentication(authenticationToken);//放行filterChain.doFilter(request, response);}
}
跨域处理
package com.micro.config;import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;/*** @author: zjl* @datetime: 2024/6/24* @desc: 复兴Java,我辈义不容辞*/
@Configuration
public class CorsConfig implements WebMvcConfigurer {@Overridepublic void addCorsMappings(CorsRegistry registry) {// 设置允许跨域的路径registry.addMapping("/**")// 设置允许跨域请求的域名.allowedOrigins("*")// 是否允许cookie.allowCredentials(true)// 设置允许的请求方式.allowedMethods("GET", "POST", "DELETE", "PUT")// 设置允许的header属性.allowedHeaders("*")// 跨域允许时间.maxAge(60 * 60);}
}
SecurityConfig类中configure()方法添加以下代码
//允许跨域http.cors();
接口添加鉴权
SpringSecurity提供了以下方法:hasAuthority,hasAnyAuthority,hasRole,hasAnyRole等。
hasAuthority/hasAnyAuthority
- hasAuthority方法内部调用authentication的getAuthorities方法获取用户的权限列表。然后判断存入的方法参数数据在权限列表中。
- hasAnyAuthority方法可以传入多个权限,只有用户有其中任意一个权限都可以访问对应资源。
@RestController
@RequestMapping("/order")
public class OrderController {@GetMapping("/list")//@PreAuthorize("hasAnyAuthority('system:aaa','system:bbb','system:order')")@PreAuthorize("hasAuthority('system:order')")public ResponseResult list(){return new ResponseResult(200, "订单列表");}
}
hasRole/ hasAnyRole
- hasRole要求有对应的角色才可以访问,但是它内部会把传入的参数拼接上 ROLE_ 后再去比较。所以这种情况下要用用户对应的权限也要有 ROLE_ 这个前缀才可以。
- hasAnyRole 有任意的角色就可以访问。它内部也会把传入的参数拼接上 ROLE_ 后再去比较。所以这种情况下要用用户对应的权限也要有 ROLE_ 这个前缀才可以。
修改数据库
@GetMapping("/list")//@PreAuthorize("hasAnyAuthority('system:aaa','system:bbb','system:order')")//@PreAuthorize("hasAuthority('system:order')")@PreAuthorize("hasRole('system:order')")public ResponseResult list(){return new ResponseResult(200, "订单列表");}
自定义权限校验方法
@Component("ex")
public class KgcExpressionRoot {public boolean hasAuthority(String authority){//获取当前用户的权限Authentication authentication = SecurityContextHolder.getContext().getAuthentication();LoginAccount loginAccount = (LoginAccount) authentication.getPrincipal();List<String> permissions = loginAccount.getPermissions();//判断用户权限集合中是否存在authorityreturn permissions.contains(authority);}
}
- 在SPEL表达式中使用 @ex相当于获取容器中bean的名字未ex的对象。然后再调用这个对象的hasAuthority方法
@GetMapping("/list")//@PreAuthorize("hasAnyAuthority('system:aaa','system:bbb','system:order')")//@PreAuthorize("hasAuthority('system:order')")//@PreAuthorize("hasRole('system:order')")@PreAuthorize("@ex.hasAuthority('system:order')")public ResponseResult list(){return new ResponseResult(200, "订单列表");}
