实现基于Spring Security的权限管理系统

微赚淘客系统开发者

于 2024-07-06 13:02:48 发布

阅读量1.4k

点赞数 23

文章标签： spring java 后端

本文链接：https://blog.csdn.net/u010405836/article/details/140201068

版权

实现基于Spring Security的权限管理系统

大家好，我是免费搭建查券返利机器人省钱赚佣金就用微赚淘客系统3.0的小编，也是冬天不穿秋裤，天冷也要风度的程序猿！

在现代Web应用中，权限管理系统是至关重要的组成部分。通过有效的权限管理，可以确保应用程序的安全性，防止未经授权的用户访问敏感数据。Spring Security是一个强大且灵活的安全框架，能够帮助我们轻松实现复杂的权限管理系统。本文将详细介绍如何使用Spring Security实现一个基于角色和权限的权限管理系统。

1. Spring Security概述

Spring Security是Spring框架的一个子项目，提供了全面的安全服务，包括身份验证和授权。其核心概念包括用户、角色和权限。用户可以拥有多个角色，每个角色可以拥有多种权限。通过Spring Security，我们可以对Web应用的访问进行细粒度控制。

2. 项目依赖

首先，我们需要在pom.xml中添加Spring Security相关的依赖：

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <scope>runtime</scope>
    </dependency>
</dependencies>

3. 数据库设计

我们设计一个简单的数据库模型，包括用户、角色和权限三个实体。

package cn.juwatech.model;

import javax.persistence.*;
import java.util.Set;

@Entity
public class User {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private String username;
    private String password;
    
    @ManyToMany(fetch = FetchType.EAGER)
    @JoinTable(
        name = "user_roles",
        joinColumns = @JoinColumn(name = "user_id"),
        inverseJoinColumns = @JoinColumn(name = "role_id")
    )
    private Set<Role> roles;

    // getters and setters
}

package cn.juwatech.model;

import javax.persistence.*;
import java.util.Set;

@Entity
public class Role {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private String name;
    
    @ManyToMany(fetch = FetchType.EAGER)
    @JoinTable(
        name = "role_permissions",
        joinColumns = @JoinColumn(name = "role_id"),
        inverseJoinColumns = @JoinColumn(name = "permission_id")
    )
    private Set<Permission> permissions;

    // getters and setters
}

package cn.juwatech.model;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;

@Entity
public class Permission {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private String name;

    // getters and setters
}

4. 用户认证与授权

我们需要实现UserDetailsService接口来加载用户信息。

package cn.juwatech.service;

import cn.juwatech.model.User;
import cn.juwatech.repository.UserRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class CustomUserDetailsService implements UserDetailsService {

    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("User not found");
        }
        return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), user.getAuthorities());
    }
}

5. 安全配置

配置Spring Security来处理请求的认证与授权。

package cn.juwatech.config;

import cn.juwatech.service.CustomUserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomUserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("USER")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

6. 控制器

实现简单的控制器来处理请求。

package cn.juwatech.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class HomeController {

    @GetMapping("/")
    public String home() {
        return "home";
    }

    @GetMapping("/admin")
    public String admin() {
        return "admin";
    }

    @GetMapping("/user")
    public String user() {
        return "user";
    }

    @GetMapping("/login")
    public String login() {
        return "login";
    }
}

7. 前端页面

创建简单的HTML页面来展示不同的视图。

home.html：

<!DOCTYPE html>
<html>
<head>
    <title>Home</title>
</head>
<body>
    <h1>Welcome to the Home Page</h1>
    <a href="/user">User Page</a>
    <a href="/admin">Admin Page</a>
    <a href="/logout">Logout</a>
</body>
</html>

admin.html：

<!DOCTYPE html>
<html>
<head>
    <title>Admin</title>
</head>
<body>
    <h1>Welcome to the Admin Page</h1>
    <a href="/">Home</a>
    <a href="/logout">Logout</a>
</body>
</html>

user.html：

<!DOCTYPE html>
<html>
<head>
    <title>User</title>
</head>
<body>
    <h1>Welcome to the User Page</h1>
    <a href="/">Home</a>
    <a href="/logout">Logout</a>
</body>
</html>

login.html：

<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
    <h1>Login Page</h1>
    <form method="post" action="/login">
        <label for="username">Username:</label>
        <input type="text" id="username" name="username">
        <br>
        <label for="password">Password:</label>
        <input type="password" id="password" name="password">
        <br>
        <button type="submit">Login</button>
    </form>
</body>
</html>

8. 数据初始化

使用data.sql文件初始化数据库。

INSERT INTO user (username, password) VALUES ('admin', '$2a$10$WzAqEJdKzHQ9E.o/qT41f.J.oPjDNCRK0AejsbTiKCN.p6qMjr8ru'); -- 密码: password
INSERT INTO user (username, password) VALUES ('user', '$2a$10$WzAqEJdKzHQ9E.o/qT41f.J.oPjDNCRK0AejsbTiKCN.p6qMjr8ru'); -- 密码: password

INSERT INTO role (name) VALUES ('ROLE_ADMIN');
INSERT INTO role (name) VALUES ('ROLE_USER');

INSERT INTO user_roles (user_id, role_id) VALUES (1, 1); -- admin -> ROLE_ADMIN
INSERT INTO user_roles (user_id, role_id) VALUES (2, 2); -- user -> ROLE_USER