Access control
Add the following annotations to the Spring Security configuration class (prePostEnabled turns on @PreAuthorize/@PostAuthorize method security):

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {
        ...
    }
In UserDetailService we granted every logged-in user the admin authority. Let's rework that code so that the "admin" authority is granted only when the logged-in user is admin, and every other user holds only the "test" authority:
    import java.util.List;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.AuthorityUtils;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    public class UserDetailService implements UserDetailsService {

        @Autowired
        private PasswordEncoder passwordEncoder;

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            // Simulate a user instead of loading one from the database
            MyUser user = new MyUser();
            user.setUserName(username);
            user.setPassword(this.passwordEncoder.encode("123456"));
            // Print the encoded password (debug output only)
            System.out.println(user.getPassword());

            // Only the "admin" user gets the "admin" authority; everyone else gets "test"
            List<GrantedAuthority> authorities;
            if ("admin".equalsIgnoreCase(username)) {
                authorities = AuthorityUtils.commaSeparatedStringToAuthorityList("admin");
            } else {
                authorities = AuthorityUtils.commaSeparatedStringToAuthorityList("test");
            }
            return new User(username, user.getPassword(), user.isEnabled(),
                    user.isAccountNonExpired(), user.isCredentialsNonExpired(),
                    user.isAccountNonLocked(), authorities);
        }
    }
Add a controller method and mark it with an authorization annotation so that only users holding the "admin" authority can access it:
    @GetMapping("/auth/admin")
    @PreAuthorize("hasAuthority('admin')")
    public String authenticationTest() {
        return "您拥有admin权限,可以查看";
    }
We can define a custom access-denied handler to control what happens when a user lacks the required authority. Add a handler, MyAuthenticationAccessDeniedHandler, that implements the AccessDeniedHandler interface:
    import java.io.IOException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.http.HttpStatus;
    import org.springframework.security.access.AccessDeniedException;
    import org.springframework.security.web.access.AccessDeniedHandler;
    import org.springframework.stereotype.Component;

    @Component
    public class MyAuthenticationAccessDeniedHandler implements AccessDeniedHandler {

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException accessDeniedException) throws IOException {
            // 403 Forbidden is the correct status for an authenticated user who lacks the authority
            response.setStatus(HttpStatus.FORBIDDEN.value());
            response.setContentType("application/json;charset=utf-8");
            response.getWriter().write("很抱歉,您没有该访问权限");
        }
    }
Then register the handler in the Spring Security configuration chain (inject it into BrowserSecurityConfig and pass it to exceptionHandling()):
    @Autowired
    private MyAuthenticationAccessDeniedHandler authenticationAccessDeniedHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling()
                .accessDeniedHandler(authenticationAccessDeniedHandler)
                .and()
                // ...... (rest of the existing configuration)
    }
Before the handler is configured:

After the handler is configured:
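As an added example (not part of the original post), a Spring Boot test that checks the three pieces above together: the authority assignment in UserDetailService, the @PreAuthorize check on /auth/admin, and the custom AccessDeniedHandler. It assumes spring-boot-starter-test and spring-security-test are on the classpath and that the endpoint lives in a @RestController; the username "alice" is a constructed sample.

```java
import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import java.util.List;
import java.util.stream.Collectors;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class AuthorityControlTest {
    @Autowired
    private MockMvc mockMvc;
    @Autowired
    private UserDetailService userDetailService; // the UserDetailsService bean from the post

    private List<String> authoritiesOf(String username) {
        return userDetailService.loadUserByUsername(username).getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).collect(Collectors.toList());
    }

    // Only the user literally named "admin" is granted the "admin" authority.
    @Test
    void onlyAdminReceivesAdminAuthority() {
        assertThat(authoritiesOf("admin")).containsExactly("admin");
        assertThat(authoritiesOf("alice")).containsExactly("test"); // "alice" is a constructed sample
    }

    // A principal holding "admin" passes @PreAuthorize("hasAuthority('admin')").
    @Test
    @WithMockUser(username = "admin", authorities = "admin")
    void adminCanReachProtectedEndpoint() throws Exception {
        mockMvc.perform(get("/auth/admin")).andExpect(status().isOk())
                .andExpect(content().string("您拥有admin权限,可以查看"));
    }

    // A principal holding only "test" is denied and the custom AccessDeniedHandler
    // writes its message (with whatever status code that handler sets).
    @Test
    @WithMockUser(username = "alice", authorities = "test")
    void testUserIsDenied() throws Exception {
        mockMvc.perform(get("/auth/admin"))
                .andExpect(content().string("很抱歉,您没有该访问权限"));
    }
}
```

Note that hasAuthority('admin') matches the plain string granted above; hasRole('admin') would look for "ROLE_admin" instead and deny the admin user.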