1.在我们想要控制权限的接口上添加注解
@PreAuthorize(" hasRole('admin')")
表示只有admin这个角色才能使用这个接口
@PreAuthorize(" hasAuthority('sys:user:list')")
表示必须有这个授权才能使用
2.在我们校验用户的类 UserDetailsServiceImpl 中添加以下代码
不知道怎么定义UserDetailsServiceImpl 的可以看这个
怎么自定义spring security对用户信息进行校验及密码的加密校验-CSDN博客
package com.lzy.security;
import com.lzy.entity.SysUser;
import com.lzy.service.ISysUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import java.util.List;
@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    ISysUserService sysUserService;

    /**
     * Loads the account for {@code username} and wraps it, together with its
     * granted authorities, in an {@link AccountUser}.
     *
     * @param username login name looked up through {@code sysUserService.getByUsername}
     * @return the populated principal
     * @throws UsernameNotFoundException when no user has that name
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        SysUser account = sysUserService.getByUsername(username);
        if (account == null) {
            // Spring Security turns this into a failed login; message is user-facing, kept as-is
            throw new UsernameNotFoundException("用户名不存在");
        }
        Long userId = account.getId();
        List<GrantedAuthority> authorities = getUserAuthority(userId);
        return new AccountUser(userId, account.getUsername(), account.getPassword(), authorities);
    }

    /**
     * Resolves the authorities for a user id.
     *
     * <p>{@code sysUserService.getUserAuthorityInfo} returns a comma-separated string
     * of role codes and permission codes; each comma-delimited token becomes one
     * {@link GrantedAuthority}.
     *
     * @param userId id of the user whose authorities are wanted
     * @return authorities derived from that comma-separated string
     */
    public List<GrantedAuthority> getUserAuthority(Long userId) {
        return AuthorityUtils.commaSeparatedStringToAuthorityList(
                sysUserService.getUserAuthorityInfo(userId));
    }
}
在 loadUserByUsername 中添加：
return new AccountUser(sysUser.getId(),sysUser.getUsername(),sysUser.getPassword(),getUserAuthority(sysUser.getId()));
//添加这个getUserAuthority(sysUser.getId())
3.在 ISysUserService 的实现类中编写 getUserAuthorityInfo 方法
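/**
 * Builds the comma-separated authority string for a user: every role code
 * prefixed with {@code ROLE_}, followed by every non-blank menu permission code.
 *
 * <p>The result is consumed by
 * {@code AuthorityUtils.commaSeparatedStringToAuthorityList}, which splits on
 * commas and drops empty tokens, so no trailing separator is emitted here
 * (the previous "ROLE_x," form parsed to the same authorities).
 *
 * @param userId id of the user whose roles and menu permissions are collected
 * @return comma-separated codes, or {@code ""} when the user has neither roles
 *         nor permissions
 */
@Override
public String getUserAuthorityInfo(Long userId) {
    // Roles. userId is a Long, so this concatenation cannot carry SQL
    // metacharacters; still, a parameterized mapper query (#{userId}) is the
    // safer pattern, and this form must not be copied for String inputs.
    List<SysRole> roles = sysRoleService.list(new QueryWrapper<SysRole>()
            .inSql("id", "select role_id from sys_user_role where user_id = " + userId));
    String roleCodes = roles.stream()
            .map(r -> "ROLE_" + r.getCode())
            .collect(Collectors.joining(","));

    // Menu permission codes. A menu whose perms is null would otherwise be
    // joined as the literal "null" (StringJoiner stringifies null), which
    // then becomes a bogus authority; blank values are skipped for the same reason.
    String permCodes = "";
    List<Long> menuIds = sysUserMapper.getNavMenuIds(userId);
    if (!menuIds.isEmpty()) {
        List<SysMenu> sysMenus = sysMenuService.listByIds(menuIds);
        permCodes = sysMenus.stream()
                .map(SysMenu::getPerms)
                .filter(p -> p != null && !p.isEmpty())
                .collect(Collectors.joining(","));
    }

    if (roleCodes.isEmpty()) {
        return permCodes;
    }
    if (permCodes.isEmpty()) {
        return roleCodes;
    }
    return roleCodes + "," + permCodes;
}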
4.在 sysUserMapper 对应的 Mapper 中编写 getNavMenuIds 方法及对应的 SQL 语句
<!-- Distinct menu ids reachable through any of the user's roles
     (sys_user_role -> sys_role_menu). #{userId} is a MyBatis bound parameter,
     i.e. a prepared-statement placeholder, so the id is never spliced into the
     SQL text.
     NOTE(review): because this is a LEFT JOIN, a role that maps to no menu
     yields a row with a NULL menu_id, which arrives as a null element in the
     List<Long>; confirm the caller tolerates that, or consider an inner join. -->
<select id="getNavMenuIds" resultType="java.lang.Long">
select Distinct rm.menu_id
from sys_user_role ur
left join sys_role_menu rm on ur.role_id = rm.role_id
where ur.user_id = #{userId};
</select>
5.完成之后，在 JWT 的校验过滤器类 JwtAuthenticationFilter 中填写以下内容
package com.lzy.security;
import cn.hutool.core.util.StrUtil;
import com.lzy.entity.SysUser;
import com.lzy.service.ISysUserService;
import com.lzy.util.JwtUtil;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
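/**
 * Per-request JWT check. When an {@code Authorization} header is present and
 * carries a valid, unexpired token, the subject's current authorities are
 * loaded from the database and an authenticated token is placed in the
 * SecurityContext; when the header is absent the request continues
 * unauthenticated, so later filters and {@code @PreAuthorize} decide access.
 *
 * <p>NOTE(review): the fields are injected with {@code @Autowired}, which only
 * happens when this filter is created as a Spring bean — confirm it is not
 * instantiated with {@code new} outside the container, or the fields stay null.
 */
public class JwtAuthenticationFilter extends BasicAuthenticationFilter {

    @Autowired
    JwtUtil jwtUtil;
    @Autowired
    UserDetailsServiceImpl userDetailsService;
    @Autowired
    ISysUserService sysUserService;

    public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    /**
     * Validates the JWT from the Authorization header and populates the
     * SecurityContext before continuing the chain.
     *
     * @throws JwtException when the token parses to no claims, is expired, or
     *         names a user that no longer exists
     * @throws RuntimeException wrapping any parse failure raised by {@code jwtUtil}
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // The header value is passed to jwtUtil as-is; any "Bearer " prefix
        // handling is presumably inside jwtUtil.parseJwt — confirm.
        String jwt = request.getHeader("Authorization");
        if (StrUtil.isBlankOrUndefined(jwt)) {
            // No token at all: anonymous request, let the rest of the chain decide.
            chain.doFilter(request, response);
            return;
        }
        Claims claims;
        try {
            claims = jwtUtil.parseJwt(jwt);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        if (claims == null) {
            throw new JwtException("token无效");
        }
        if (jwtUtil.isJwtExpired(claims)) {
            throw new JwtException("token已过期");
        }
        String username = claims.getSubject();
        // The account is re-read on every request so that a user deleted after
        // the token was issued is rejected here instead of failing with an NPE
        // on getId(); authorities are likewise read fresh rather than trusted
        // from the token payload.
        SysUser account = sysUserService.getByUsername(username);
        if (account == null) {
            throw new JwtException("token无效");
        }
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                username, null, userDetailsService.getUserAuthority(account.getId()));
        SecurityContextHolder.getContext().setAuthentication(token);
        chain.doFilter(request, response);
    }
}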
因为这里从 token 中取到的只是 username，所以还需要根据 username 查询出对应的用户对象，再用它的 id 获取权限
@Autowired
UserDetailsServiceImpl userDetailsService;
SysUser byUsername = sysUserService.getByUsername(username);
然后写入：
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, null, userDetailsService.getUserAuthority(byUsername.getId()));
//在这里填写userDetailsService.getUserAuthority(byUsername.getId())