说完了认证,就该说授权了。毕竟 Spring Security 主要的两个功能就是认证和授权。一般授权都会基于数据库实现动态 URL 权限,当然你也可以用注解(注意启动类要加上对应的开启注解),直接写在 WebSecurityConfig 中(一定要注意:基于权限和基于角色(RBAC)不是一回事。PS:基于角色的时候,角色的统一命名规则是 ROLE_XXX),这里就只介绍动态的了。
动态的做法是:自己写一个实现 FilterInvocationSecurityMetadataSource 接口的类,在它的 getAttributes 方法中拿到当前请求的 URL(`String requestUrl = ((FilterInvocation) o).getRequestUrl();` 就是这么获取 URL 的),查出访问该 URL 需要的角色/权限,然后返回一个 Collection。
然后很明显就需要另一个类来判断是否有权限。这个类实现AccessDecisionManager。
下面是数据库的建表思路(其实怎么建表都行,看个人)
下面是 AccessDecisionManager 和 FilterInvocationSecurityMetadataSource 的实现代码
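@Component
public class CustomizeFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
    AntPathMatcher antPathMatcher = new AntPathMatcher();
    @Autowired
    SysPermissionService sysPermissionService;

    /**
     * Looks up the permission codes required to access the requested URL.
     *
     * @param o the secured object; only {@link FilterInvocation} is handled here
     * @return the permission codes configured for the request URL, or {@code null} when
     *         none are configured. NOTE(review): a {@code null} result is treated by the
     *         security interceptor as "no restriction" unless it is configured to reject
     *         public invocations, so any URL missing from the permission table is reachable
     *         by anyone (fail-open); keep the table complete or switch to a deny-by-default setup.
     * @throws IllegalArgumentException if {@code o} is not a {@link FilterInvocation}
     */
    @Override
    public Collection<ConfigAttribute> getAttributes(Object o) throws IllegalArgumentException {
        // supports(Class) accepts everything, so validate here rather than letting the
        // cast below fail with a ClassCastException the caller does not expect.
        if (!(o instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation but was: "
                    + (o == null ? "null" : o.getClass().getName()));
        }
        // the request path (servlet path + path info + query), as Spring Security reports it
        String requestUrl = ((FilterInvocation) o).getRequestUrl();
        // permissions configured for this exact path in the database
        List<SysPermission> permissionList = sysPermissionService.selectListByPath(requestUrl);
        if (permissionList == null || permissionList.isEmpty()) {
            // no permission configured for this path: the interceptor lets the request through
            return null;
        }
        String[] attributes = new String[permissionList.size()];
        for (int i = 0; i < permissionList.size(); i++) {
            attributes[i] = permissionList.get(i).getPermissionCode();
        }
        return SecurityConfig.createList(attributes);
    }

    /**
     * Not supported: attributes are loaded per request from the database.
     *
     * @return always {@code null}
     */
    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    /**
     * Declares support for every secured-object class; {@link #getAttributes(Object)}
     * enforces the actual {@link FilterInvocation} requirement.
     */
    @Override
    public boolean supports(Class<?> aClass) {
        return true;
    }
}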
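@Component
public class CustomizeAccessDecisionManager implements AccessDecisionManager {
    /**
     * Grants access when the caller holds at least one of the attributes required by
     * the request (OR semantics across the required attributes).
     *
     * @param authentication the caller's authentication; may be {@code null} if nothing authenticated
     * @param o              the secured object (unused here)
     * @param collection     the attributes produced by the metadata source for this request
     * @throws InsufficientAuthenticationException if there is no authentication at all, so the
     *                                             entry point can challenge for login instead of
     *                                             answering with a plain access-denied
     * @throws AccessDeniedException               if no granted authority matches a required attribute
     */
    @Override
    public void decide(Authentication authentication, Object o, Collection<ConfigAttribute> collection)
            throws AccessDeniedException, InsufficientAuthenticationException {
        if (authentication == null) {
            throw new InsufficientAuthenticationException("Authentication is required to access this resource");
        }
        if (collection == null) {
            // nothing to match against: deny rather than fail with a NullPointerException
            throw new AccessDeniedException("权限不足!");
        }
        // the caller's authorities do not change between attributes, fetch them once
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        for (ConfigAttribute ca : collection) {
            // the permission code this request requires
            String needRole = ca.getAttribute();
            if (needRole == null) {
                // non-string attributes (e.g. expression-based ones) are not handled by this manager
                continue;
            }
            for (GrantedAuthority authority : authorities) {
                // compare from the known-non-null side; getAuthority() may return null
                if (needRole.equals(authority.getAuthority())) {
                    return;
                }
            }
        }
        throw new AccessDeniedException("权限不足!");
    }

    /** Every attribute is accepted; string attributes are matched, others are skipped in {@code decide}. */
    @Override
    public boolean supports(ConfigAttribute configAttribute) {
        return true;
    }

    /** Every secured-object class is accepted; the secured object is not inspected. */
    @Override
    public boolean supports(Class<?> aClass) {
        return true;
    }
}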