南宁3及分销网站制作,西安网站制作开发,网络营销教程,海南的论坛网站建设继续昨天的认证#xff0c;今天来分析 在Spring Security中#xff0c;授权是指对用户访问系统资源的限制。Spring Security提供了多种授权方式#xff0c;包括基于角色的授权、基于表达式的授权、注解授权等。 基于角色的授权是指通过为用户分配不同的角色来限制其访问系统… 继续昨天的认证今天来分析 在Spring Security中授权是指对用户访问系统资源的限制。Spring Security提供了多种授权方式包括基于角色的授权、基于表达式的授权、注解授权等。 基于角色的授权是指通过为用户分配不同的角色来限制其访问系统资源。Spring Security提供了一些默认的角色如ROLE_USER和ROLE_ADMIN等也支持开发者自定义角色。在Spring Security中我们可以使用标签intercept-url和http来配置基于角色的授权。下面是一个例子 http intercept-url pattern/admin/** accesshasRole(ROLE_ADMIN) / /http 上述配置表示只有拥有ROLE_ADMIN角色的用户才能访问/admin/**下的资源。
Spring Security还提供了注解授权、方法级授权等多种授权方式可以根据具体需求进行选择和配置。 分析前端传来的值 访问得到了json的对象 关于权限就是往数据库中放字段设置了就有 通过流的视图方式查看 代码
MyUserDtealsService package com.lya.securty.config;import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.lya.securty.pojo.*;
import com.lya.securty.service.IModuleService;
import com.lya.securty.service.IRoleModuleService;
import com.lya.securty.service.IUserRoleService;
import com.lya.securty.service.IUserService;
import com.lya.securty.service.impl.ModuleServiceImpl;
import com.lya.securty.service.impl.RoleModuleServiceImpl;
import com.lya.securty.service.impl.RoleServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;import java.util.List;
import java.util.stream.Collectors;Component
//把他编程一个组件
public class MyUserDtealsService implements UserDetailsService {Autowiredprivate IUserService userService;Autowiredprivate IUserRoleService iUserRoleService;Autowiredprivate ModuleServiceImpl moduleService;Autowiredprivate RoleServiceImpl roleService;Autowiredprivate RoleModuleServiceImpl roleModuleService;Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {User user userService.getOne(new QueryWrapperUser().eq(username, username));if (user null) {throw new UsernameNotFoundException(用户无效);}
// 1.查出所有的身份, map遍历返回新数据--流,将流编程list
// 2.多个id对应的权限连接权限表ListInteger role_ids iUserRoleService
// 查出所有的身份.list(new QueryWrapperUserRole().eq(user_id, user.getId()))
// .stream().map(r-r.getUserId());
// 返回新数据--流.stream().map(UserRole::getUserId)
// 将流编程list.collect(Collectors.toList());
// 用id查询身份对一的名字---比如1,2普通用户超级管理。ListString roles roleService.list(new QueryWrapperRole().in(role_id, role_ids))// 返回新数据--流.stream().map(Role::getRoleName)
// 将流编程list.collect(Collectors.toList());// 根据身份id查询权限ListInteger module_ids roleModuleService.list(new QueryWrapperRoleModule().in(role_id, role_ids))
// 返回新数据--流.stream().map(RoleModule::getModuleId)
// 将流编程list.collect(Collectors.toList());
// 根据权限id查询权限ListString moudelse moduleService.list(new QueryWrapperModule().in(id, module_ids))// 返回新数据--流.stream().map(Module::getUrl)
// .filter(Object::nonNull)
// 将流编程list.collect(Collectors.toList());// roles[权限]
// modules 访问urlroles.addAll(moudelse);ListSimpleGrantedAuthority authorities roles.stream().map(e - {return new SimpleGrantedAuthority(e);}).collect(Collectors.toList());user.setAuthorities(authorities);return user;}} WebSecurityConfig package com.lya.securty.config;import com.fasterxml.jackson.databind.ObjectMapper;
import com.lya.securty.resp.JsonResponseBody;
import com.lya.securty.resp.JsonResponseStatus;
import com.lya.securty.service.impl.UserServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.web.bind.annotation.ResponseBody;import javax.sql.DataSource;/*** author all*/
Configuration//启动配置类 spring进行管理不然加载不了这个类
EnableWebSecurity
EnableGlobalMethodSecurity(prePostEnabled true)
//开启这个类
public class WebSecurityConfig {Autowired
private DataSource dataSource;//SpringBoot自己帶的一個序列化的类Autowiredprivate ObjectMapper objectMapper;/*** 配置持久化Token方式注意tokenRepository.setCreateTableOnStartup()配置*/Beanpublic PersistentTokenRepository persistentTokenRepository(){JdbcTokenRepositoryImpl tokenRepository new JdbcTokenRepositoryImpl();tokenRepository.setDataSource(dataSource);// 设置为true要保障数据库该表不存在不然会报异常哦// 所以第二次打开服务器应用程序的时候得把它设为falsetokenRepository.setCreateTableOnStartup(false);return tokenRepository;}
// 加密类Bean
// Primarypublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}/*** 配置密码编码器首次采用明文密码方式进行比对校验*/
// Bean
// public PasswordEncoder passwordEncoder(){
// return NoOpPasswordEncoder.getInstance();
// }Autowiredprivate UserServiceImpl userService;Autowiredprivate MyUserDtealsService myUserDtealsService;
// Bean
// public UserDetailsService userDetailsService() {
// UserDetails admin User.withUsername(admin)
// .password(bcryptPasswordEncoder().encode(123456))
// .roles(ADMIN, USER).build();//权限
// UserDetails user User.withUsername(user)
// .password(bcryptPasswordEncoder().encode(123456))
// .roles(USER).build();
// return new InMemoryUserDetailsManager(admin, user);
// }/*** 获取AuthenticationManager认证管理器登录时认证使用基于数据库方式* return provider* throws Exception 异常*/Beanpublic AuthenticationManager authenticationManager() throws Exception {//创建DaoAuthenticationProviderDaoAuthenticationProvider providernew DaoAuthenticationProvider();//设置userDetailsService基于数据库方式进行身份认证provider.setUserDetailsService(myUserDtealsService);//配置密码编码器provider.setPasswordEncoder(passwordEncoder());return new ProviderManager(provider);}Beanpublic SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {//认证请求http.authorizeRequests()//antMatchers匹配对应的路径//permitAll允许访问.antMatchers(/toLogin).permitAll()//hasRole具备身份//hasAnyRole具备多个身份.antMatchers(/admin/**).hasRole(ADMIN).antMatchers(/user/**).hasAnyRole(ADMIN, USER)//anyRequest其余所有请求.anyRequest()//authenticated认证.authenticated().and().formLogin()//当前登录页面.loginPage(/toLogin)//设置处理登录请求的接口.loginProcessingUrl(/userLogin)//用户的数据参数.usernameParameter(username).passwordParameter(password)//转发 进入首页 地址栏不改变//.successForwardUrl(/index)//成功处理器.successHandler((req,resp,auth)-{Object user auth.getPrincipal();JsonResponseBody.success(user);//重定向 跳转首页
// resp.sendRedirect(/index);
// 这里不要直接跳应为适应前后端分离
// 通过流的方式响应数据到前端objectMapper.writeValue(resp.getOutputStream(),JsonResponseBody.success(user));})//失败处理器.failureHandler((req,resp,ex)-{//错误信息提示req.setAttribute(msg,ex.getMessage());//重定向 跳转登录req.getRequestDispatcher(/toLogin).forward(req,resp);}).and().exceptionHandling()
// .accessDeniedPage((req,resp,ex)-{
// //错误信息提示无权限
// objectMapper
// .writeValue(resp.getOutputStream(),JsonResponseBody.other(JsonResponseStatus.NO_LOGIN));
// })// 五登录.authenticationEntryPoint((req,resp,ex)-{objectMapper.writeValue(resp.getOutputStream(),JsonResponseBody.other(JsonResponseStatus.NO_LOGIN));}).and().logout().logoutUrl(/logout).logoutSuccessUrl(/).and().rememberMe()// 指定 rememberMe 的参数名用于在表单中携带 rememberMe 的值。.rememberMeParameter(remember-me)// 指定 rememberMe 的有效期单位为秒默认2周。.tokenValiditySeconds(300)// 指定 rememberMe 的 cookie 名称。.rememberMeCookieName(remember-me-cookie)// 指定 rememberMe 的 token 存储方式可以使用默认的 PersistentTokenRepository 或自定义的实现。.tokenRepository(persistentTokenRepository())// 指定 rememberMe 的认证方式需要实现 UserDetailsService 接口并在其中查询用户信息。.userDetailsService(userService);
// 防禦http.csrf().disable();http.exceptionHandling().accessDeniedPage(/noAccess);return http.build();}}UserController添加两个具有访问权限的 package com.lya.securty.controller;import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;/*** author all*/
Controller
public class UserController {RequestMapping(/toLogin)public String toLogin() {return login;}RequestMapping(/userLogin)public String userLogin(String username, String password) {System.out.println(username username ,password password);return index;}RequestMapping(/admin/toAddUser)public String toAddUser() {return admin/addUser;}RequestMapping(/admin/toListUser)public String toListUser() {return admin/listUser;}RequestMapping(/admin/toResetPwd)public String toResetPwd() {return admin/resetPwd;}RequestMapping(/admin/toUpdateUser)public String toUpdateUser() {return admin/updateUser;}RequestMapping(/user/toUpdatePwd)public String toUpdatePwd() {return user/updatePwd;}RequestMapping(/index)public String index(){return index;}ResponseBodyRequestMapping(/add)PreAuthorize(hasAuthority(book:manager:add))public String add() {return 订单新增;}ResponseBodyRequestMapping(/oradd)PreAuthorize(hasAuthority(order:manager:add))public String oradd() {return 订单新增;}RequestMapping(/noAccess)public String noAccess() {return accessDenied;}} JsonResponseBody返回前端的Json格式数据 package com.lya.securty.resp;import lombok.Data;Data
public class JsonResponseBodyT {private Integer code;private String msg;private T data;private Long total;private JsonResponseBody(JsonResponseStatus jsonResponseStatus, T data) {this.code jsonResponseStatus.getCode();this.msg jsonResponseStatus.getMsg();this.data data;}private JsonResponseBody(JsonResponseStatus jsonResponseStatus, T data, Long total) {this.code jsonResponseStatus.getCode();this.msg jsonResponseStatus.getMsg();this.data data;this.total total;}public static T JsonResponseBodyT success() {return new JsonResponseBodyT(JsonResponseStatus.OK, null);}public static T JsonResponseBodyT success(T data) {return new JsonResponseBodyT(JsonResponseStatus.OK, data);}public static T JsonResponseBodyT success(T data, Long total) {return new JsonResponseBodyT(JsonResponseStatus.OK, data, total);}public static T JsonResponseBodyT unknown() {return new JsonResponseBodyT(JsonResponseStatus.UN_KNOWN, null);}public static T JsonResponseBodyT other(JsonResponseStatus jsonResponseStatus) {return new JsonResponseBodyT(jsonResponseStatus, null);}}响应前端的msg package com.lya.securty.resp;import lombok.Getter;Getter
public enum JsonResponseStatus {OK(200, OK),UN_KNOWN(500, 未知错误),RESULT_EMPTY(1000, 查询结果为空),NO_ACCESS(3001, 没有权限),NO_LOGIN(4001, 没有登录),LOGIN_FAILURE(5001, 登录失败),;private final Integer code;private final String msg;JsonResponseStatus(Integer code, String msg) {this.code code;this.msg msg;}}
