前不久Spring Boot 2.7.0 刚刚公布,Spring Security 也降级到了5.7.1 。降级后发现,原来始终在用的Spring Security配置办法,竟然曾经被弃用了。不禁感叹技术更新真快,用着用着就被弃用了!明天带大家体验下Spring Security的最新用法,看看是不是够优雅!
SpringBoot实战电商我的项目mall(50k+star)地址:https://github.com/macrozheng/mall
根本应用
咱们先比照下Spring Security提供的基本功能登录认证,来看看新版用法是不是更好。
降级版本
首先批改我的项目的pom.xml文件,把Spring Boot版本升级至2.7.0版本。
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.0</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>旧用法
在Spring Boot 2.7.0 之前的版本中,咱们须要写个配置类继承WebSecurityConfigurerAdapter,而后重写Adapter中的三个办法进行配置;
/**
* SpringSecurity的配置
* Created by macro on 2018/4/26.
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class OldSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UmsAdminService adminService;
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
//省略HttpSecurity的配置
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService())
.passwordEncoder(passwordEncoder());
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}如果你在SpringBoot 2.7.0版本中进行应用的话,你就会发现WebSecurityConfigurerAdapter曾经被弃用了,看样子Spring Security要坚定放弃这种用法了!
新用法
新用法非常简单,无需再继承WebSecurityConfigurerAdapter,只需间接申明配置类,再配置一个生成SecurityFilterChainBean的办法,把原来的HttpSecurity配置挪动到该办法中即可。
/**
* SpringSecurity 5.4.x以上新用法配置
* 为防止循环依赖,仅用于配置HttpSecurity
* Created by macro on 2022/5/19.
*/
@Configuration
public class SecurityConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
//省略HttpSecurity的配置
return httpSecurity.build();
}
}新用法感觉十分简洁罗唆,防止了继承WebSecurityConfigurerAdapter并重写办法的操作,强烈建议大家更新一波!
高级应用
降级 Spring Boot 2.7.0版本后,Spring Security对于配置办法有了大的更改,那么其余应用有没有影响呢?其实是没啥影响的,这里再聊聊如何应用Spring Security实现动静权限管制!
基于办法的动静权限
首先来聊聊基于办法的动静权限管制,这种形式尽管实现简略,但却有肯定的弊病。
- 在配置类上应用
@EnableGlobalMethodSecurity来开启它;
/**
* SpringSecurity的配置
* Created by macro on 2018/4/26.
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class OldSecurityConfig extends WebSecurityConfigurerAdapter {
}- 而后在办法中应用
@PreAuthorize配置拜访接口须要的权限;
/**
* 商品治理Controller
* Created by macro on 2018/4/26.
*/
@Controller
@Api(tags = "PmsProductController", description = "商品治理")
@RequestMapping("/product")
public class PmsProductController {
@Autowired
private PmsProductService productService;
@ApiOperation("创立商品")
@RequestMapping(value = "/create", method = RequestMethod.POST)
@ResponseBody
@PreAuthorize("hasAuthority('pms:product:create')")
public CommonResult create(@RequestBody PmsProductParam productParam, BindingResult bindingResult) {
int count = productService.create(productParam);
if (count > 0) {
return CommonResult.success(count);
} else {
return CommonResult.failed();
}
}
}- 再从数据库中查问出用户所领有的权限值设置到
UserDetails对象中去,这种做法尽管实现不便,然而把权限值写死在了办法上,并不是一种优雅的做法。
/**
* UmsAdminService实现类
* Created by macro on 2018/4/26.
*/
@Service
public class UmsAdminServiceImpl implements UmsAdminService {
@Override
public UserDetails loadUserByUsername(String username){
//获取用户信息
UmsAdmin admin = getAdminByUsername(username);
if (admin != null) {
List<UmsPermission> permissionList = getPermissionList(admin.getId());
return new AdminUserDetails(admin,permissionList);
}
throw new UsernameNotFoundException("用户名或明码谬误");
}
}基于门路的动静权限
其实每个接口对应的门路都是惟一的,通过门路来进行接口的权限管制才是更优雅的形式。
- 首先咱们须要创立一个动静权限的过滤器,这里留神下
doFilter办法,用于配置放行OPTIONS和白名单申请,它会调用super.beforeInvocation(fi)办法,此办法将调用AccessDecisionManager中的decide办法来进行鉴权操作;
/**
* 动静权限过滤器,用于实现基于门路的动静权限过滤
* Created by macro on 2020/2/7.
*/
public class DynamicSecurityFilter extends AbstractSecurityInterceptor implements Filter {
@Autowired
private DynamicSecurityMetadataSource dynamicSecurityMetadataSource;
@Autowired
private IgnoreUrlsConfig ignoreUrlsConfig;
@Autowired
public void setMyAccessDecisionManager(DynamicAccessDecisionManager dynamicAccessDecisionManager) {
super.setAccessDecisionManager(dynamicAccessDecisionManager);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
FilterInvocation fi = new FilterInvocation(servletRequest, servletResponse, filterChain);
//OPTIONS申请间接放行
if(request.getMethod().equals(HttpMethod.OPTIONS.toString())){
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
return;
}
//白名单申请间接放行
PathMatcher pathMatcher = new AntPathMatcher();
for (String path : ignoreUrlsConfig.getUrls()) {
if(pathMatcher.match(path,request.getRequestURI())){
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
return;
}
}
//此处会调用AccessDecisionManager中的decide办法进行鉴权操作
InterceptorStatusToken token = super.beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super.afterInvocation(token, null);
}
}
@Override
public void destroy() {
}
@Override
public Class<?> getSecureObjectClass() {
return FilterInvocation.class;
}
@Override
public SecurityMetadataSource obtainSecurityMetadataSource() {
return dynamicSecurityMetadataSource;
}
}- 接下来咱们就须要创立一个类来继承
AccessDecisionManager,通过decide办法对拜访接口所需权限和用户领有的权限进行匹配,匹配则放行;
/**
* 动静权限决策管理器,用于判断用户是否有拜访权限
* Created by macro on 2020/2/7.
*/
public class DynamicAccessDecisionManager implements AccessDecisionManager {
@Override
public void decide(Authentication authentication, Object object,
Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
// 当接口未被配置资源时间接放行
if (CollUtil.isEmpty(configAttributes)) {
return;
}
Iterator<ConfigAttribute> iterator = configAttributes.iterator();
while (iterator.hasNext()) {
ConfigAttribute configAttribute = iterator.next();
//将拜访所需资源或用户领有资源进行比对
String needAuthority = configAttribute.getAttribute();
for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
if (needAuthority.trim().equals(grantedAuthority.getAuthority())) {
return;
}
}
}
throw new AccessDeniedException("道歉,您没有拜访权限");
}
@Override
public boolean supports(ConfigAttribute configAttribute) {
return true;
}
@Override
public boolean supports(Class<?> aClass) {
return true;
}
}- 因为下面的
decide办法中的configAttributes属性是从FilterInvocationSecurityMetadataSource的getAttributes办法中获取的,咱们还需创立一个类继承它,getAttributes办法可用于获取拜访以后门路所需权限值;
/**
* 动静权限数据源,用于获取动静权限规定
* Created by macro on 2020/2/7.
*/
public class DynamicSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
private static Map<String, ConfigAttribute> configAttributeMap = null;
@Autowired
private DynamicSecurityService dynamicSecurityService;
@PostConstruct
public void loadDataSource() {
configAttributeMap = dynamicSecurityService.loadDataSource();
}
public void clearDataSource() {
configAttributeMap.clear();
configAttributeMap = null;
}
@Override
public Collection<ConfigAttribute> getAttributes(Object o) throws IllegalArgumentException {
if (configAttributeMap == null) this.loadDataSource();
List<ConfigAttribute> configAttributes = new ArrayList<>();
//获取以后拜访的门路
String url = ((FilterInvocation) o).getRequestUrl();
String path = URLUtil.getPath(url);
PathMatcher pathMatcher = new AntPathMatcher();
Iterator<String> iterator = configAttributeMap.keySet().iterator();
//获取拜访该门路所需资源
while (iterator.hasNext()) {
String pattern = iterator.next();
if (pathMatcher.match(pattern, path)) {
configAttributes.add(configAttributeMap.get(pattern));
}
}
// 未设置操作申请权限,返回空集合
return configAttributes;
}
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}
@Override
public boolean supports(Class<?> aClass) {
return true;
}
}- 这里须要留神的是,所有门路对应的权限值数据来自于自定义的
DynamicSecurityService;
/**
* 动静权限相干业务类
* Created by macro on 2020/2/7.
*/
public interface DynamicSecurityService {
/**
* 加载资源ANT通配符和资源对应MAP
*/
Map<String, ConfigAttribute> loadDataSource();
}- 所有准备就绪,把动静权限过滤器增加到
FilterSecurityInterceptor之前;
/**
* SpringSecurity 5.4.x以上新用法配置
* 为防止循环依赖,仅用于配置HttpSecurity
* Created by macro on 2022/5/19.
*/
@Configuration
public class SecurityConfig {
@Autowired
private DynamicSecurityService dynamicSecurityService;
@Autowired
private DynamicSecurityFilter dynamicSecurityFilter;
@Bean
SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
//省略若干配置...
//有动静权限配置时增加动静权限校验过滤器
if(dynamicSecurityService!=null){
registry.and().addFilterBefore(dynamicSecurityFilter, FilterSecurityInterceptor.class);
}
return httpSecurity.build();
}
}- 如果你看过这篇仅需四步,整合SpringSecurity+JWT实现登录认证 ! 的话,就晓得应该要配置这两个Bean了,一个负责获取登录用户信息,另一个负责获取存储的动静权限规定,为了适应Spring Security的新用法,咱们不再继承
SecurityConfig,简洁了不少!
/**
* mall-security模块相干配置
* 自定义配置,用于配置如何获取用户信息及动静权限
* Created by macro on 2022/5/20.
*/
@Configuration
public class MallSecurityConfig {
@Autowired
private UmsAdminService adminService;
@Bean
public UserDetailsService userDetailsService() {
//获取登录用户信息
return username -> {
AdminUserDetails admin = adminService.getAdminByUsername(username);
if (admin != null) {
return admin;
}
throw new UsernameNotFoundException("用户名或明码谬误");
};
}
@Bean
public DynamicSecurityService dynamicSecurityService() {
return new DynamicSecurityService() {
@Override
public Map<String, ConfigAttribute> loadDataSource() {
Map<String, ConfigAttribute> map = new ConcurrentHashMap<>();
List<UmsResource> resourceList = adminService.getResourceList();
for (UmsResource resource : resourceList) {
map.put(resource.getUrl(), new org.springframework.security.access.SecurityConfig(resource.getId() + ":" + resource.getName()));
}
return map;
}
};
}
}成果测试
- 接下来启动咱们的示例我的项目
mall-tiny-security,应用如下账号密码登录,该账号只配置了拜访/brand/listAll的权限,拜访地址:http://localhost:8088/swagger…
- 而后把返回的token放入到Swagger的认证头中;
- 当咱们拜访有权限的接口时能够失常获取到数据;
- 当咱们拜访没有权限的接口时,返回没有拜访权限的接口提醒。
总结
Spring Security的降级用法的确够优雅,够简略,而且对之前用法的兼容性也比拟好!个人感觉一个成熟的框架不太会在降级过程中大改用法,即便改了也会对之前的用法做兼容,所以对于绝大多数框架来说旧版本会用,新版本照样会用!
参考资料
本文仅仅是对Spring Security新用法的总结,如果你想理解Spring Security更多用法,能够参考下之前的文章。
- mall整合SpringSecurity和JWT实现认证和受权(一)
- mall整合SpringSecurity和JWT实现认证和受权(二)
- 仅需四步,整合SpringSecurity+JWT实现登录认证 !
- 手把手教你搞定权限治理,联合Spring Security实现接口的动静权限管制!
我的项目源码地址
https://github.com/macrozheng…
发表回复