springboot+security实现权限认证
Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。
它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。
它是一个轻量级的安全框架,它确保基于Spring的应用程序提供身份验证和授权支持。
它与Spring MVC有很好地集成,并配备了流行的安全算法实现捆绑在一起。
安全主要包括两个操作“认证”与“验证”(有时候也会叫做权限控制)。
“认证”是为用户建立一个其声明的角色的过程,这个角色可以是一个用户、一个设备或者一个系统。“验证”指的是一个用户在你的应用中能够执行某个操作。在到达授权判断之前,角色已经在身份认证过程中建立了。
实现WebSecurityConfigurerAdapter
Spring Security的核心配置类是 WebSecurityConfigurerAdapter,抽象类
这是权限管理启动的入口,这里我们自定义一个实现类去它。然后编写我们需要处理的控制逻辑。
下面是代码,里面写的注释也比较详细。在里面还依赖了几个自定义的类,都是必须配置的。分别是
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) //全局
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private HrService hrService; //实现了UserDetailsService接口
@Autowired
private MyFilterInvocationSecurityMetadataSource filterMetadataSource; //权限过滤器(当前url所需要的访问权限)
@Autowired
private MyAccessDecisionManager myAccessDecisionManager;//权限决策器
@Autowired
private MyAccessDeniedHandler deniedHandler;//自定义错误(403)返回数据
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(hrService)
.passwordEncoder(new BCryptPasswordEncoder());
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/index.html", "/static/**", "/login_p", "/favicon.ico")
// 给 swagger 放行;不需要权限能访问的资源
.antMatchers("/swagger-ui.html", "/swagger-resources/**", "/images/**", "/webjars/**", "/v2/api-docs", "/configuration/ui", "/configuration/security");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
@Override
public <O extends FilterSecurityInterceptor> O postProcess(O o) {
o.setSecurityMetadataSource(filterMetadataSource);
o.setAccessDecisionManager(myAccessDecisionManager);
return o;
}
})
.and()
.formLogin().loginPage("/login_p").loginProcessingUrl("/login")
.usernameParameter("username").passwordParameter("password")
.failureHandler(new MyAuthenticationFailureHandler())
.successHandler(new MyAuthenticationSuccessHandler())
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(new MyLogoutSuccessHandler())
.permitAll()
.and().csrf().disable()
.exceptionHandling().accessDeniedHandler(deniedHandler);
}
}
1.HrService实现UserDetailsService接口中的登录方法。
HrService实现了UserDetailsService接口中的loadUserByUsername方法,方法执行成功后返回UserDetails对象,为构建Authentication对象提供必须的信息。UserDetails中包含了用户名,密码,角色等信息
@Service
@Transactional
public class HrService implements UserDetailsService {
@Autowired
private HrMapper hrMapper;
@Override
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
/**
* @Author: Galen
* @Description: 查询数据库,获取登录的用户信息
**/
Hr hr = hrMapper.loadUserByUsername(s);
if (hr == null) {
throw new UsernameNotFoundException("用户名不对");
}
return hr;
}
}
2.实现FilterInvocationSecurityMetadataSource
自定义权限过滤器,继承了 SecurityMetadataSource(权限资源接口),过滤所有请求,核查这个请求需要的访问权限;主要实现Collection<ConfigAttribute> getAttributes(Object o)
方法,此方法中可编写用户逻辑,根据用户预先设定的用户权限列表,返回访问此url需要的权限列表。
@Component
public class MyFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
@Autowired
private MenuService menuService;
private AntPathMatcher antPathMatcher = new AntPathMatcher();
private static final Logger log = LoggerFactory.getLogger(MyFilterInvocationSecurityMetadataSource.class);
@Override
public Collection<ConfigAttribute> getAttributes(Object o) {
String requestUrl = ((FilterInvocation) o).getRequestUrl();
//去数据库查询资源
List<Menu> allMenu = menuService.getAllMenu();
for (Menu menu : allMenu) {
if (antPathMatcher.match(menu.getUrl(), requestUrl)
&& menu.getRoles().size() > 0) {
List<Role> roles = menu.getRoles();
int size = roles.size();
String[] values = new String[size];
for (int i = 0; i < size; i++) {
values[i] = roles.get(i).getName();
}
log.info("当前访问路径是{},这个url所需要的访问权限是{}", requestUrl, values);
return SecurityConfig.createList(values);
}
}
log.info("当前访问路径是{},这个url所需要的访问权限是{}", requestUrl, "ROLE_LOGIN");
return SecurityConfig.createList("ROLE_LOGIN");
}
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}
@Override
public boolean supports(Class<?> aClass) {
return FilterInvocation.class.isAssignableFrom(aClass);
}
}
3.MyAccessDecisionManager
自定义权限决策管理器,需要实现AccessDecisionManager 的 void decide(Authentication auth, Object object, Collection<ConfigAttribute> cas)
方法,在上面的过滤器中,我们已经得到了访问此url需要的权限;那么,decide方法,先查询此用户当前拥有的权限,然后与上面过滤器核查出来的权限列表作对比,以此判断此用户是否具有这个访问权限,决定去留!所以顾名思义为权限决策器。
@Component
public class MyAccessDecisionManager implements AccessDecisionManager {
@Override
public void decide(Authentication auth, Object object, Collection<ConfigAttribute> cas) {
Iterator<ConfigAttribute> iterator = cas.iterator();
while (iterator.hasNext()) {
if (auth == null) {
throw new AccessDeniedException("当前访问没有权限");
}
ConfigAttribute ca = iterator.next();
//当前请求需要的权限
String needRole = ca.getAttribute();
if ("ROLE_LOGIN".equals(needRole)) {
if (auth instanceof AnonymousAuthenticationToken) {
throw new BadCredentialsException("未登录");
} else
return;
}
//当前用户所具有的权限
Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
for (GrantedAuthority authority : authorities) {
if (authority.getAuthority().equals(needRole)) {
return;
}
}
}
throw new AccessDeniedException("权限不足!");
}
@Override
public boolean supports(ConfigAttribute configAttribute) {
return true;
}
@Override
public boolean supports(Class<?> aClass) {
return true;
}
}
决定当前用户的去留,然后不同的逻辑启用不同的处理器。
MyAccessDeniedHandler;MyAuthenticationFailureHandler;MyAuthenticationSuccessHandler;MyLogoutSuccessHandler
之所以一起描述这几个类,因为这几个都是处理器。根据类名也很容易看得出,分别是拒签(403响应)处理器,认证失败处理器,认证成功处理器,注销成功处理器。通过上面的用户认证接口(UserDetails),过滤器,决策器;我们已经成功处理了权限的认证,决定当前用户的去留,然后不同的逻辑启用不同的处理器。
public class MyAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest httpServletRequest, HttpServletResponse resp,
AccessDeniedException e) throws IOException {
resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
resp.setContentType("application/json;charset=UTF-8");
PrintWriter out = resp.getWriter();
RespBean error = RespBean.error("权限不足,请联系管理员!");
out.write(new ObjectMapper().writeValueAsString(error));
out.flush();
out.close();
}
}
/*****************************************************************************************/
public class MyAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
response.setContentType("application/json;charset=utf-8");
RespBean respBean;
if (exception instanceof BadCredentialsException ||
exception instanceof UsernameNotFoundException) {
respBean = RespBean.error("账户名或者密码输入错误!");
} else if (exception instanceof LockedException) {
respBean = RespBean.error("账户被锁定,请联系管理员!");
} else if (exception instanceof CredentialsExpiredException) {
respBean = RespBean.error("密码过期,请联系管理员!");
} else if (exception instanceof AccountExpiredException) {
respBean = RespBean.error("账户过期,请联系管理员!");
} else if (exception instanceof DisabledException) {
respBean = RespBean.error("账户被禁用,请联系管理员!");
} else {
respBean = RespBean.error("登录失败!");
}
response.setStatus(401);
new GalenWebMvcWrite().writeToWeb(response, respBean);
}
}
/*****************************************************************************************/
public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
response.setContentType("application/json;charset=utf-8");
RespBean respBean = RespBean.ok("登录成功!", HrUtils.getCurrentHr());
new GalenWebMvcWrite().writeToWeb(response, respBean);
System.out.println("登录成功!");
}
}
/*****************************************************************************************/
public class MyLogoutSuccessHandler implements LogoutSuccessHandler {
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
response.setContentType("application/json;charset=utf-8");
RespBean respBean = RespBean.ok("注销成功!");
new GalenWebMvcWrite().writeToWeb(response, respBean);
System.out.println("注销成功!");
}
}
项目结构一览
分布式系统中,采用redis做共享会话,解决共享会话的问题
spring security将sessionId放在header里,用户登陆后,如何通过sessionId保证已经登陆呢
解决办法如下:
@Configuration
//maxInactiveIntervalInSeconds session超时时间,单位秒
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 600)
public class RedisSessionConfig {
//这里有个小坑,如果服务器用的是云服务器,不加这个会报错
@Bean
public static ConfigureRedisAction configureRedisAction() {
return ConfigureRedisAction.NO_OP;
}
//session策略,这里配置的是Header方式(有提供Header,Cookie等方式)
@Bean
public HttpSessionStrategy httpSessionStrategy() {
return new HeaderHttpSessionStrategy();
}
}
从代码中,关键是HeaderHttpSessionStrategy,该代码定义了如果sessionId存在header里,且key为x-auth-token,就能保证调用的正确性