Spring Security 基于表达式的权限控制

前言

spring security 3.0已经可以使用spring el表达式来控制授权，允许在表达式中使用复杂的布尔逻辑来控制访问的权限。

常见的表达式

Spring Security可用表达式对象的基类是SecurityExpressionRoot。

部分代码：

......
private String defaultRolePrefix = "ROLE_"; //ROLE_前缀/** Allows "permitAll" expression */public final boolean permitAll = true; //全部true/** Allows "denyAll" expression */public final boolean denyAll = false; //全部false
public final boolean permitAll() {return true;}public final boolean denyAll() {return false;}public final boolean isAnonymous() {//是否是anonymousreturn trustResolver.isAnonymous(authentication);}public final boolean isRememberMe() {//是否是remembermereturn trustResolver.isRememberMe(authentication);}
......

URL安全表达式

onfig.antMatchers("/person/*").access("hasRole('ADMIN') or hasRole('USER')").anyRequest().authenticated();

这里我们定义了应用/person/*URL的范围，该URL只针对拥有ADMIN或者USER权限的用户有效。

在Web安全表达式中引用bean

config.antMatchers("/person/*").access("hasRole('ADMIN') or hasRole('USER')").antMatchers("/person/{id}").access("@rbacService.checkUserId(authentication,#id)").anyRequest().access("@rbacService.hasPermission(request,authentication)");

RbacServiceImpl

@Component("rbacService")
@Slf4j
public class RbacServiceImpl implements RbacService {/*** uri匹配工具*/private AntPathMatcher antPathMatcher = new AntPathMatcher();@Overridepublic boolean hasPermission(HttpServletRequest request, Authentication authentication) {log.info("【RbacServiceImpl】  --hasPermission={}", authentication.getPrincipal());Object principal = authentication.getPrincipal();boolean hasPermission = false;//有可能是匿名的anonymousif (principal instanceof SysUser) {//admin永远放回trueif (StringUtils.equals("admin", ((SysUser) principal).getUsername())) {hasPermission = true;} else {//读取用户所拥有权限所有的URL 在这里全部返回trueSet<String> urls = new HashSet<>();for (String url : urls) {if (antPathMatcher.match(url, request.getRequestURI())) {hasPermission = true;break;}}}}return hasPermission;}public boolean checkUserId(Authentication authentication, int id) {return true;}
}

效果如下：

Method安全表达式

针对方法级别的访问控制比较复杂，Spring Security提供了四种注解，分别是@PreAuthorize , @PreFilter , @PostAuthorize 和 @PostFilter

使用method注解

1. 开启方法级别注解的配置

   @Configuration
   @EnableGlobalMethodSecurity(prePostEnabled = true)
   public class MerryyouSecurityConfig extends WebSecurityConfigurerAdapter {
   

2. 配置相应的bean

    @Bean@Overridepublic AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean();}@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());}@Bean@ConditionalOnMissingBean(PasswordEncoder.class)public PasswordEncoder passwordEncoder(){return new BCryptPasswordEncoder();}
   

3. 在方法上面使用注解

   /**
   * 查询所有人员 
   */ 
   @PreAuthorize(“hasRole(‘ADMIN’)”) 
   @ApiOperation(value = “获得person列表”, notes = “”) 
   @GetMapping(value = “/persons”) 
   public List getPersons() { return personService.findAll(); 
   } 

PreAuthorize

@PreAuthorize 注解适合进入方法前的权限验证

@PreAuthorize("hasRole('ADMIN')")List<Person> findAll();

PostAuthorize

@PostAuthorize 在方法执行后再进行权限验证,适合验证带有返回值的权限。Spring EL 提供 返回对象能够在表达式语言中获取返回的对象return Object。

@PostAuthorize("returnObject.name == authentication.name")Person findOne(Integer id);

PreFilter 针对参数进行过滤

//当有多个对象是使用filterTarget进行标注
@PreFilter(filterTarget="ids", value="filterObject%2==0")
public void delete(List<Integer> ids, List<String> usernames) {...}

PostFilter 针对返回结果进行过滤

 @PreAuthorize("hasRole('ADMIN')")@PostFilter("filterObject.name == authentication.name")List<Person> findAll();

效果如下：