一、前言
本篇文章將講述Spring Security 動態分配url權限,未登錄權限控制,登錄過后根據登錄用戶角色授予訪問url權限
基本環境
- spring-boot 2.1.8
- mybatis-plus 2.2.0
- mysql 數據庫
- maven項目
Spring Security入門學習可參考之前文章:
- SpringBoot集成Spring Security入門體驗(一)
https://blog.csdn.net/qq_38225558/article/details/101754743 - Spring Security 自定義登錄認證(二)
https://blog.csdn.net/qq_38225558/article/details/102542072
二、數據庫建表
表關系簡介:
- 用戶表
t_sys_user關聯 角色表t_sys_role兩者建立中間關系表t_sys_user_role - 角色表
t_sys_role關聯 權限表t_sys_permission兩者建立中間關系表t_sys_role_permission - 最終體現效果為當前登錄用戶所具備的角色關聯能訪問的所有url,只要給角色分配相應的url權限即可
溫馨小提示:這里邏輯根據個人業務來定義,小編這里講解案例只給用戶對應的角色分配訪問權限,像其它的 直接給用戶分配權限等等可以自己實現
表模擬數據如下:
三、Spring Security 動態權限控制
1、未登錄訪問權限控制
自定義AdminAuthenticationEntryPoint類實現AuthenticationEntryPoint類
這里是認證權限入口 -> 即在未登錄的情況下訪問所有接口都會攔截到此(除了放行忽略接口)
溫馨小提示:
ResponseUtils和ApiResult是小編這里模擬前后端分離情況下返回json格式數據所使用工具類,具體實現可參考文末給出的demo源碼
@Component
public class AdminAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) {
ResponseUtils.out(response, ApiResult.fail("未登錄!!!"));
}
}
2、自定義過濾器MyAuthenticationFilter繼承OncePerRequestFilter實現訪問鑒權
每次訪問接口都會經過此,我們可以在這里記錄請求參數、響應內容,或者處理前后端分離情況下,以token換用戶權限信息,token是否過期,請求頭類型是否正確,防止非法請求等等
logRequestBody()方法:記錄請求消息體logResponseBody()方法:記錄響應消息體
【注:請求的HttpServletRequest流只能讀一次,下一次就不能讀取了,因此這里要使用自定義的MultiReadHttpServletRequest工具解決流只能讀一次的問題,響應同理,具體可參考文末demo源碼實現】
@Slf4j
@Component
public class MyAuthenticationFilter extends OncePerRequestFilter {
private final UserDetailsServiceImpl userDetailsService;
protected MyAuthenticationFilter(UserDetailsServiceImpl userDetailsService) {
this.userDetailsService = userDetailsService;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
System.out.println("請求頭類型: " + request.getContentType());
if ((request.getContentType() == null && request.getContentLength() > 0) || (request.getContentType() != null && !request.getContentType().contains(Constants.REQUEST_HEADERS_CONTENT_TYPE))) {
filterChain.doFilter(request, response);
return;
}
MultiReadHttpServletRequest wrappedRequest = new MultiReadHttpServletRequest(request);
MultiReadHttpServletResponse wrappedResponse = new MultiReadHttpServletResponse(response);
StopWatch stopWatch = new StopWatch();
try {
stopWatch.start();
// 記錄請求的消息體
logRequestBody(wrappedRequest);
// String token = "123";
// 前后端分離情況下,前端登錄后將token儲存在cookie中,每次訪問接口時通過token去拿用戶權限
String token = wrappedRequest.getHeader(Constants.REQUEST_HEADER);
log.debug("后台檢查令牌:{}", token);
if (StringUtils.isNotBlank(token)) {
// 檢查token
SecurityUser securityUser = userDetailsService.getUserByToken(token);
if (securityUser == null || securityUser.getCurrentUserInfo() == null) {
throw new AccessDeniedException("TOKEN已過期,請重新登錄!");
}
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(securityUser, null, securityUser.getAuthorities());
// 全局注入角色權限信息和登錄用戶基本信息
SecurityContextHolder.getContext().setAuthentication(authentication);
}
filterChain.doFilter(wrappedRequest, wrappedResponse);
} finally {
stopWatch.stop();
long usedTimes = stopWatch.getTotalTimeMillis();
// 記錄響應的消息體
logResponseBody(wrappedRequest, wrappedResponse, usedTimes);
}
}
private String logRequestBody(MultiReadHttpServletRequest request) {
MultiReadHttpServletRequest wrapper = request;
if (wrapper != null) {
try {
String bodyJson = wrapper.getBodyJsonStrByJson(request);
String url = wrapper.getRequestURI().replace("//", "/");
System.out.println("-------------------------------- 請求url: " + url + " --------------------------------");
Constants.URL_MAPPING_MAP.put(url, url);
log.info("`{}` 接收到的參數: {}",url , bodyJson);
return bodyJson;
} catch (Exception e) {
e.printStackTrace();
}
}
return null;
}
private void logResponseBody(MultiReadHttpServletRequest request, MultiReadHttpServletResponse response, long useTime) {
MultiReadHttpServletResponse wrapper = response;
if (wrapper != null) {
byte[] buf = wrapper.getBody();
if (buf.length > 0) {
String payload;
try {
payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
} catch (UnsupportedEncodingException ex) {
payload = "[unknown]";
}
log.info("`{}` 耗時:{}ms 返回的參數: {}", Constants.URL_MAPPING_MAP.get(request.getRequestURI()), useTime, payload);
}
}
}
}
3、自定義UserDetailsServiceImpl實現UserDetailsService 和 自定義SecurityUser實現UserDetails 認證用戶詳情
這個在上一篇文章中也提及過,但上次未做角色權限處理,這次我們來一起加上吧
@Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {
@Autowired
private UserMapper userMapper;
@Autowired
private RoleMapper roleMapper;
@Autowired
private UserRoleMapper userRoleMapper;
/***
* 根據賬號獲取用戶信息
* @param username:
* @return: org.springframework.security.core.userdetails.UserDetails
*/
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// 從數據庫中取出用戶信息
List<User> userList = userMapper.selectList(new EntityWrapper<User>().eq("username", username));
User user;
// 判斷用戶是否存在
if (!CollectionUtils.isEmpty(userList)) {
user = userList.get(0);
} else {
throw new UsernameNotFoundException("用戶名不存在!");
}
// 返回UserDetails實現類
return new SecurityUser(user, getUserRoles(user.getId()));
}
/***
* 根據token獲取用戶權限與基本信息
*
* @param token:
* @return: com.zhengqing.config.security.dto.SecurityUser
*/
public SecurityUser getUserByToken(String token) {
User user = null;
List<User> loginList = userMapper.selectList(new EntityWrapper<User>().eq("token", token));
if (!CollectionUtils.isEmpty(loginList)) {
user = loginList.get(0);
}
return user != null ? new SecurityUser(user, getUserRoles(user.getId())) : null;
}
/**
* 根據用戶id獲取角色權限信息
*
* @param userId
* @return
*/
private List<Role> getUserRoles(Integer userId) {
List<UserRole> userRoles = userRoleMapper.selectList(new EntityWrapper<UserRole>().eq("user_id", userId));
List<Role> roleList = new LinkedList<>();
for (UserRole userRole : userRoles) {
Role role = roleMapper.selectById(userRole.getRoleId());
roleList.add(role);
}
return roleList;
}
}
這里再說下自定義SecurityUser 是因為Spring Security自帶的 UserDetails (存儲當前用戶基本信息) 有時候可能不滿足我們的需求,因此我們可以自己定義一個來擴展我們的需求
getAuthorities()方法:即授予當前用戶角色權限信息
@Data
@Slf4j
public class SecurityUser implements UserDetails {
/**
* 當前登錄用戶
*/
private transient User currentUserInfo;
/**
* 角色
*/
private transient List<Role> roleList;
public SecurityUser() { }
public SecurityUser(User user) {
if (user != null) {
this.currentUserInfo = user;
}
}
public SecurityUser(User user, List<Role> roleList) {
if (user != null) {
this.currentUserInfo = user;
this.roleList = roleList;
}
}
/**
* 獲取當前用戶所具有的角色
*
* @return
*/
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
Collection<GrantedAuthority> authorities = new ArrayList<>();
if (!CollectionUtils.isEmpty(this.roleList)) {
for (Role role : this.roleList) {
SimpleGrantedAuthority authority = new SimpleGrantedAuthority(role.getCode());
authorities.add(authority);
}
}
return authorities;
}
@Override
public String getPassword() {
return currentUserInfo.getPassword();
}
@Override
public String getUsername() {
return currentUserInfo.getUsername();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
4、自定義UrlFilterInvocationSecurityMetadataSource實現FilterInvocationSecurityMetadataSource重寫getAttributes()方法 獲取訪問該url所需要的角色權限信息
執行完之后到 下一步 UrlAccessDecisionManager 中認證權限
@Component
public class UrlFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
@Autowired
PermissionMapper permissionMapper;
@Autowired
RolePermissionMapper rolePermissionMapper;
@Autowired
RoleMapper roleMapper;
/***
* 返回該url所需要的用戶權限信息
*
* @param object: 儲存請求url信息
* @return: null:標識不需要任何權限都可以訪問
*/
@Override
public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
// 獲取當前請求url
String requestUrl = ((FilterInvocation) object).getRequestUrl();
// TODO 忽略url請放在此處進行過濾放行
if ("/login".equals(requestUrl) || requestUrl.contains("logout")) {
return null;
}
// 數據庫中所有url
List<Permission> permissionList = permissionMapper.selectList(null);
for (Permission permission : permissionList) {
// 獲取該url所對應的權限
if (requestUrl.equals(permission.getUrl())) {
List<RoleMenu> permissions = rolePermissionMapper.selectList(new EntityWrapper<RoleMenu>().eq("permission_id", permission.getId()));
List<String> roles = new LinkedList<>();
if (!CollectionUtils.isEmpty(permissions)){
Integer roleId = permissions.get(0).getRoleId();
Role role = roleMapper.selectById(roleId);
roles.add(role.getCode());
}
// 保存該url對應角色權限信息
return SecurityConfig.createList(roles.toArray(new String[roles.size()]));
}
}
// 如果數據中沒有找到相應url資源則為非法訪問,要求用戶登錄再進行操作
return SecurityConfig.createList(Constants.ROLE_LOGIN);
}
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}
@Override
public boolean supports(Class<?> aClass) {
return FilterInvocation.class.isAssignableFrom(aClass);
}
}
5、自定義UrlAccessDecisionManager實現AccessDecisionManager重寫decide()方法 對訪問url進行權限認證處理
此處小編的處理邏輯是只要包含其中一個角色即可訪問
@Component
public class UrlAccessDecisionManager implements AccessDecisionManager {
/**
* @param authentication: 當前登錄用戶的角色信息
* @param object: 請求url信息
* @param collection: `UrlFilterInvocationSecurityMetadataSource`中的getAttributes方法傳來的,表示當前請求需要的角色(可能有多個)
* @return: void
*/
@Override
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> collection) throws AccessDeniedException, AuthenticationException {
// 遍歷角色
for (ConfigAttribute ca : collection) {
// ① 當前url請求需要的權限
String needRole = ca.getAttribute();
if (Constants.ROLE_LOGIN.equals(needRole)) {
if (authentication instanceof AnonymousAuthenticationToken) {
throw new BadCredentialsException("未登錄!");
} else {
throw new AccessDeniedException("未授權該url!");
}
}
// ② 當前用戶所具有的角色
Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
for (GrantedAuthority authority : authorities) {
// 只要包含其中一個角色即可訪問
if (authority.getAuthority().equals(needRole)) {
return;
}
}
}
throw new AccessDeniedException("請聯系管理員分配權限!");
}
@Override
public boolean supports(ConfigAttribute configAttribute) {
return true;
}
@Override
public boolean supports(Class<?> aClass) {
return true;
}
}
6、自定義無權限處理器 UrlAccessDeniedHandler實現AccessDeniedHandler重寫handle()方法
在這里自定義403無權限響應內容,登錄過后的權限處理
【 注:要和未登錄時的權限處理區分開哦~ 】
@Component
public class UrlAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException e) throws IOException, ServletException {
ResponseUtils.out(response, ApiResult.fail(403, e.getMessage()));
}
}
7、最后在Security 核心配置類中配置以上處理
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
/**
* 訪問鑒權 - 認證token、簽名...
*/
private final MyAuthenticationFilter myAuthenticationFilter;
/**
* 訪問權限認證異常處理
*/
private final AdminAuthenticationEntryPoint adminAuthenticationEntryPoint;
/**
* 用戶密碼校驗過濾器
*/
private final AdminAuthenticationProcessingFilter adminAuthenticationProcessingFilter;
// 上面是登錄認證相關 下面為url權限相關 - ========================================================================================
/**
* 獲取訪問url所需要的角色信息
*/
private final UrlFilterInvocationSecurityMetadataSource urlFilterInvocationSecurityMetadataSource;
/**
* 認證權限處理 - 將上面所獲得角色權限與當前登錄用戶的角色做對比,如果包含其中一個角色即可正常訪問
*/
private final UrlAccessDecisionManager urlAccessDecisionManager;
/**
* 自定義訪問無權限接口時403響應內容
*/
private final UrlAccessDeniedHandler urlAccessDeniedHandler;
public SecurityConfig(MyAuthenticationFilter myAuthenticationFilter, AdminAuthenticationEntryPoint adminAuthenticationEntryPoint, AdminAuthenticationProcessingFilter adminAuthenticationProcessingFilter, UrlFilterInvocationSecurityMetadataSource urlFilterInvocationSecurityMetadataSource, UrlAccessDeniedHandler urlAccessDeniedHandler, UrlAccessDecisionManager urlAccessDecisionManager) {
this.myAuthenticationFilter = myAuthenticationFilter;
this.adminAuthenticationEntryPoint = adminAuthenticationEntryPoint;
this.adminAuthenticationProcessingFilter = adminAuthenticationProcessingFilter;
this.urlFilterInvocationSecurityMetadataSource = urlFilterInvocationSecurityMetadataSource;
this.urlAccessDeniedHandler = urlAccessDeniedHandler;
this.urlAccessDecisionManager = urlAccessDecisionManager;
}
/**
* 權限配置
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http.antMatcher("/**").authorizeRequests();
// 禁用CSRF 開啟跨域
http.csrf().disable().cors();
// 未登錄認證異常
http.exceptionHandling().authenticationEntryPoint(adminAuthenticationEntryPoint);
// 登錄過后訪問無權限的接口時自定義403響應內容
http.exceptionHandling().accessDeniedHandler(urlAccessDeniedHandler);
// url權限認證處理
registry.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
@Override
public <O extends FilterSecurityInterceptor> O postProcess(O o) {
o.setSecurityMetadataSource(urlFilterInvocationSecurityMetadataSource);
o.setAccessDecisionManager(urlAccessDecisionManager);
return o;
}
});
// 不創建會話 - 即通過前端傳token到后台過濾器中驗證是否存在訪問權限
// http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// 標識訪問 `/home` 這個接口,需要具備`ADMIN`角色
// registry.antMatchers("/home").hasRole("ADMIN");
// 標識只能在 服務器本地ip[127.0.0.1或localhost] 訪問 `/home` 這個接口,其他ip地址無法訪問
registry.antMatchers("/home").hasIpAddress("127.0.0.1");
// 允許匿名的url - 可理解為放行接口 - 多個接口使用,分割
registry.antMatchers("/login", "/index").permitAll();
// registry.antMatchers("/**").access("hasAuthority('admin')");
// OPTIONS(選項):查找適用於一個特定網址資源的通訊選擇。 在不需執行具體的涉及數據傳輸的動作情況下, 允許客戶端來確定與資源相關的選項以及 / 或者要求, 或是一個服務器的性能
registry.antMatchers(HttpMethod.OPTIONS, "/**").denyAll();
// 自動登錄 - cookie儲存方式
registry.and().rememberMe();
// 其余所有請求都需要認證
registry.anyRequest().authenticated();
// 防止iframe 造成跨域
registry.and().headers().frameOptions().disable();
// 自定義過濾器在登錄時認證用戶名、密碼
http.addFilterAt(adminAuthenticationProcessingFilter, UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(myAuthenticationFilter, BasicAuthenticationFilter.class);
}
/**
* 忽略攔截url或靜態資源文件夾 - web.ignoring(): 會直接過濾該url - 將不會經過Spring Security過濾器鏈
* http.permitAll(): 不會繞開springsecurity驗證,相當於是允許該路徑通過
* @param web
* @throws Exception
*/
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers(HttpMethod.GET,
"/favicon.ico",
"/*.html",
"/**/*.css",
"/**/*.js");
}
}
四、編寫測試代碼
控制層:
@Slf4j
@RestController
public class IndexController {
@GetMapping("/")
public ModelAndView showHome() {
return new ModelAndView("home.html");
}
@GetMapping("/index")
public String index() {
return "Hello World ~";
}
@GetMapping("/login")
public ModelAndView login() {
return new ModelAndView("login.html");
}
@GetMapping("/home")
public String home() {
String name = SecurityContextHolder.getContext().getAuthentication().getName();
log.info("登陸人:" + name);
return "Hello~ " + name;
}
@GetMapping(value ="/admin")
// 訪問路徑`/admin` 具有`ADMIN`角色權限 【這種是寫死方式】
// @PreAuthorize("hasPermission('/admin','ADMIN')")
public String admin() {
return "Hello~ 管理員";
}
@GetMapping("/test")
public String test() {
return "Hello~ 測試權限訪問接口";
}
}
頁面和其它相關代碼這里就不貼出來了,具體可參考文末demo源碼
五、運行訪問測試效果
1、未登錄時
2、登錄過后如果有權限則正常訪問
3、登錄過后,沒有權限
這里我們可以修改數據庫角色權限關聯表t_sys_role_permission來進行測試哦 ~
Security 動態url權限也就是依賴這張表來判斷的,只要修改這張表分配角色對應url權限資源,用戶訪問url時就會動態的去判斷,無需做其他處理,如果是將權限信息放在了緩存中,修改表數據時及時更新緩存即可!
4、登錄過后,訪問數據庫中沒有配置的url 並且 在Security中沒有忽略攔截的url時
六、總結
- 自定義未登錄權限處理器
AdminAuthenticationEntryPoint- 自定義未登錄時訪問無權限url響應內容 - 自定義訪問鑒權過濾器
MyAuthenticationFilter- 記錄請求響應日志、是否合法訪問,驗證token過期等 - 自定義
UrlFilterInvocationSecurityMetadataSource- 獲取訪問該url所需要的角色權限 - 自定義
UrlAccessDecisionManager- 對訪問url進行權限認證處理 - 自定義
UrlAccessDeniedHandler- 登錄過后訪問無權限url失敗處理器 - 自定義403無權限響應內容 - 在
Security核心配置類中配置以上處理器和過濾器
Security動態權限相關代碼:
