自己写一个RBAC实现基于spring security

2024-08-29 08:18
文章标签 java 实现 spring security rbac

本文主要是介绍自己写一个RBAC实现基于spring security,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

终于看完慕课网的一个实战视频http://coding.imooc.com/class/134.html
下面来做一个简单的使用springsecurity +JWT的rbac实现
首先创建pom项目

  <dependencyManagement><dependencies><!--管理版本--><dependency><groupId>io.spring.platform</groupId><artifactId>platform-bom</artifactId><version>Brussels-SR4</version><type>pom</type><scope>import</scope></dependency><!--使用spring cloud--><dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-dependencies</artifactId><version>Dalston.SR2</version><type>pom</type><scope>import</scope></dependency></dependencies></dependencyManagement><build><plugins><plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId><version>3.2</version><configuration><source>1.8</source>                <target>1.8</target><encoding>UTF-8</encoding></configuration></plugin></plugins></build>

创建子项目

<dependencies><dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter-oauth2</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-redis</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-jdbc</artifactId></dependency><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId></dependency><dependency><groupId>org.springframework.social</groupId><artifactId>spring-social-config</artifactId></dependency><dependency><groupId>org.springframework.social</groupId><artifactId>spring-social-core</artifactId></dependency><dependency><groupId>org.springframework.social</groupId><artifactId>spring-social-security</artifactId></dependency><dependency><groupId>org.springframework.social</groupId><artifactId>spring-social-web</artifactId></dependency><dependency><groupId>commons-lang</groupId><artifactId>commons-lang</artifactId></dependency><dependency><groupId>commons-collections</groupId><artifactId>commons-collections</artifactId></dependency><dependency><groupId>commons-beanutils</groupId><artifactId>commons-beanutils</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-configuration-processor</artifactId></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId><version>0.7.0</version></dependency></dependencies>  

创建一个springboot启动类(略)

创建一个Bean注册的类

@Configuration
public class SecurityBeanConfig {@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}
}

创建一个搜索比较用户名密码的类

@Component
public class MyUserDetailsService implements UserDetailsService {private static final Logger logger = LoggerFactory.getLogger(MyUserDetailsService.class);@Autowiredprivate PasswordEncoder passwordEncoder;@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {return new User(username, passwordEncoder.encode("123456"), AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));}}

创建一个安全框架的配置类

//@Configuration
public class SecurityConfig extends  WebSecurityConfigurerAdapter{@Autowiredprivate AuthenticationSuccessHandler authenticationSuccessHandler;@Autowiredprivate AuthenticationFailureHandler authenticationFailureHandler;@Autowiredprivate UserDetailsService userDetailsService;@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());}@Overrideprotected void configure(HttpSecurity http) throws Exception {http.formLogin().loginPage("/authentication/require").loginProcessingUrl("/authentication/form").successHandler(authenticationSuccessHandler).failureHandler(authenticationFailureHandler).and().authorizeRequests().antMatchers("/authentication/form","/authentication/require").permitAll().anyRequest().authenticated().and().csrf().disable();}}

创建一个oauth2的配置类

@Configuration
@EnableResourceServer
@EnableAuthorizationServer//这个注解实现了认证服务器
public class SecurityTokenConfig implements ResourceServerConfigurer,AuthorizationServerConfigurer {@Autowiredprivate AuthenticationSuccessHandler authenticationSuccessHandler;@Autowiredprivate AuthenticationFailureHandler authenticationFailureHandler;@Autowiredprivate AuthenticationManager authenticationManager;@Autowiredprivate UserDetailsService userDetailsService;@Autowiredprivate TokenStore tokenStore;@Autowiredprivate JwtAccessTokenConverter jwtAccessTokenConverter;@Overridepublic void configure(AuthorizationServerSecurityConfigurer security) throws Exception {}@Overridepublic void configure(ClientDetailsServiceConfigurer clients) throws Exception {clients.inMemory().withClient("liyq").secret("liyqSecret").accessTokenValiditySeconds(7200)//单位是秒.authorizedGrantTypes("refresh_token","password")//指定授权模式.scopes("all","read","write")//这里指定了,发请求可以不带,或者在集合内;}@Overridepublic void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {endpoints.tokenStore(tokenStore).authenticationManager(authenticationManager).userDetailsService(userDetailsService);TokenEnhancerChain enhancerChain  = new  TokenEnhancerChain();List<TokenEnhancer> enhancers = new ArrayList<TokenEnhancer>();enhancers.add(jwtAccessTokenConverter);enhancerChain.setTokenEnhancers(enhancers);endpoints.tokenEnhancer(enhancerChain).accessTokenConverter(jwtAccessTokenConverter);}@Overridepublic void configure(ResourceServerSecurityConfigurer resources) throws Exception {}@Overridepublic void configure(HttpSecurity http) throws Exception {http.formLogin().loginPage("/authentication/require")//配置跳转.loginProcessingUrl("/authentication/form")//from 表单的url.successHandler(authenticationSuccessHandler).failureHandler(authenticationFailureHandler)//密码登录配置.and().authorizeRequests().antMatchers("/authentication/require","/authentication/form").permitAll().and().csrf().disable() //关闭csrf防护;}}

这里最好将ResourceServerConfigurer和WebSecurityConfigurerAdapter的实现类和并一下,
只保留一个public void configure(HttpSecurity http) 方法进行配置。

自定义URL

@RestController
public class AuthenticationController {private static final Logger logger = LoggerFactory.getLogger(AuthenticationController.class);//把当前请求缓存到session中private RequestCache RequestCache = new HttpSessionRequestCache();//这个做跳转private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();@RequestMapping("/authentication/require")public SimpleResponse requireAuthentication(HttpServletRequest request,HttpServletResponse response) throws IOException {//从session中拿到引发跳转的请求SavedRequest savedRequest = RequestCache.getRequest(request, response);if(savedRequest!=null) {String target = savedRequest.getRedirectUrl();logger.info("引发跳转的请求是:"+target);if(StringUtils.endsWithIgnoreCase(target, ".html")) {logger.debug("url:"+target);redirectStrategy.sendRedirect(request, response, target);}}return new SimpleResponse("访问的服务需要身份认证,请引导用户到登录页");}
}

再创建一个JWT的配置类

@Configuration
public class JwtTokenConfig {@Beanpublic TokenStore JwtTokeStore() {return new JwtTokenStore(jwtAccessTokenConverter());}@Beanpublic JwtAccessTokenConverter jwtAccessTokenConverter(){JwtAccessTokenConverter accessTokenConverter = new JwtAccessTokenConverter();accessTokenConverter.setSigningKey("liyq");return accessTokenConverter;}
}

还有一个成功处理器和一个失败处理器

@Component
public class MyFailureHandler implements AuthenticationFailureHandler{private static final Logger logger = LoggerFactory.getLogger(MyFailureHandler.class);private ObjectMapper objectMapper = new ObjectMapper();@Overridepublic void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,AuthenticationException exception) throws IOException, ServletException {logger.info("失败");response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());response.setContentType("application/json;charset=UTF-8");response.getWriter().write(objectMapper.writeValueAsString(new SimpleResponse(exception.getMessage())));}}
@Component
public class MySucessHandler implements AuthenticationSuccessHandler{private static final Logger logger = LoggerFactory.getLogger(MySucessHandler.class);private ObjectMapper objectMapper = new ObjectMapper();@Overridepublic void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,Authentication authentication) throws IOException, ServletException {logger.info("成功");response.setContentType("application/json;charset=UTF-8");response.getWriter().write(objectMapper.writeValueAsString(authentication));}}

最后是安全框架跨域请求的问题
一个Filter 配置到WebMvcConfigurer中,
和添加到http.addFilterBefore(myFilter, ChannelProcessingFilter.class)
忽略options请求
builder.ignoring().antMatchers(HttpMethod.OPTIONS);

再然后就是写一个rbac的权限判断方法

@Component("rbacService")
public class RbacServiceImpl implements RbacService{private AntPathMatcher antPathMatcher = new  AntPathMatcher();@Overridepublic boolean hasPermission(HttpServletRequest request, Authentication authentication) {boolean hasPermission = false;Object principe = authentication.getPrincipal();if(principe instanceof UserDetails) {String username  = ((UserDetails)principe).getUsername();//拿到用户名后可以拿到用户角色和用户所有的权限//读取用户所有的urlSet<String> urls = new HashSet<>();for(String url : urls) {if(antPathMatcher.match(url, request.getRequestURI())) {hasPermission = true;break;}}}return hasPermission;}}

添加配置

config.anyRequest().access("@rbacService.hasPermission(request,authentication)");

这篇关于自己写一个RBAC实现基于spring security的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/1117337

相关文章

JVM 的类初始化机制

前言 当你在 Java 程序中new对象时,有没有考虑过 JVM 是如何把静态的字节码(byte code)转化为运行时对象的呢,这个问题看似简单,但清楚的同学相信也不会太多,这篇文章首先介绍 JVM 类初始化的机制,然后给出几个易出错的实例来分析,帮助大家更好理解这个知识点。 JVM 将字节码转化为运行时对象分为三个阶段,分别是:loading 、Linking、initialization

Spring Security 基于表达式的权限控制

前言 spring security 3.0已经可以使用spring el表达式来控制授权,允许在表达式中使用复杂的布尔逻辑来控制访问的权限。 常见的表达式 Spring Security可用表达式对象的基类是SecurityExpressionRoot。 表达式描述hasRole([role])用户拥有制定的角色时返回true (Spring security默认会带有ROLE_前缀),去

Security OAuth2 单点登录流程

单点登录(英语:Single sign-on,缩写为 SSO),又译为单一签入,一种对于许多相互关连,但是又是各自独立的软件系统,提供访问控制的属性。当拥有这项属性时,当用户登录时,就可以获取所有系统的访问权限,不用对每个单一系统都逐一登录。这项功能通常是以轻型目录访问协议(LDAP)来实现,在服务器上会将用户信息存储到LDAP数据库中。相同的,单一注销(single sign-off)就是指

浅析Spring Security认证过程

类图 为了方便理解Spring Security认证流程,特意画了如下的类图,包含相关的核心认证类 概述 核心验证器 AuthenticationManager 该对象提供了认证方法的入口,接收一个Authentiaton对象作为参数; public interface AuthenticationManager {Authentication authenticate(Authenti

Spring Security--Architecture Overview

1 核心组件 这一节主要介绍一些在Spring Security中常见且核心的Java类,它们之间的依赖,构建起了整个框架。想要理解整个架构,最起码得对这些类眼熟。 1.1 SecurityContextHolder SecurityContextHolder用于存储安全上下文(security context)的信息。当前操作的用户是谁,该用户是否已经被认证,他拥有哪些角色权限…这些都被保

Spring Security基于数据库验证流程详解

Spring Security 校验流程图 相关解释说明(认真看哦) AbstractAuthenticationProcessingFilter 抽象类 /*** 调用 #requiresAuthentication(HttpServletRequest, HttpServletResponse) 决定是否需要进行验证操作。* 如果需要验证,则会调用 #attemptAuthentica

Spring Security 从入门到进阶系列教程

Spring Security 入门系列 《保护 Web 应用的安全》 《Spring-Security-入门(一):登录与退出》 《Spring-Security-入门(二):基于数据库验证》 《Spring-Security-入门(三):密码加密》 《Spring-Security-入门(四):自定义-Filter》 《Spring-Security-入门(五):在 Sprin

Java架构师知识体认识

源码分析 常用设计模式 Proxy代理模式Factory工厂模式Singleton单例模式Delegate委派模式Strategy策略模式Prototype原型模式Template模板模式 Spring5 beans 接口实例化代理Bean操作 Context Ioc容器设计原理及高级特性Aop设计原理Factorybean与Beanfactory Transaction 声明式事物

Java进阶13讲__第12讲_1/2

多线程、线程池 1.  线程概念 1.1  什么是线程 1.2  线程的好处 2.   创建线程的三种方式 注意事项 2.1  继承Thread类 2.1.1 认识  2.1.2  编码实现  package cn.hdc.oop10.Thread;import org.slf4j.Logger;import org.slf4j.LoggerFactory

hdu1043(八数码问题,广搜 + hash(实现状态压缩) )

利用康拓展开将一个排列映射成一个自然数,然后就变成了普通的广搜题。 #include<iostream>#include<algorithm>#include<string>#include<stack>#include<queue>#include<map>#include<stdio.h>#include<stdlib.h>#include<ctype.h>#inclu