关于spring:Spring-Security权限注解

启用注解

@EnableGlobalMethodSecurity(prePostEnabled = true)

失常启用开启那个注解就行，上面放下我的配置

package com.fedtech.sys.provider.config.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;

import javax.annotation.Resource;

/**
 * 资源配置
 *
 * @author <a href = "mailto:njpkhuan@gmail.com" > huan </a >
 * @date 2021/1/13
 * @since 1.0.0
 */
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Resource
    RedisConnectionFactory redisConnectionFactory;
    @Resource
    private TokenStore tokenStore;

    @Bean
    public TokenStore redisTokenStore() {return new RedisTokenStore(redisConnectionFactory);
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {resources.tokenStore(tokenStore);
    }
}

角色

    /**
     * 查问单个用户
     *
     * @param query {@link UserQuery}
     *
     * @return com.fedtech.common.util.result.R<com.fedtech.sys.provider.view.UserView>
     *
     * @author <a href = "mailto:njpkhuan@gmail.com" > huan </a >
     * @date 2021/2/20
     * @since 1.0.0
     */
    @GetMapping("select")
    @PreAuthorize("hasAuthority('admin')")
    public R<UserView> selectUser(UserQuery query) {UserDto dto = userService.selectUser(query);
        return R.successWithData(userMapper.dto2View(dto));
    }

权限

默认的是 DenyAllPermissionEvaluator，所有权限都回绝，所以要自定义

自定义解决逻辑

我是把权限放到了自定义的 userDetails 外面

package com.fedtech.common.model;

import cn.hutool.core.collection.CollUtil;
import lombok.Data;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.StringTokenizer;

/**
 * 该类返回的是平安的，可能提供给用户看到的信息，即脱敏后的信息
 *
 * @author <a href = "mailto:njpkhuan@gmail.com" > huan </a >
 * @date 2021/1/9
 * @since 1.0.0
 */
@Data
@Slf4j
public class SecurityUser implements UserDetails {
    private static final long serialVersionUID = 8689435103879098852L;
    /**
     * 盐
     */
    private String salt;

    /**
     * 用户 token
     */
    private String token;

    /**
     * 用户状态
     */
    private String status;

    /**
     * 用户明码
     */
    private String password;

    /**
     * 用户登录账号
     */
    private String loginName;

    private Long userId;

    /**
     * 用户角色
     *
     * @date 2021/1/10
     * @since 1.0.0
     */
    private List<UserRole> roleList;
    /**
     * 权限列表
     *
     * @date 2021/1/11
     * @since 1.0.0
     */
    private List<UserPermission> permissionList;


    /**
     * 客户端用户
     *
     * @param client 客户端
     *
     * @author <a href = "mailto:njpkhuan@gmail.com" > huan </a >
     * @date 2021/1/13
     * @since 1.0.0
     */
    public SecurityUser(OauthClientDetails client) {if (client != null) {password = client.getClientSecret();
            loginName = client.getClientId();
            String authorities = client.getAuthorities();
            StringTokenizer stringTokenizer = new StringTokenizer(authorities, ",");
            roleList = new ArrayList<>();
            if (stringTokenizer.hasMoreTokens()) {UserRole userRole = new UserRole();
                userRole.setCode(stringTokenizer.nextToken());
                roleList.add(userRole);
            }
        }
    }

    /**
     * 普通用户
     *
     * @param user           用户
     * @param roleList       角色
     * @param permissionList 权限
     *
     * @author <a href = "mailto:njpkhuan@gmail.com" > huan </a >
     * @date 2021/1/13
     * @since 1.0.0
     */
    public SecurityUser(User user, List<UserRole> roleList, List<UserPermission> permissionList) {if (user != null) {salt = user.getSalt();
            token = user.getToken();
            status = user.getStatus();
            password = user.getPassword();
            loginName = user.getLoginName();
            userId = user.getId();
            this.roleList = roleList;
            this.permissionList = permissionList;
        }
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {Collection<GrantedAuthority> authorities = new ArrayList<>();
        if (!CollUtil.isEmpty(roleList)) {for (UserRole role : roleList) {SimpleGrantedAuthority authority = new SimpleGrantedAuthority(role.getCode());
                authorities.add(authority);
            }
        }
        log.debug("获取到的用户权限：{}", authorities);
        return authorities;
    }

    @Override
    public String getPassword() {return password;}

    @Override
    public String getUsername() {return loginName;}

    @Override
    public boolean isAccountNonExpired() {return true;}

    @Override
    public boolean isAccountNonLocked() {return true;}

    @Override
    public boolean isCredentialsNonExpired() {return true;}

    @Override
    public boolean isEnabled() {return true;}
}

package com.fedtech.common.config;

import cn.hutool.core.collection.CollUtil;
import com.fedtech.common.model.SecurityUser;
import com.fedtech.common.model.UserPermission;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

import java.io.Serializable;
import java.util.List;


/**
 * 自定义权限解决
 *
 * @author <a href="mailto:njpkhuan@gmail.com">huan</a>
 * @version 1.0.0
 * @date 2021/2/26
 */
@Slf4j
@Configuration
public class MyPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {SecurityUser principal = (SecurityUser) authentication.getPrincipal();
        List<UserPermission> permissionList = principal.getPermissionList();
        if (CollUtil.isNotEmpty(permissionList)) {return permissionList.stream().anyMatch(x -> StringUtils.equals(x.getUrl(), (CharSequence) targetDomainObject) &&
                    StringUtils.equals(x.getCode(), (CharSequence) permission));
        }
        return false;
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {return false;}
}

应用

    /**
     * 查问单个用户
     *
     * @param query {@link UserQuery}
     *
     * @return com.fedtech.common.util.result.R<com.fedtech.sys.provider.view.UserView>
     *
     * @author <a href = "mailto:njpkhuan@gmail.com" > huan </a >
     * @date 2021/2/20
     * @since 1.0.0
     */
    @GetMapping("select")
    @PreAuthorize("hasPermission('/sys/user/insert','userInsert')")
    public R<UserView> selectUser(UserQuery query) {UserDto dto = userService.selectUser(query);
        return R.successWithData(userMapper.dto2View(dto));
    }