spring-security–基础–4.4–案例:资源权限访问
代码位置
https://gitee.com/DanShenGuiZu/learnDemo/tree/master/spring-security-learn
1、授权
1.1、调用accessDecisionManager进行授权决策
1.2、方式
- web授权
- 通过url拦截进行授权
- 拦截器为FilterSecurityInterceptor
- 方法授权
- 通过方法拦截进行授权
- 拦截器为MethodSecurityInterceptor
- 同时通过web授权和方法授权
- 先执行web授权,再执行方法授权,最后决策通过则允许访问资源,否则将禁止访问
2、查询数据库用户权限完成授权
2.1、代码结构
2.2、数据库
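-- FK checks are switched off for this load; note that the schema below declares no
-- FOREIGN KEY at all, so the database never enforces user_authorize.user_id -> user.id.
SET FOREIGN_KEY_CHECKS=0;

-- Account table. password holds a bcrypt hash (the seed rows start with $2a$10$),
-- never a clear-text password. user_name carries no UNIQUE constraint: a duplicated
-- name makes UserDao.getUserByUsername() return null (it accepts exactly one row).
DROP TABLE IF EXISTS user;
CREATE TABLE user(
id bigint(12)NOT NULL AUTO_INCREMENT COMMENT '主键id',
user_name varchar(250)DEFAULT NULL COMMENT '名称',
password varchar(250)DEFAULT NULL COMMENT '密码',
PRIMARY KEY(id)
)ENGINE=InnoDB AUTO_INCREMENT=512794071417499657 DEFAULT CHARSET=utf8 COMMENT='用户表';
-- seed accounts: ids and hashes exactly as shipped with the sample
INSERT INTO user VALUES('1', 'user', '$2a$10$82imG0H/aJzplJsDlOsjheLRN60AGS.hH7E4kNRB/cQmgbbvD6ig6');
INSERT INTO user VALUES('6', 'admin', '$2a$10$R3sj4vOOa11CApJmGwTm7u5AhGFUToRYL3jhhW1hkmLqPts43hdhS');

-- One row per (user, authority code). authorize_code is handed to Spring Security
-- unchanged as a GrantedAuthority string (see SpringDataUserDetailsService).
DROP TABLE IF EXISTS user_authorize;
CREATE TABLE user_authorize(
id bigint(12)NOT NULL AUTO_INCREMENT COMMENT '主键id',
user_id bigint(250)DEFAULT NULL COMMENT '用户id',
authorize_code varchar(250)DEFAULT NULL COMMENT '权限码',
PRIMARY KEY(id)
)ENGINE=InnoDB AUTO_INCREMENT=512794071417499659 DEFAULT CHARSET=utf8 COMMENT='用户权限表';
-- seed grants: user 1 -> p2, user 6 (admin) -> p1
INSERT INTO user_authorize VALUES('1', '1', 'p2');
INSERT INTO user_authorize VALUES('2', '6', 'p1');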
2.3、核心代码
UserAuthorizeBean
/**
 * One row of the {@code user_authorize} table: a single authority code granted to a user.
 * Lombok's {@code @Data} generates the accessors (and equals/hashCode/toString);
 * UserDao fills instances through {@code BeanPropertyRowMapper}.
 */
@Data
public class UserAuthorizeBean {
// primary key of user_authorize
private Long id;
// the owning user.id; the DDL on this page declares no foreign key for it
private Long userId;
// authority string as stored (e.g. "p1"/"p2"); passed to Spring Security unchanged
private String authorizeCode;
}
UserDao
/**
 * JDBC access to the {@code user} and {@code user_authorize} tables.
 * Both statements bind their argument through a {@code ?} placeholder, so the
 * caller-supplied username / id is never concatenated into the SQL text.
 */
@Repository
public class UserDao {
    @Autowired
    JdbcTemplate jdbcTemplate;

    /**
     * Looks up an account by its name.
     *
     * @param username value matched against {@code user_name}
     * @return the single matching {@code UserBean}; {@code null} when no row, or
     *         more than one row, matches (only an exact single hit is accepted)
     */
    public UserBean getUserByUsername(String username){
        String sql = "select * from user where user_name = ?";
        Object[] args = { username };
        List<UserBean> rows = jdbcTemplate.query(sql, args, new BeanPropertyRowMapper<>(UserBean.class));
        // ambiguous (duplicate user_name) or empty results are both reported as "not found"
        boolean singleHit = rows != null && rows.size() == 1;
        return singleHit ? rows.get(0) : null;
    }

    /**
     * Loads the authority codes granted to a user.
     *
     * @param userId the {@code user.id} to look up
     * @return every matching {@code authorize_code}, in query order; empty when none
     */
    public List<String> getAuthorize(Long userId){
        String sql = "SELECT * FROM user_authorize WHERE user_id =?";
        Object[] args = { userId };
        List<UserAuthorizeBean> rows = jdbcTemplate.query(sql, args, new BeanPropertyRowMapper<>(UserAuthorizeBean.class));
        List<String> codes = new ArrayList<>(rows.size());
        for (UserAuthorizeBean row : rows) {
            codes.add(row.getAuthorizeCode());
        }
        return codes;
    }
}
SpringDataUserDetailsService
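/**
 * {@link UserDetailsService} backed by the {@code user} / {@code user_authorize} tables via {@link UserDao}.
 * {@code @Service} registers it as a bean; Spring Security's authentication provider picks it up by type.
 */
@Service
public class SpringDataUserDetailsService implements UserDetailsService {
    @Autowired
    UserDao userDao;

    /**
     * Loads the account and its authorities for the given account name.
     *
     * @param username the account name submitted at login
     * @return a {@link UserDetails} carrying the stored password hash (the seed data uses bcrypt)
     *         and the user's {@code authorize_code} values as authorities
     * @throws UsernameNotFoundException when no single user row matches; the interface
     *         requires this exception instead of a {@code null} return
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserBean bean = userDao.getUserByUsername(username);
        if (bean == null) {
            // A null return violates the UserDetailsService contract; Spring's provider
            // reports that as an internal error rather than as a failed login.
            throw new UsernameNotFoundException("user not found: " + username);
        }
        List<String> authorize = userDao.getAuthorize(bean.getId());
        // the password column already holds the hash, so it is passed through unchanged
        return User.withUsername(bean.getUserName())
                .password(bean.getPassword())
                .authorities(authorize.toArray(new String[0]))
                .build();
    }
}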
3、web授权
- 就是对WebSecurityConfigurerAdapter的configure方法进行配置
- 是对url的拦截
4、方法授权
- @PreAuthorize:方法调用前进行权限检查
- @PostAuthorize:方法调用后进行权限检查
- @Secured:权限控制
- @EnableGlobalMethodSecurity:启用基于注解的安全性。
4.1、案例
4.1.1、代码结构
4.1.2、核心注解