spring boot 中spring security使用数据库保存权限

最新推荐文章于 2024-08-01 10:59:34 发布
最新推荐文章于 2024-08-01 10:59:34 发布
阅读量1.1k 收藏 2
点赞数
文章标签: spring security
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/liukai202/article/details/78883896
版权

WebSecurityConfig

package com.maven;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import com.maven.security.MyFilterSecurityInterceptor;


@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    private DataSource dataSource;

    @Autowired
    @Qualifier("myUserDetailsService")
    private UserDetailsService userDetailsService;

    @Autowired
    @Qualifier("myAccessDecisionManager")
    private AccessDecisionManager accessDecisionManager;

    @Autowired
    @Qualifier("mySecurityMetadataSource")
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    @Autowired
    private AuthenticationManagerBuilder authenticationManagerBuilder;

    private AuthenticationManager authenticationManager;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http 
        //自定义过滤器,把资源配置存放到数据库中
        .addFilterBefore(filter(),FilterSecurityInterceptor.class)
            .exceptionHandling()
            .and()
        .formLogin()
            .loginPage("/login")
            .defaultSuccessUrl("/home")
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/login?logout")
            .invalidateHttpSession(true)
            .deleteCookies("remember-me")
            .and()
        .rememberMe()
            .tokenRepository(tokenRepository())
            .tokenValiditySeconds(1209600)//默认2.rememberMeCookieName("remember-me")
            .userDetailsService(userDetailsService)
            .rememberMeParameter("remember-me");
    }

    private PersistentTokenRepository tokenRepository() {
        JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
        tokenRepository.setDataSource(dataSource);
        return tokenRepository;
    }

    // 配置AuthenticationManager
    @Bean
    public AuthenticationManager authenticationManagerBean() {
        authenticationManagerBuilder.authenticationProvider(authenticationProvider());
        return authenticationManagerBuilder.getOrBuild();
    }

    // 获取AuthenticationManager,避免多次调用authenticationManagerBean()
    public AuthenticationManager getAuthenticationManager() {
        if (this.authenticationManager == null) {
            return authenticationManagerBean();
        } else {
            return this.authenticationManager;
        }
    }

    // 自定义JpaFilterSecurityInterceptor过滤器
    public MyFilterSecurityInterceptor filter() throws Exception {
        MyFilterSecurityInterceptor filter = new MyFilterSecurityInterceptor();
        // 认证管理器,实现用户认证的入口
        filter.setAuthenticationManager(getAuthenticationManager());
        // 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源
        filter.setAccessDecisionManager(accessDecisionManager);
        // 资源源数据定义,即定义某一资源可以被哪些角色访问
        filter.setSecurityMetadataSource(securityMetadataSource);
        return filter;
    }

    // 配置DaoAuthenticationProvider
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        // 设置不隐藏UserNotFoundExceptions
        authenticationProvider.setHideUserNotFoundExceptions(false);
        // 设置自定义UserDetailsService
        authenticationProvider.setUserDetailsService(userDetailsService);
        // 设置密码加密方式
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        authenticationProvider.setPasswordEncoder(passwordEncoder);
        return authenticationProvider;
    }

}

MyAccessDecisionManager

/**
 * copyright by liukai
 */
package com.maven.security;

import java.util.Collection;
import java.util.Iterator;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Service;

@Service("myAccessDecisionManager")
public class MyAccessDecisionManager implements AccessDecisionManager{

    private final static Logger logger = LoggerFactory.getLogger(MyAccessDecisionManager.class);

    /* (non-Javadoc)
     * @see org.springframework.security.access.AccessDecisionManager#decide(org.springframework.security.core.Authentication, java.lang.Object, java.util.Collection)
     */
    @Override
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {     
        if (configAttributes == null) {
            return; //如果访问资源不需要任何权限则直接通过  
        }
        //所请求的资源拥有的权限(一个资源对多个权限)
        Iterator<ConfigAttribute> ite = configAttributes.iterator();
        while (ite.hasNext()) {
            ConfigAttribute ca = ite.next();
            String needRole = ((SecurityConfig) ca).getAttribute();
            // ga 为用户所被赋予的权限。 needRole 为访问相应的资源应该具有的权限。
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                logger.info("该资源所需要的权限是:"+needRole +",当前用户的权限是:"+ ga.getAuthority());
                if (needRole.trim().equals(ga.getAuthority().trim())) {
                    return;
                }
            }
        }
        logger.info("权限不足,无法访问!");
        throw new AccessDeniedException("不允许访问!");
    }

    /* (non-Javadoc)
     * @see org.springframework.security.access.AccessDecisionManager#supports(org.springframework.security.access.ConfigAttribute)
     */
    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.access.AccessDecisionManager#supports(java.lang.Class)
     */
    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }

}

MyFilterSecurityInterceptor

/**
 * copyright by liukai
 */
package com.maven.security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;


public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter{

    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    /**
     * @return the securityMetadataSource
     */
    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return securityMetadataSource;
    }

    /**
     * @param securityMetadataSource the securityMetadataSource to set
     */
    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
        this.securityMetadataSource = securityMetadataSource;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.access.intercept.AbstractSecurityInterceptor#getSecureObjectClass()
     */
    @Override
    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.access.intercept.AbstractSecurityInterceptor#obtainSecurityMetadataSource()
     */
    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return securityMetadataSource;
    }

    /* (non-Javadoc)
     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    /* (non-Javadoc)
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
         FilterInvocation fi = new FilterInvocation(request, response, chain);
         invoke(fi);
    }

    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        InterceptorStatusToken token = super.beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            super.afterInvocation(token, null);
        }
    }

    /* (non-Javadoc)
     * @see javax.servlet.Filter#destroy()
     */
    @Override
    public void destroy() {

    }

}

MySecurityMetadataSource

/**
 * copyright by liukai
 */
package com.maven.security;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.stereotype.Service;
import org.springframework.util.AntPathMatcher;

import com.maven.auth.service.AuthService;

@Service("mySecurityMetadataSource")
public class MySecurityMetadataSource implements FilterInvocationSecurityMetadataSource{

    private final static Logger logger = LoggerFactory.getLogger(MySecurityMetadataSource.class);

    private static Map<String, Collection<ConfigAttribute>> resourceMap = null;

     public MySecurityMetadataSource(AuthService authService) {
        //查询所有资源路径和角色
        List<Map<String,Object>> resourceRoles = authService.findAllResourceAndRole();
        //根据URL组装权限Map key为URL,集合为权限集合
        resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
        for(Map<String,Object> resourceRole :resourceRoles) {
            ConfigAttribute ca = new SecurityConfig((String) resourceRole.get("CODE"));
            String url = (String) resourceRole.get("PATH");
            if (resourceMap.containsKey(url)) {
                Collection<ConfigAttribute> value = resourceMap.get(url);
                value.add(ca);
                resourceMap.put(url, value);
            } else {
                Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
                atts.add(ca);
                resourceMap.put(url, atts);
            }
        }
     }

    /* (non-Javadoc)
     * @see org.springframework.security.access.SecurityMetadataSource#getAttributes(java.lang.Object)
     */
    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        // object 是一个URL,被用户请求的url。
        String url = ((FilterInvocation) object).getRequestUrl();

        int firstQuestionMarkIndex = url.indexOf("?");
        if (firstQuestionMarkIndex != -1) {
            url = url.substring(0, firstQuestionMarkIndex);
        }
        Iterator<String> ite = resourceMap.keySet().iterator();
        AntPathMatcher matcher = new AntPathMatcher();
        matcher.setTrimTokens(false);
        while (ite.hasNext()) {
            String resURL = ite.next();
            if (matcher.match(resURL, url)) {
                logger.info("资源配置URL为"+resURL+"请求的URL为:"+url);
                return resourceMap.get(resURL);
            }
        }
        return null;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.access.SecurityMetadataSource#getAllConfigAttributes()
     */
    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        // TODO Auto-generated method stub
        return null;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.access.SecurityMetadataSource#supports(java.lang.Class)
     */
    @Override
    public boolean supports(Class<?> clazz) {
        // TODO Auto-generated method stub
        return true;
    }

}

MyUserDetailsService


package com.maven.security;

import java.util.ArrayList;
import java.util.List;

import javax.transaction.Transactional;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import com.maven.auth.dao.UserDao;
import com.maven.auth.entity.Role;
import com.maven.auth.entity.User;

@Transactional
@Service("myUserDetailsService")
public class MyUserDetailsService implements UserDetailsService{

    @Autowired
    private UserDao userDao;

    /* (non-Javadoc)
     * @see org.springframework.security.core.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = this.userDao.findByUsername(username);
        if(user==null) {
            throw new UsernameNotFoundException("用户"+username+"不存在!");
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        List<Role> roles = user.getRoles();
        for(Role role:roles) {
            authorities.add(new SimpleGrantedAuthority(role.getCode()));
        }
        UserDetails userDetails = new org.springframework.security.core.userdetails.User(user.getUsername(),user.getPassword(),authorities);
        return userDetails;
    }

}
liukai202
关注
Spring Security 3 (三) 用户数据存放于数据库
weixin_34413357的博客
05-10 128
上章回顾:上一章,我们将用户名、密码以及用户对应的角色都配置于applicationContext-security.xml,基本实现了我们能控制用户的访问权限。但是在现实开发,我们不可能将用户信息硬编码在配置文件,通常我们都是存放到数据。同时我们应该对用户的密码进行加密存储。目标:1.将用户信息存放于数据库2.对用户的密码进行加密详细操作:1.其他代码参考上一章...
SpringBoot——整合数据库springSecurity,shiro、整合thymeleaf
qq_43427354的博客
10-26 921
整合数据库springSecurity,shiro、整合thymeleaf
springboot系列教程(二十九):springboot整合Security框架,实现用户权限管理
最新发布
weixin_43860634的博客
08-01 790
springboot系列教程(二十九):springboot整合Security框架,实现用户权限管理
spring boot 整合 spring security使用数据库验证
蜗牛跑的快
11-26 5436
spring boot 整合 spring security 参见上一篇文章.重写WebSecurityConfigurerAdapter的configureGlobal方法@Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.authenticat
SpringBoot整合Springsecurity实现数据库登录以及权限控制
热门推荐
qq_39620552的博客
10-16 4万+
我们今天使用SpringBoot来整合SpringSecurity,来吧,不多BB 首先呢,是一个SpringBoot 项目,连接数据库,这里我使用的是mybaties.mysql, 下面是数据库的表 DROP TABLE IF EXISTS `xy_role`; CREATE TABLE `xy_role` ( `xyr_id` int(11) NOT NULL AUTO_INCRE...
Spring Boot使用 Spring Security 构建权限系统的示例代码
08-29
Spring Boot使用Spring Security构建权限系统的示例代码 在本篇文章,我们将主要介绍如何使用Spring Security框架在Spring Boot项目构建权限系统。权限控制是非常常见的功能,在各种后台管理系统权限控制更...
youlai-boot: Spring Boot 3 + Spring Security + Vue3 权限管理系统
05-04
youlai-boot 是【有来开源组织】基于Spring Boot 3 + Spring Security 6 + JWT + Mybatis-Plus + Redis + XXL-Job + Vue3 等主流技术栈搭建的前后端分离权限管理系统。 在线预览地址:http://vue3.youlai.tech 后端...
详解如何在spring boot使用spring security防止CSRF攻击
08-27
Spring Boot 使用 Spring Security 防止 CSRF 攻击 CSRF(Cross-site request forgery),文名称:跨站请求伪造,也被称为:one click attack/session riding,缩写为:CSRF/XSRF。CSRF 攻击可以盗用用户的...
Spring Boot2.0使用Spring Security的示例代码
08-27
Spring Boot 2.0 使用 Spring Security,可以使用 Maven 引入 Spring Security 依赖项,例如: ``` <groupId>org.springframework.boot <artifactId>spring-boot-starter-security <!-- 前端模板 ...
Springboot整合SpringSecurity实现数据库认证
Tian208的博客
06-02 382
1.导入依赖 2. 创建数据库表 3.配置实体类 4.继承UserDetailsService 5.实现UserDetailsService 6.创建页面及controller映射
Spring Security 实现 Remember Me 记住密码功能
啦啦啦啦 la
11-15 1万+
Spring Boot 集成 Spring Security的简单应用,从数据库读取数据校验用户,页面使用Thymeleaf模板 创建 Spring Boot 应用添加依赖 compile('org.springframework.boot:spring-boot-starter-security') compile('org.springframework.boot:spring-b
Spring Boot + Security + Mybatis 简单权限控制(入门 + 记录篇)
温故而知新,可以为师矣。
08-22 9202
Spring Boot Security 权限 这两天研究了一下权限管理框架。。 查阅资料的过程,JAVA常用的安全框架有Shiro和Spring Security。Shiro比Spring Security学习起来更加简单,功能够用。而这两天的学习,就我自己的体会而言,学习Spring Security还是有一定难度的。虽然它的扩展性非常的好,我们可以重载它默认的类,重写方法...
spring security 使用(将权限信息放入数据库,并自定义登录认证)
pan-zy的专栏
09-17 4775
一、数据库结构
springboot整合spring security
Wenjialu1的博客
03-22 133
项目搭建 引入依赖 <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>
spring boot项目使用 Spring Security(本deom没有连接数据库
qq_41790332的博客
05-10 284
1.本项目的结构大概就是这个样子的: 2.首先创建一个spring boot的项目, 项目的version是2.1.3的在配置文件添加security以及web的依赖。 <dependency> <groupId>org.springframework.boot</groupId> &l...
SpringBoot集成SpringSecurity(十二、数据库方式配置用户)
伍妖捌的小屋
05-20 322
前言 之前已经在数据库创建好了相应的表,下面代码实现。 实体类 这里就直接通过代码生成器进行生成实体类。代码生成器如何使用在前面介绍过,这里不再进行介绍。 依赖 <dependency> <groupId>com.alibaba</groupId> <artifactId>druid-spring-boot-starter</artifactId> <version
Spring BootSpring Security实战:集成数据库安全示例
首先,项目开始于基础设置,需要在Maven或Gradle项目集成Spring Boot的Web和Security启动器,以及H2数据库Spring Data JPA(用于持久化)和Thymeleaf(模板引擎)的依赖。 **项目准备阶段**: - 添加Spring ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值