Spring Boot Integration with Spring Security, Supplement (1): Custom Permission Management

Spring Security environment

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <optional>true</optional>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>

    <!-- Spring Security framework -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <!-- Redis dependency -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-redis</artifactId>
    </dependency>
    <!-- JWT (JSON Web Token) login support -->
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.9.1</version>
    </dependency>
    <!-- Hutool Java utility library -->
    <dependency>
        <groupId>cn.hutool</groupId>
        <artifactId>hutool-all</artifactId>
        <version>5.8.0</version>
    </dependency>

    <!-- mybatis-plus -->
    <dependency>
        <groupId>com.baomidou</groupId>
        <artifactId>mybatis-plus-boot-starter</artifactId>
        <version>3.5.1</version>
    </dependency>
    <!-- mybatis-plus-generator -->
    <dependency>
        <groupId>com.baomidou</groupId>
        <artifactId>mybatis-plus-generator</artifactId>
        <version>3.5.2</version>
    </dependency>
    <!-- Velocity template engine, used by mybatis-plus -->
    <dependency>
        <groupId>org.apache.velocity</groupId>
        <artifactId>velocity-engine-core</artifactId>
        <version>2.3</version>
    </dependency>
    <!-- MySQL database driver -->
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.29</version>
    </dependency>
    <!-- Druid connection pool integration -->
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>druid-spring-boot-starter</artifactId>
        <version>1.2.9</version>
    </dependency>
    <!-- Jackson does not serialize/deserialize Java 8 LocalDateTime by default -->
    <dependency>
        <groupId>com.fasterxml.jackson.datatype</groupId>
        <artifactId>jackson-datatype-jsr310</artifactId>
        <version>2.13.0</version>
    </dependency>
</dependencies>

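2. Custom permission management

This mainly involves FilterInvocationSecurityMetadataSource, AccessDecisionManager and FilterSecurityInterceptor.

2.1. FilterInvocationSecurityMetadataSource

The permission resource lookup class. It returns the permissions required to access the requested path; the main method is getAttributes().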

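import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.stereotype.Component;

@Component
public class MyFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        // Only simple handling is done here.
        // The permissions required to access the path could be loaded from a database.
        // Here it is hard-coded: every path requires ROLE_ADMIN.
        List<ConfigAttribute> list = new ArrayList<>();
        list.add(new ConfigAttribute() {
            @Override
            public String getAttribute() {
                return "ROLE_ADMIN";
            }
        });
        return list;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        // null means the full attribute set is not exposed for startup validation
        return null;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}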

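2.2. AccessDecisionManager

The access decision manager class. It determines whether the current user's permissions are among the permissions required for the requested path.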

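import java.util.Collection;
import java.util.Iterator;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

@Component
public class MyAccessDecisionManager implements AccessDecisionManager {
    @Override
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
        // If the requested resource requires no permission, let the request through
        if(configAttributes == null || configAttributes.size() <= 0) {
            return;
        }

        // Allow the request if the user holds one of the permissions the resource requires; otherwise block it
        Iterator<ConfigAttribute> iter = configAttributes.iterator();
        while(iter.hasNext()) {
            String needRole = iter.next().getAttribute();
            for(GrantedAuthority grantRole : authentication.getAuthorities()) {
                if(needRole.trim().equals(grantRole.getAuthority().trim())) {
                    return;
                }
            }
        }
        throw new AccessDeniedException("no privilege");
    }

    // The interface also declares both supports() methods; accept every attribute and secure object type
    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}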

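2.3. FilterSecurityInterceptor

The permission interceptor class. This is the class that has to be configured; the two classes above need to be injected into it.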
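
The wiring described in 2.3, as an added example that is not from the original article: an ObjectPostProcessor replaces the default metadata source and decision manager on the FilterSecurityInterceptor with the two beans above. It assumes Spring Security 5.4 or later in the 5.x line; the class name CustomAuthorizationConfig is hypothetical, and the authentication side (for example a JWT filter) is left out.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;

// Added example; assumes Spring Security 5.4+ (5.x). Class name is hypothetical.
@Configuration
public class CustomAuthorizationConfig {

    private final MyFilterInvocationSecurityMetadataSource metadataSource;
    private final MyAccessDecisionManager decisionManager;

    // Constructor injection of the two @Component classes from sections 2.1 and 2.2
    public CustomAuthorizationConfig(MyFilterInvocationSecurityMetadataSource metadataSource,
                                     MyAccessDecisionManager decisionManager) {
        this.metadataSource = metadataSource;
        this.decisionManager = decisionManager;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // The configurer requires at least one mapping before it will
            // build the FilterSecurityInterceptor.
            .anyRequest().authenticated()
            .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
                @Override
                public <O extends FilterSecurityInterceptor> O postProcess(O interceptor) {
                    // Swap in the custom lookup and decision logic
                    interceptor.setSecurityMetadataSource(metadataSource);
                    interceptor.setAccessDecisionManager(decisionManager);
                    return interceptor;
                }
            });
        // Authentication (e.g. a JWT filter) is not configured in this sketch.
        return http.build();
    }
}
```

Once the metadata source is replaced, the anyRequest().authenticated() rule no longer decides anything: every request is checked against what getAttributes() returns. A path for which getAttributes() returns null or an empty collection is treated as public by the interceptor, so a database-backed lookup should return a required permission for unknown paths rather than nothing.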