用户基于权限进行授权
定义用户与权限：使用 authorities() 为用户指定权限。
package com.cms.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
/**
* @author: coffee
* @date: 2024/6/27 20:33
* @description: 在内存中定义用户及其权限，并配置密码编码器
*/
@Configuration
public class UserConfig {

    /**
     * Registers an in-memory user store holding two demo accounts.
     *
     * <p>{@code john} is granted the {@code READ} authority and {@code jane} the
     * {@code WRITE} authority; both share the password {@code 123456}. The
     * authorization rules in {@code ProjectConfig} decide which of them may reach
     * the endpoints.
     *
     * @return a {@link UserDetailsService} backed by {@link InMemoryUserDetailsManager}
     */
    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails john = User.withUsername("john")
                .password("123456")
                .authorities("READ")
                .build();
        UserDetails jane = User.withUsername("jane")
                .password("123456")
                .authorities("WRITE")
                .build();
        // The varargs constructor calls createUser() for each entry, so this is
        // the same as creating an empty manager and adding the users one by one.
        return new InMemoryUserDetailsManager(john, jane);
    }

    /**
     * Exposes the encoder used to match a submitted password against the stored one.
     *
     * <p>NOTE(review): {@link NoOpPasswordEncoder} stores and compares passwords as
     * plain text and is marked deprecated in Spring Security; it is acceptable only
     * for a throwaway demo such as this one. A real application should keep hashed
     * passwords (for example BCrypt), in which case the literal {@code "123456"}
     * values above must be replaced by their hashes.
     *
     * @return the no-op (plain-text) password encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
}
权限维度授权配置
package com.cms.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
/**
* @author: coffee
* @date: 2024/6/27 20:37
* @description: 基于用户权限限制所有端点的访问
*/
@Configuration
public class ProjectConfig extends WebSecurityConfigurerAdapter {

    /**
     * Requires HTTP Basic credentials on every endpoint and lets the request
     * through only when the authenticated user holds at least one of the listed
     * authorities.
     *
     * <p>The rule can be expressed in three ways: {@code hasAuthority()},
     * {@code hasAnyAuthority()} and {@code access()}. The last one takes a SpEL
     * expression and is the most flexible, but it is harder to read and debug, so
     * it is a fallback for rules the first two cannot express.
     *
     * <p>NOTE(review): {@link WebSecurityConfigurerAdapter} is deprecated in
     * Spring Security 5.7 and removed in 6; newer code exposes a
     * {@code SecurityFilterChain} bean instead.
     *
     * @param httpSecurity builder for the application's security filter chain
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .httpBasic()
                .and()
                .authorizeRequests()
                // Alternatives kept for reference:
                //   .anyRequest().permitAll()            -> no credentials needed, e.g. curl http://localhost:8080/hello
                //   .anyRequest().hasAuthority("WRITE")  -> john (READ) gets 403, jane (WRITE) is allowed
                // With hasAnyAuthority both john and jane may call every endpoint.
                .anyRequest().hasAnyAuthority("WRITE", "READ");
    }
}
用户基于角色进行授权
定义用户与角色：使用 roles()，或带 ROLE_ 前缀的 authorities()，为用户指定角色。
package com.cms.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
/**
* @author: coffee
* @date: 2024/6/27 20:33
* @description: 在内存中定义用户及其角色，并配置密码编码器
*/
@Configuration
public class UserConfig {

    /**
     * Registers an in-memory user store holding two demo accounts, each with a role.
     *
     * <p>A role is a {@code GrantedAuthority} whose name carries the {@code ROLE_}
     * prefix. {@code john} gets {@code ROLE_ADMIN} and {@code jane} gets
     * {@code ROLE_MANAGER}; both share the password {@code 123456}. The same result
     * can be written with {@code roles("ADMIN")} / {@code roles("MANAGER")}, which
     * add the prefix themselves.
     *
     * @return a {@link UserDetailsService} backed by {@link InMemoryUserDetailsManager}
     */
    @Bean
    public UserDetailsService userDetailsService() {
        // authorities(): the "ROLE_" prefix is spelled out; roles("ADMIN") would be equivalent.
        UserDetails john = User.withUsername("john")
                .password("123456")
                .authorities("ROLE_ADMIN")
                .build();
        // Equivalent: User.withUsername("jane").password("123456").roles("MANAGER").build()
        UserDetails jane = User.withUsername("jane")
                .password("123456")
                .authorities("ROLE_MANAGER")
                .build();
        // The varargs constructor calls createUser() for each entry, so this is
        // the same as creating an empty manager and adding the users one by one.
        return new InMemoryUserDetailsManager(john, jane);
    }

    /**
     * Exposes the encoder used to match a submitted password against the stored one.
     *
     * <p>NOTE(review): {@link NoOpPasswordEncoder} stores and compares passwords as
     * plain text and is marked deprecated in Spring Security; it is acceptable only
     * for a throwaway demo such as this one. A real application should keep hashed
     * passwords (for example BCrypt), in which case the literal {@code "123456"}
     * values above must be replaced by their hashes.
     *
     * @return the no-op (plain-text) password encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
}
角色维度授权配置
package com.cms.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
/**
* @author: coffee
* @date: 2024/6/27 20:37
* @description: 基于用户角色限制所有端点的访问
*/
@Configuration
public class ProjectConfig extends WebSecurityConfigurerAdapter {

    /**
     * Requires HTTP Basic credentials on every endpoint and lets the request
     * through only when the authenticated user holds at least one of the listed
     * roles.
     *
     * <p>The rule can be expressed with {@code hasRole()}, {@code hasAnyRole()} or
     * {@code access()}. Role names are given without the {@code ROLE_} prefix;
     * the role methods add it before matching against the user's authorities
     * (so {@code "ADMIN"} here matches the {@code "ROLE_ADMIN"} authority granted
     * in {@code UserConfig}). {@code access()} takes a SpEL expression and is the
     * most flexible, but it is harder to read and debug, so it is a fallback for
     * rules the first two cannot express.
     *
     * <p>NOTE(review): {@link WebSecurityConfigurerAdapter} is deprecated in
     * Spring Security 5.7 and removed in 6; newer code exposes a
     * {@code SecurityFilterChain} bean instead.
     *
     * @param httpSecurity builder for the application's security filter chain
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .httpBasic()
                .and()
                .authorizeRequests()
                // Alternatives kept for reference:
                //   .anyRequest().permitAll()        -> no credentials needed, e.g. curl http://localhost:8080/hello
                //   .anyRequest().hasRole("ADMIN")   -> only the ADMIN role may call the endpoints
                // With hasAnyRole users holding either ADMIN or MANAGER may call every endpoint.
                .anyRequest().hasAnyRole("ADMIN", "MANAGER");
    }
}