默认数据库模型的认证与授权
项目结构如下
- WebSecurityConfig
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin/api/**").hasAnyRole("ADMIN")
.antMatchers("/user/api/**").hasAnyRole("USER")
.antMatchers("/app/api/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin();
}
}
- AdminController,只有管理员才能访问
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("/admin/api")
public class AdminController {
@GetMapping("/hello")
public String hello() {
return "admin hello";
}
}
- AppController,任何人都能访问
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("/app/api")
public class AppController {
@GetMapping("/hello")
public String hello() {
return "app hello";
}
}
- UserController,登录用户才能访问
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("/user/api")
public class UserController {
@GetMapping("/hello")
public String hello() {
return "user hello";
}
}
启动,浏览器访问http://127.0.0.1:8080/app/api/hello、http://127.0.0.1:8080/user/api/hello、http://127.0.0.1:8080/admin/api/hello
此时发现只能访问http://127.0.0.1:8080/app/api/hello,由于没有设置用户角色,所有/admin、/user都无法访问,我们需要设置用户角色
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@Configuration
public class BeanConfiguration {
@Bean
public UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("admin")
.password(passwordEncoder.encode("admin")).roles("ADMIN", "USER").build());
manager.createUser(User.withUsername("user")
.password(passwordEncoder.encode("user")).roles("USER").build());
return manager;
}
@Bean
public PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
}
只需要注入一个UserDetailsService就行。
此时发现admin登录可以访问所有,user登录无法访问/admin/api/hello
使用默认数据库模型的认证与授权
- 添加依赖,这里使用的是postgresql数据库
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
<version>2.1.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<version>42.2.10</version>
</dependency>
- application.yml配置数据源
spring:
datasource:
url: jdbc:postgresql://127.0.0.1:5432/postgres
driver-class-name: org.postgresql.Driver
username: postgres
password: 123456
- 数据库建表
create table users(
username varchar(50) unique not null primary key,
password varchar(64) not null,
enabled boolean not null
);
create table authorities(
username varchar(50) unique not null,
authority varchar(50) not null,
constraint fk_u_a foreign key(username) references users(username)
);
- UserDetailsService更新,记得判断用户名是否存在
@Bean
public UserDetailsService userDetailsService(DataSource dataSource, PasswordEncoder passwordEncoder) {
JdbcUserDetailsManager manager = new JdbcUserDetailsManager();
manager.setDataSource(dataSource);
if (!manager.userExists("user")) {
manager.createUser(User.withUsername("user")
.password(passwordEncoder.encode("user")).roles("USER").build());
}
if (!manager.userExists("admin")) {
manager.createUser(User.withUsername("admin")
.password(passwordEncoder.encode("admin")).roles("ADMIN", "USER").build());
}
return manager;
}
启动,发现刚创建的表中的了几条数据
自定义数据库模型的认证与授权
使用默认的数据库模型的认证与授权时,灵活性欠佳,所以我们需要自定义数据库模型的认证与授权,简单说就是实现自己的UserDetailsService就行。这里使用的是JPA去操作数据库
- 创建用户表,并添加数据,密码为123456
create table users(
id varchar(32) not null primary key,
username varchar(50) unique not null,
password varchar(64) not null,
enable boolean not null,
roles varchar(255) not null
);
insert into users(id, username, password, enable, roles) values('1', 'admin', 'admin', true, 'ROLE_ADMIN, ROLE_USER');
insert into users(id, username, password, enable, roles) values('2', 'user', 'user', true, 'ROLE_USER');create table users(
id varchar(32) not null primary key,
username varchar(50) unique not null,
password varchar(64) not null,
enabled boolean not null,
roles varchar(255) not null
);
insert into users(id, username, password, enabled, roles) values('1', 'admin', '$2a$10$P8TZBQfcU6Yx6JsRu1Vmtu23tSIVyu9vNLI5dGpGpoT6fzvNy1YR.', true, 'ROLE_ADMIN, ROLE_USER');
insert into users(id, username, password, enabled, roles) values('2', 'user', '$2a$10$P8TZBQfcU6Yx6JsRu1Vmtu23tSIVyu9vNLI5dGpGpoT6fzvNy1YR.', true, 'ROLE_USER');
这里将用户和角色合成一张表了,roles代表多个角色,用","分开,这里只是一个简单的demo,所有字段类型就使用varchar了。
- 添加JPA的依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
<version>2.1.0.RELEASE</version>
</dependency>
- 添加JPA的配置
spring:
datasource:
url: jdbc:postgresql://127.0.0.1:5432/postgres
driver-class-name: org.postgresql.Driver
username: postgres
password: 123456
jpa:
show-sql: true
hibernate:
ddl-auto: none
properties:
hibernate:
temp:
use_jdbc_metadata_defaults: false
- 添加Users实体,实现UserDetails,这里使用了lombok,使用@Data就不用谢getter、setter了
import lombok.Data;
import org.hibernate.annotations.GenericGenerator;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import javax.persistence.*;
import java.io.Serializable;
import java.util.Collection;
import java.util.List;
@Data
@Entity
@Table(name = "users")
public class User implements Serializable, UserDetails {
@Id
@Column(name = "id", length = 32)
@GenericGenerator(name = "generator", strategy = "uuid")
@GeneratedValue(generator = "generator")
private String id;
@Column(name = "username", length = 50)
private String username;
@Column(name = "password", length = 64)
private String password;
@Column(name = "enabled")
private Boolean enabled;
@Column(name = "roles")
private String roles;
@Transient
private List<GrantedAuthority> authorities;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return this.authorities;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return this.enabled;
}
}
isAccountNonExpired、isAccountNonLocked、isCredentialsNonExpired暂时用不到,统一返回true
isEnabled返回enabled字段值
getAuthorities,后面再做详细说明
- UserRepository,这里使用的是jpa,基本上不用写SQL语句
import com.demo.entity.User;
import org.springframework.data.jpa.repository.JpaRepository;
public interface UserRepository extends JpaRepository<User, String> {
/**
* 根据用户名查询
* @param username 用户名
* @return 数据库查询结果,为查询到返回null
*/
User findByUsername(String username);
}
- 实现自己的UserDetailService,之前的UserDetailService就可以注释掉了
import com.demo.entity.User;
import com.demo.repository.UserRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
@Service
public class MyUserDetailService implements UserDetailsService {
@Autowired
private UserRepository userRepository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// 数据库查询
User user = userRepository.findByUsername(username);
if (user == null) {
throw new NullPointerException("该用户不存在:" + username);
}
// 解析权限集合
user.setAuthorities(AuthorityUtils.commaSeparatedStringToAuthorityList(user.getRoles()));
return user;
}
}
浏览器再次访问,http://127.0.0.1:8080/app/api/hello、http://127.0.0.1:8080/user/api/hello、http://127.0.0.1:8080/admin/api/hello,看结果