乐趣区

关于java:从零学习SpringSecurity

一、简介

SpringSecurity 是一个功能强大且高度可定制的身份验证和访问控制框架,和 spring 我的项目整合更加不便。

二、外围性能

  • 认证 (Authentication):指的是验证某个用户是否拜访该零碎。
  • 受权 (Authorization):指的是验证某个用户是否有权限执行某个操作。

三、搭建 v1.0 版本

1、新建一个 springboot 我的项目

myspringsecurity

2、增加 maven 依赖

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

3、新建一个 test 的 controller

package com.zb.myspringsecurity.controller;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/demo")
public class DemoController {@RequestMapping("/hello")
    public String hello() {return "hello world";}
}

4、启动我的项目

MyspringsecurityApplication.main();

5、用浏览器测试

http://localhost:8080/demo/hello

咱们会发现浏览器会跳转到 login 页面,如下图

6、明码登陆

咱们能够在我的项目启动日志外面找到明码

2021-07-19 10:58:48.558  INFO 5244 --- [main] .s.DelegatingFilterProxyRegistrationBean : Mapping filter: 'springSecurityFilterChain' to: [/*]
2021-07-19 10:58:48.558  INFO 5244 --- [main] o.s.b.w.servlet.ServletRegistrationBean  : Servlet dispatcherServlet mapped to [/]
2021-07-19 10:58:48.684  INFO 5244 --- [main] o.s.s.concurrent.ThreadPoolTaskExecutor  : Initializing ExecutorService 'applicationTaskExecutor'
2021-07-19 10:58:48.812  INFO 5244 --- [main] .s.s.UserDetailsServiceAutoConfiguration : 

Using generated security password: ced4127a-1677-438e-a65b-2ab219137083

2021-07-19 10:58:48.868  INFO 5244 --- [main] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@40021799, org.springframework.security.web.context.SecurityContextPersistenceFilter@2d7e1102, org.springframework.security.web.header.HeaderWriterFilter@3fbfa96, org.springframework.security.web.csrf.CsrfFilter@61533ae, org.springframework.security.web.authentication.logout.LogoutFilter@4a699efa, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@4482469c, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@4917d36b, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@4a1c0752, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@278f8425, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2adddc06, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4ebadd3d, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@332f25c8, org.springframework.security.web.session.SessionManagementFilter@466d49f0, org.springframework.security.web.access.ExceptionTranslationFilter@599f571f, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@7004e3d]
2021-07-19 10:58:48.911  INFO 5244 --- [main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8080 (http) with context path ''
2021-07-19 10:58:48.914  INFO 5244 --- [main] c.z.m.MyspringsecurityApplication        : Started MyspringsecurityApplication in 1.458 seconds (JVM running for 2.405)
  • 用户名是:user
  • 明码(从日志找到)是:ced4127a-1677-438e-a65b-2ab219137083

登录胜利如下图:

二、进阶版 v2.0(配置文件配置用户明码)

1、配置文件外面写用户名明码

方才的明码生成在日志外面了,理论应用很不不便,能够把明码用户名固定配置一下

spring.security.user.name=admin
spring.security.user.password=123
  • 重新启动我的项目,会发现没有生成明码的日志了
  • 测试用新的用户名明码没问题

三、v3.0(java 类外面写用户名明码)

1、在 java 类外面配置用户名明码

方才是写在配置文件外面,咱们还能够写到 java 类外面

package com.zb.myspringsecurity.config.security;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class ZbWebSecurityConfigurer extends WebSecurityConfigurerAdapter {

 @Bean
 PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();
 }

 public void configure(AuthenticationManagerBuilder auth) throws Exception {auth.inMemoryAuthentication()
            .withUser("zhangsan")
            .password(passwordEncoder().encode("123"))
            .roles("ADMIN")
            .and()
            .withUser("lisi")
            .password(passwordEncoder().encode("123"))
            .roles("ADMIN")
            .and()
            .withUser("wangwu")
            .password(passwordEncoder().encode("123"))
            .roles("ADMIN")
            ;
 }
    
}

咱们再重启我的项目测试一下,发现用三个用户名明码都没问题。

四、v4.0(ignore url)

1、批改下面的 java 类,减少两个办法

@Override
public void configure(WebSecurity web) throws Exception {web.ignoring().antMatchers(
            //"/**/*.html",
            "/**/*.js",
            "/**/*.css",
            "/**/*.ico",
            "/**/*.jpg",
            "/**/*.png",
            "/test/**" // 疏忽 test
    );
}

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .httpBasic();}
  • 咱们配置了 ignore 的 url
  • 咱们再加一个 controller 用来测试
package com.zb.myspringsecurity.controller;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/test")
public class TestController {@RequestMapping("/test")
    public String hello() {return "hello test";}
}
  • 留神咱们下面的 ignore 外面有:”/test/**”
  • 也就是说 TestController 不会有登录校验

重启我的项目测试一下没问题

五、v5.0(在数据库外面配置用户名明码)

1、新建 mysql 库


create database myspringsecurity CHARACTER SET = utf8mb4 COLLATE = utf8mb4_unicode_ci;

create user securityuser IDENTIFIED by 'securitypass';

grant all privileges on myspringsecurity.* to securityuser@localhost identified by 'securitypass';

flush privileges;

2、新建用户表和角色表

DROP TABLE IF EXISTS `tb_user`;

CREATE TABLE `tb_user` (`id` bigint(20) NOT NULL AUTO_INCREMENT,
`user_name` varchar(50) DEFAULT NULL,
`password` varchar(100) DEFAULT NULL,
`mobile` int(11) DEFAULT NULL,
`sex` int(2) DEFAULT NULL,
`email` varchar(50) DEFAULT NULL,
`status` int(2) DEFAULT NULL,
`create_time` DATE DEFAULT NULL,
`create_id` int(11) DEFAULT NULL,
`update_time` date DEFAULT NULL,
`update_id` int(11) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;

DROP TABLE IF EXISTS `tb_role`;

CREATE TABLE `tb_role` (`id` bigint(20) NOT NULL AUTO_INCREMENT,
`role_name` varchar(50) DEFAULT NULL,
`status` int(2) DEFAULT NULL,
`create_time` DATE DEFAULT NULL,
`create_id` int(11) DEFAULT NULL,
`update_time` date DEFAULT NULL,
`update_id` int(11) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;

DROP TABLE IF EXISTS `tr_user_role`;

CREATE TABLE `tr_user_role` (`id` bigint(20) NOT NULL AUTO_INCREMENT,
`user_id` bigint(20) DEFAULT NULL,
`role_id` bigint(20) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;

3、初始化一些数据

insert into `tb_user` (id, user_name, password) values (1, 'zhangsan', '123');
insert into `tb_user` (id, user_name, password) values (2, 'lisi', '123');
insert into `tb_user` (id, user_name, password) values (3, 'wangwu', '123');

insert into `tb_role` (id, role_name) values (1, '系统管理员');
insert into `tb_role` (id, role_name) values (2, '个别操作员');

insert into `tr_user_role` (id, user_id, role_id) values (1, 1, 1);
insert into `tr_user_role` (id, user_id, role_id) values (2, 1, 2);
insert into `tr_user_role` (id, user_id, role_id) values (3, 2, 2);

4、退出 maven 依赖

咱们这里用了 mybatis-plus。

<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>5.1.44</version>
</dependency>

<dependency>
    <groupId>com.baomidou</groupId>
    <artifactId>mybatis-plus-boot-starter</artifactId>
    <version>3.1.2</version>
</dependency>

5、引入 mybatis-plus 主动生成代码的依赖

<!-- mybatis-plus 代码生成 -->
<dependency>
    <groupId>org.freemarker</groupId>
    <artifactId>freemarker</artifactId>
    <version>2.3.29</version>
</dependency>

<dependency>
    <groupId>com.baomidou</groupId>
    <artifactId>mybatis-plus-generator</artifactId>
    <version>3.1.2</version>
</dependency>

6、批改代码生成类

package com.zb.myspringsecurity.config.mybatis;

import com.baomidou.mybatisplus.core.toolkit.StringPool;
import com.baomidou.mybatisplus.generator.AutoGenerator;
import com.baomidou.mybatisplus.generator.InjectionConfig;
import com.baomidou.mybatisplus.generator.config.*;
import com.baomidou.mybatisplus.generator.config.po.TableInfo;
import com.baomidou.mybatisplus.generator.config.rules.NamingStrategy;
import com.baomidou.mybatisplus.generator.engine.FreemarkerTemplateEngine;

import java.util.ArrayList;
import java.util.List;

public class MybatisGenerator {public static void main(String[] args) {AutoGenerator mpg = new AutoGenerator();

        // 全局配置
        GlobalConfig gc = new GlobalConfig();
        final String projectPath = System.getProperty("user.dir");
        gc.setOutputDir(projectPath + "/src/main/java");
        gc.setAuthor("system");
        gc.setOpen(false);
        gc.setFileOverride(true);
        gc.setBaseResultMap(true);
        // gc.setSwagger2(true); 实体属性 Swagger2 注解
        mpg.setGlobalConfig(gc);

        // 数据源配置
        DataSourceConfig dsc = new DataSourceConfig();
        dsc.setUrl("jdbc:mysql://127.0.0.1:3306/myspringsecurity?useUnicode=true&useSSL=false&characterEncoding=utf8");
        // dsc.setSchemaName("public");
        dsc.setDriverName("com.mysql.jdbc.Driver");
        dsc.setUsername("securityuser");
        dsc.setPassword("securitypass");
        mpg.setDataSource(dsc);

        // 包配置
        PackageConfig pc = new PackageConfig();
        pc.setParent("com.zb.myspringsecurity");
        mpg.setPackageInfo(pc);

        // 自定义配置
        InjectionConfig cfg = new InjectionConfig() {
            @Override
            public void initMap() {// to do nothing}
        };

        // 如果模板引擎是 freemarker
        String templatePath = "/templates/mapper.xml.ftl";
        // 如果模板引擎是 velocity
        // String templatePath = "/templates/mapper.xml.vm";

        // 自定义输入配置
        List<FileOutConfig> focList = new ArrayList<>();
        // 自定义配置会被优先输入
        focList.add(new FileOutConfig(templatePath) {
            @Override
            public String outputFile(TableInfo tableInfo) {
                // 自定义输入文件名,如果你 Entity 设置了前后缀、此处留神 xml 的名称会跟着发生变化!!return projectPath + "/src/main/resources/mapper/" + tableInfo.getEntityName() + "Mapper" + StringPool.DOT_XML;}
        });
        cfg.setFileOutConfigList(focList);
        mpg.setCfg(cfg);

        // 配置模板
        TemplateConfig templateConfig = new TemplateConfig();
        templateConfig.setXml(null);
        mpg.setTemplate(templateConfig);

        // 策略配置
        StrategyConfig strategy = new StrategyConfig();
        strategy.setNaming(NamingStrategy.underline_to_camel);
        strategy.setColumnNaming(NamingStrategy.underline_to_camel);
        // strategy.setSuperEntityClass("com.baomidou.ant.common.BaseEntity");
        strategy.setEntityLombokModel(true);
        strategy.setRestControllerStyle(false);
        // 公共父类
        // strategy.setSuperControllerClass("com.baomidou.ant.common.BaseController");
        // 写于父类中的公共字段
        // strategy.setSuperEntityColumns("id");
        strategy.setInclude("tb_user","tb_role","tr_user_role");
        //  strategy.setControllerMappingHyphenStyle(true);
        strategy.setTablePrefix("tb_", "tr_");
        mpg.setStrategy(strategy);
        mpg.setTemplateEngine(new FreemarkerTemplateEngine());
        mpg.execute();}
}
  • 执行生成 mapper,service 和 controller
  • mybatis 筹备好了,能够批改 security 配置了

7、批改 configure 办法

原先的:

public void configure(AuthenticationManagerBuilder auth) throws Exception {auth.inMemoryAuthentication()
            .withUser("zhangsan")
            .password(passwordEncoder().encode("123"))
            .roles("ADMIN")
            .and()
            .withUser("lisi")
            .password(passwordEncoder().encode("123"))
            .roles("ADMIN")
            .and()
            .withUser(passwordEncoder().encode("123"))
            .password("123")
            .roles("ADMIN")
            ;

}

改成新的:

@Autowired
ZxUserDetailsServiceImpl zxUserDetailsService;

public void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(zxUserDetailsService);
}

8、新增 ZxUserDetailsServiceImpl 类

package com.zb.myspringsecurity.config.security;

import com.zb.myspringsecurity.entity.Role;
import com.zb.myspringsecurity.entity.User;
import com.zb.myspringsecurity.entity.UserRole;
import com.zb.myspringsecurity.service.IUserRoleService;
import com.zb.myspringsecurity.service.IUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;

import java.util.ArrayList;
import java.util.List;

@Component
public class ZxUserDetailsServiceImpl implements UserDetailsService {
    
    @Autowired
    PasswordEncoder passwordEncoder;
    @Autowired
    IUserService iUserService;
    @Autowired
    IUserRoleService iUserRoleService;
    
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        /**
         // DEMO:
         
        List<SimpleGrantedAuthority> authorityList = new ArrayList<>();
        authorityList.add(new SimpleGrantedAuthority("Admin"));
        
        ZxUser zxUser = new ZxUser();
        zxUser.setUserName("zhangsanfeng");
        zxUser.setPassword(passwordEncoder.encode("123"));
        zxUser.setAuthorities(authorityList);
        return zxUser;
         
         */
        
        List<User> userList = iUserService.lambdaQuery().eq(User::getUserName, username).list();
        if (CollectionUtils.isEmpty(userList)) {throw new UsernameNotFoundException("不存在的用户");
        }
        User user = userList.get(0);
        ZxUser zxUser = new ZxUser();
        zxUser.setUserName(user.getUserName());
        zxUser.setPassword(passwordEncoder.encode(user.getPassword()));
        zxUser.setId(user.getId());
        
        List<UserRole> userRoleList = iUserRoleService.lambdaQuery().eq(UserRole::getUserId, zxUser.getId()).list();
        List<SimpleGrantedAuthority> authorityList = new ArrayList<>();
        if (!CollectionUtils.isEmpty(userRoleList)) {for (UserRole userRole : userRoleList) {authorityList.add(new SimpleGrantedAuthority(String.valueOf(userRole.getRoleId())));
            }
        }
        zxUser.setAuthorities(authorityList);
        return zxUser;
    }
}

9、新增自定义 user

package com.zb.myspringsecurity.config.security;

import com.zb.myspringsecurity.entity.User;
import lombok.Data;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Collection;

@Data
public class ZxUser extends User implements UserDetails {

    private Collection<? extends GrantedAuthority> authorities;
    
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {return authorities;}

    @Override
    public String getPassword() {return super.getPassword();
    }

    @Override
    public String getUsername() {return super.getUserName();
    }

    @Override
    public boolean isAccountNonExpired() {return true;}

    @Override
    public boolean isAccountNonLocked() {return true;}

    @Override
    public boolean isCredentialsNonExpired() {return true;}

    @Override
    public boolean isEnabled() {return true;}
}

10、验证

重启服务,用数据库外面的用户和明码验证没问题。

六、v6.0(实现前后端拆散,token 校验)

1、引入认证管理器 bean

/**
* 认证管理器
* @return
* @throws Exception
*/
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean();
}

2、写一个对立的登录接口

package com.zb.myspringsecurity.controller;

import com.zb.myspringsecurity.config.security.ZxUser;
import com.zb.myspringsecurity.config.security.ZxUserDetailsServiceImpl;
import com.zb.myspringsecurity.config.vo.CommonResponse;
import com.zb.myspringsecurity.config.vo.LoginParamVo;
import com.zb.myspringsecurity.config.vo.TokenVo;
import com.zb.myspringsecurity.service.TokenService;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.annotation.Resource;

@Slf4j
@RestController
@RequestMapping("/login")
public class LoginController {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Resource
    ZxUserDetailsServiceImpl userDetailsService;
    
    @Resource
    TokenService tokenService;

    @RequestMapping("/login-in")
    public CommonResponse<TokenVo> login(@RequestBody LoginParamVo loginParamVo) {
        try {
            // 1 创立 UsernamePasswordAuthenticationToken
            UsernamePasswordAuthenticationToken token
                    = new UsernamePasswordAuthenticationToken(loginParamVo.getUsername(), loginParamVo.getPassword());
            // 2 认证
            Authentication authentication = this.authenticationManager.authenticate(token);
            // 3 保留认证信息
            SecurityContextHolder.getContext().setAuthentication(authentication);
            // 4 加载 UserDetails
            ZxUser zxUser = this.userDetailsService.loadUserByUsername(loginParamVo.getUsername());
            // 5 生成自定义 token
            TokenVo tokenVo = tokenService.createToken(zxUser);
            return CommonResponse.successWithData(tokenVo);
        } catch (Exception e) {return CommonResponse.fail(401, e.getMessage());
        }

    }
}

3、tokenservice

package com.zb.myspringsecurity.service;

import com.zb.myspringsecurity.config.vo.TokenVo;
import org.springframework.security.core.userdetails.UserDetails;

public interface TokenService {TokenVo createToken(UserDetails details);
    
    boolean verifyToken(String token);
    
    String getUserNameByToken(String token);
}

简略的实现:

package com.zb.myspringsecurity.service.impl;

import com.zb.myspringsecurity.config.vo.TokenVo;
import com.zb.myspringsecurity.service.TokenService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;

import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

@Service
public class TokenServiceImpl implements TokenService {
    
    // todo 能够存 redis, 设置过期工夫
    private static final Map<String, String> tokenMap = new HashMap<>();
    
    @Override
    public TokenVo createToken(UserDetails details) {String token = UUID.randomUUID().toString();
        tokenMap.put(token, details.getUsername());
        
        TokenVo tokenVo = new TokenVo();
        tokenVo.setToken(token);
        tokenVo.setExpireTime(60*60);
        
        return tokenVo;
    }

    @Override
    public boolean verifyToken(String token) {return tokenMap.get(token) != null;
    }

    @Override
    public String getUserNameByToken(String token) {return tokenMap.get(token);
    }

}
  • 创立 token, 校验 token, 依据 token 获取 username
  • 存的是 token 和 username 的关系

4、批改校验形式

批改为:SessionCreationPolicy.STATELESS

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .csrf().disable()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .httpBasic()
            ;

}

5、减少一个校验 token 的 filter

@Autowired
ZbTokenAuthenticationFilter zbTokenAuthenticationFilter;

httpSecurity.addFilterBefore(zbTokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

filter:

package com.zb.myspringsecurity.config.security.customer;

import com.zb.myspringsecurity.config.security.ZxUser;
import com.zb.myspringsecurity.config.security.ZxUserDetailsServiceImpl;
import com.zb.myspringsecurity.service.IUserRoleService;
import com.zb.myspringsecurity.service.TokenService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Service;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Service
public class ZbTokenAuthenticationFilter extends OncePerRequestFilter {
    @Autowired
    TokenService tokenService;
    @Autowired
    IUserRoleService iUserRoleService;
    @Autowired
    ZxUserDetailsServiceImpl userDetailsService;
    
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {logger.info("TokenAuthenticationFilter.doFilterInternal start ...");
        String token = request.getHeader("token");

        if (token == null || "".equals(token)) {logger.info("token is null , return .");
            filterChain.doFilter(request, response);
            return;
        }

        if (SecurityContextHolder.getContext().getAuthentication() != null) {filterChain.doFilter(request, response);
            return;
        }

       boolean result = tokenService.verifyToken(token);
        if (!result) {logger.info("ssoService.verifyToken not pass , return .");
            filterChain.doFilter(request, response);
            return;
        }

        ZxUser zxUser = userDetailsService.loadUserByUsername(tokenService.getUserNameByToken(token));

        UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(zxUser, null, zxUser.getAuthorities());

        authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
        
        logger.info("token valid pass , username :" + zxUser.getUsername());
        SecurityContextHolder.getContext().setAuthentication(authentication);
        filterChain.doFilter(request, response);
    }
}
  • 至此,咱们曾经把我的项目革新成前后端拆散的了
  • 有数据库用户明码登录
  • 有登录生成 token
  • 有校验 url, header 必须蕴含 token

七、v7.0(权限管制)

咱们下面曾经把 spring security 的一个外围性能(认证)说完了,上面咱们说受权。

1、减少权限表,关联表

DROP TABLE IF EXISTS `tb_permission`;

CREATE TABLE `tb_permission` (`id` bigint(20) NOT NULL AUTO_INCREMENT,
`en_name` varchar(50) DEFAULT NULL,
`cn_name` varchar(50) DEFAULT NULL,
`create_time` DATE DEFAULT NULL,
`create_id` int(11) DEFAULT NULL,
`update_time` date DEFAULT NULL,
`update_id` int(11) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;

DROP TABLE IF EXISTS `tr_role_permission`;

CREATE TABLE `tr_role_permission` (`id` bigint(20) NOT NULL AUTO_INCREMENT,
`role_id` bigint(20) DEFAULT NULL,
`permission_id` bigint(20) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;

2、初始化数据


insert into `tb_permission` (id, en_name, cn_name) values (1, 'system:user:read', '可读');
insert into `tb_permission` (id, en_name, cn_name) values (2, 'system:user:edit', '可批改');

insert into `tr_role_permission` (id, role_id, permission_id) values (1, 1, 1);
insert into `tr_role_permission` (id, role_id, permission_id) values (2, 1, 2);
insert into `tr_role_permission` (id, role_id, permission_id) values (3, 2, 1);

3、批改 ZxUser

减少 permissionSet

@Data
public class ZxUser extends User implements UserDetails {

    ...
    
    private Set<String> permissionSet;
    
    ...
}

4、批改 loadUserByUsername 办法

减少权限查问局部:

@Override
public ZxUser loadUserByUsername(String username) throws UsernameNotFoundException {List<User> userList = iUserService.lambdaQuery().eq(User::getUserName, username).list();
    if (CollectionUtils.isEmpty(userList)) {throw new UsernameNotFoundException("不存在的用户");
    }
    User user = userList.get(0);
    ZxUser zxUser = new ZxUser();
    zxUser.setUserName(user.getUserName());
    zxUser.setPassword(passwordEncoder.encode(user.getPassword()));
    zxUser.setId(user.getId());
    
    List<SimpleGrantedAuthority> authorityList = new ArrayList<>();

    // role
    List<UserRole> userRoleList = iUserRoleService.lambdaQuery().eq(UserRole::getUserId, zxUser.getId()).list();
    if (!CollectionUtils.isEmpty(userRoleList)) {for (UserRole userRole : userRoleList) {authorityList.add(new SimpleGrantedAuthority(String.valueOf(userRole.getRoleId())));
        }

        // permission
        List<Long> roleIdList = userRoleList.stream().map(UserRole::getRoleId).collect(Collectors.toList());
        List<RolePermission> rolePermissionList = iRolePermissionService.lambdaQuery()
                .in(RolePermission::getRoleId, roleIdList).list();
        if (!CollectionUtils.isEmpty(rolePermissionList)) {
            Collection<Permission> permissionList = iPermissionService
                    .listByIds(rolePermissionList.stream()
                            .map(RolePermission::getPermissionId).collect(Collectors.toList()));
            Set<String> permissionSet = permissionList.stream().map(Permission::getEnName).collect(Collectors.toSet());
            zxUser.setPermissionSet(permissionSet);
        }
    }
    zxUser.setAuthorities(authorityList);
    return zxUser;
}

5、咱们实现一个本人的权限管制类

package com.zb.myspringsecurity.config.security.customer;

import com.zb.myspringsecurity.config.security.ZxUser;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

import java.io.Serializable;
import java.util.Set;

@Slf4j
@Component
public class ZbPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {ZxUser user = (ZxUser) authentication.getPrincipal();
        Set<String> permissonSet = user.getPermissionSet();
        if (permission == null) {log.info("permission valid not pass , permission is null");
            return false;
        }
        if (permissonSet.contains(permission.toString())) {log.info("permission valid pass , permission : {}", permission.toString());
            return true;
        }
        log.info("permission valid not pass , permission : {}", permission.toString());
        return false;
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {return false;}
}
  • 很简略,就是判断权限汇合存不存在以后权限

6、配置使之失效

    
@Autowired
ZbPermissionEvaluator zbPermissionEvaluator;

@Bean
public DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler() {DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
    defaultWebSecurityExpressionHandler.setPermissionEvaluator(zbPermissionEvaluator);
    return defaultWebSecurityExpressionHandler;
}

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    
    ...

    httpSecurity.authorizeRequests().expressionHandler(defaultWebSecurityExpressionHandler());

    ...

}

7、测试类

package com.zb.myspringsecurity.controller;


import com.zb.myspringsecurity.entity.User;
import com.zb.myspringsecurity.service.IUserService;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletRequest;
import java.util.List;

@Slf4j
@RestController
@RequestMapping("/user")
public class UserController {

    @Autowired
    IUserService iUserService;

    @PreAuthorize("hasPermission('UserController','system:user:read')")
    @RequestMapping("/list")
    public List<User> list(HttpServletRequest request) {log.info("session id: {}" , request.getSession().getId());
        return iUserService.list();}
}

8、启动服务测试

  • 留神: 咱们下面的 /user/list, 配置了 ’system:user:read’ 权限
  • 认真去看咱们初始化的数据库数据,会发现 wangwu 是没有任何角色的,也没有任何权限
  • 所以,wangwu 不能拜访 /user/list

先测试 zhangsan:

POST http://localhost:8080/login/login-in
Accept: */*
Cache-Control: no-cache
content-type:application/json

{"username":"zhangsan", "password":"123"}

返回:

{
  "data": {
    "token": "e048ba23-7061-43d6-ab35-7c2eb93acda8",
    "expireTime": 3600
  },
  "code": 200,
  "msg": "ok"
}

用这个 token 去申请 /user/list


GET http://localhost:8080/user/list
Accept: application/json
token: e048ba23-7061-43d6-ab35-7c2eb93acda8

返回:

[
  {
    "id": 1,
    "userName": "zhangsan",
    "password": "123",
    "mobile": null,
    "sex": null,
    "email": null,
    "status": null,
    "createTime": null,
    "createId": null,
    "updateTime": null,
    "updateId": null
  },
  {
    "id": 2,
    "userName": "lisi",
    "password": "123",
    "mobile": null,
    "sex": null,
    "email": null,
    "status": null,
    "createTime": null,
    "createId": null,
    "updateTime": null,
    "updateId": null
  },
  {
    "id": 3,
    "userName": "wangwu",
    "password": "123",
    "mobile": null,
    "sex": null,
    "email": null,
    "status": null,
    "createTime": null,
    "createId": null,
    "updateTime": null,
    "updateId": null
  }
]
  • 用同样的办法测试 lisi 和 wangwu,lisi 能够拜访,wangwu 不能够,返回如下
{
  "timestamp": "2021-07-19T06:53:38.833+0000",
  "status": 500,
  "error": "Internal Server Error",
  "message": "No message available",
  "path": "/user/list"
}
  • 当然你还能够对立你的异样回复信息,能够自行钻研
  • 至此,咱们的权限管制也实现了

八、总结

  • 至此,咱们的认证和鉴权都说完了
  • 以上只是一种实现,spring security 反对自定义扩大,还有其它实现形式,能够本人钻研
  • 代码放到 github 上了,关注公众号:丰极,回复:myspringsecurity 获取

欢送关注微信公众号:丰极,更多技术学习分享。

退出移动版