Java动态分配角色权限_Spring boot security 动态角色权限

原来项目一直使用spring mvc用的一套动态权限角色控制，现在项目更换spring boot来开发，原来的权限控制不起作用，于是使用spring boot security来实现动态角色和权限的配置功能。现功能只是为了实现cms后台的控制，还没有去做接口的动态权限控制，如果下一步需要并实现了功能会分享出来。

spring boot 使用的是2.1.0.RELEASE版本，废话不多说上配置文件。

pom.xml

xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

4.0.0

com.simmytech.cms

cms-platform

1.0.0-SNAPSHOT

war

cms-platform

http://maven.apache.org

org.springframework.boot

spring-boot-starter-parent

2.1.0.RELEASE

UTF-8

org.springframework.boot

spring-boot-starter-web

org.mybatis.spring.boot

mybatis-spring-boot-starter

2.0.0

mysql

mysql-connector-java

org.springframework.boot

spring-boot-starter-test

test

org.springframework.boot

spring-boot-starter-security

org.springframework.boot

spring-boot-starter-thymeleaf

org.thymeleaf.extras

thymeleaf-extras-springsecurity5

org.springframework.boot

spring-boot-devtools

true

org.springframework.boot

spring-boot-starter-tomcat

provided

cms

org.springframework.boot

spring-boot-maven-plugin

true

true

新建项目后看一下项目目录结构

目录结构

权限控制我们需要写的类有几个

1：com.simmytech.cms.config下的MyPasswordEncoder

2：com.simmytech.cms.config下的WebSecurityConfig

3：com.simmytech.cms.service下的CustomUserService

4：com.simmytech.cms.service下的MyAccessDecisionManager

5：com.simmytech.cms.service下的MyFilterSecurityInterceptor

6：com.simmytech.cms.service下的MyInvocationSecruityMetadataSourceService

下面我们先数据库用户、角色、权限表的设计和数据库的逻辑操作，然后再和secrity结合控制

数据库表一共由

数据库表

5个表组成，分别是用户表sys_user

用户表

角色表sys_role

角色表

权限表sys_permission

权限表

权限角色关联表sys_permission_role

权限角色关联表

角色用户关联表sys_role_user

角色用户关联表

现在看具体权限相关类的写法

MyPasswordEncoder类用户用户密码加密的类

package com.simmytech.cms.config;

import org.apache.commons.logging.Log;

import org.apache.commons.logging.LogFactory;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

import org.springframework.security.crypto.password.PasswordEncoder;

public class MyPasswordEncoder implements PasswordEncoder {

Log log = LogFactory.getLog(MyPasswordEncoder.class);

BCryptPasswordEncoder bean = new BCryptPasswordEncoder();

@Override

public String encode(CharSequence arg0) {

// TODO Auto-generated method stub

return bean.encode(arg0).toString();

}

@Override

public boolean matches(CharSequence arg0, String arg1) {

// TODO Auto-generated method stub

return bean.matches(arg0, arg1);

}

}

WebSecurityConfig类Security是否过滤的配置

package com.simmytech.cms.config;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import org.springframework.security.core.userdetails.UserDetailsService;

import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;

import com.simmytech.cms.service.MyFilterSecurityInterceptor;

@Configuration

@EnableWebSecurity

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired

private MyFilterSecurityInterceptor myFilterSecurityInterceptor;

@Autowired

UserDetailsService customUserService;

@Override

protected void configure(AuthenticationManagerBuilder auth) throws Exception {

auth.userDetailsService(customUserService).passwordEncoder(new MyPasswordEncoder()); // user

// Details

// Service验证

}

@Override

protected void configure(HttpSecurity http) throws Exception {

http.headers().frameOptions().disable()

.and().authorizeRequests().antMatchers("/dist/", "/plugins/","/favicon.ico").permitAll().anyRequest().authenticated() // 任何请求,登录后可以访问

.and().formLogin().loginPage("/login").defaultSuccessUrl("/").failureUrl("/login?error").permitAll() // 登录页面用户任意访问

.and().logout().permitAll(); // 注销行为任意访问

http.addFilterBefore(myFilterSecurityInterceptor, FilterSecurityInterceptor.class);

}

}

我的配置是可以iframe访问，静态资源的访问地址不拦截，登录地址，登录成功地址和登录失败的地址配置，其他访问地址全部需要经过权限拦截。

CustomUserService类登录根据用户名获取用户信息

package com.simmytech.cms.service;

import java.util.ArrayList;

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.security.core.GrantedAuthority;

import org.springframework.security.core.authority.SimpleGrantedAuthority;

import org.springframework.security.core.userdetails.User;

import org.springframework.security.core.userdetails.UserDetails;

import org.springframework.security.core.userdetails.UserDetailsService;

import org.springframework.security.core.userdetails.UsernameNotFoundException;

import org.springframework.stereotype.Service;

import com.simmytech.cms.model.SysPermission;

import com.simmytech.cms.model.SysUser;

@Service

public class CustomUserService implements UserDetailsService { // 自定义UserDetailsService

@Autowired

private UserService userService;

public UserDetails loadUserByUsername(String username) {

SysUser user = userService.getUserByUserName(username);

if (user != null) {

List permissions = userService.getPermissionByUserId(user.getId());

List grantedAuthorities = new ArrayList<>();

for (SysPermission permission : permissions) {

if (permission != null && permission.getName() != null) {

GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(permission.getName());

grantedAuthorities.add(grantedAuthority);

}

}

userService.updateUserLogintime(user.getId());

return new User(user.getUsername(), user.getPassword(), grantedAuthorities);

} else {

throw new UsernameNotFoundException("admin: " + username + " do not exist!");

}

}

}

MyAccessDecisionManager类

package com.simmytech.cms.service;

import org.springframework.security.access.AccessDecisionManager;

import org.springframework.security.access.AccessDeniedException;

import org.springframework.security.access.ConfigAttribute;

import org.springframework.security.authentication.InsufficientAuthenticationException;

import org.springframework.security.core.Authentication;

import org.springframework.security.core.GrantedAuthority;

import org.springframework.stereotype.Service;

import java.util.Collection;

import java.util.Iterator;

@Service

public class MyAccessDecisionManager implements AccessDecisionManager {

@Override

public void decide(Authentication authentication, Object object, Collection configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {

if(null== configAttributes || configAttributes.size() <=0) {

throw new AccessDeniedException("当前访问没有权限");

}

ConfigAttribute c;

String needRole;

for(Iterator iter = configAttributes.iterator(); iter.hasNext(); ) {

c = iter.next();

needRole = c.getAttribute();

for(GrantedAuthority ga : authentication.getAuthorities()) {

if(needRole.trim().equals(ga.getAuthority())) {

return;

}

}

}

throw new AccessDeniedException("当前访问没有权限");

}

@Override

public boolean supports(ConfigAttribute attribute) {

return true;

}

@Override

public boolean supports(Class> clazz) {

return true;

}

}

MyFilterSecurityInterceptor类

package com.simmytech.cms.service;

import javax.servlet.Filter;

import javax.servlet.FilterChain;

import javax.servlet.FilterConfig;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.security.access.SecurityMetadataSource;

import org.springframework.security.access.intercept.AbstractSecurityInterceptor;

import org.springframework.security.access.intercept.InterceptorStatusToken;

import org.springframework.security.web.FilterInvocation;

import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

import org.springframework.stereotype.Service;

import java.io.IOException;

@Service

public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {

@Autowired

private FilterInvocationSecurityMetadataSource securityMetadataSource;

@Autowired

public void setMyAccessDecisionManager(MyAccessDecisionManager myAccessDecisionManager) {

super.setAccessDecisionManager(myAccessDecisionManager);

}

@Override

public void init(FilterConfig filterConfig) throws ServletException {

}

@Override

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

FilterInvocation fi = new FilterInvocation(request, response, chain);

invoke(fi);

}

public void invoke(FilterInvocation fi) throws IOException, ServletException {

//fi里面有一个被拦截的url

//里面调用MyInvocationSecurityMetadataSource的getAttributes(Object object)这个方法获取fi对应的所有权限

//再调用MyAccessDecisionManager的decide方法来校验用户的权限是否足够

InterceptorStatusToken token = super.beforeInvocation(fi);

try {

//执行下一个拦截器

fi.getChain().doFilter(fi.getRequest(), fi.getResponse());

} finally {

super.afterInvocation(token, null);

}

}

@Override

public void destroy() {

}

@Override

public Class> getSecureObjectClass() {

return FilterInvocation.class;

}

@Override

public SecurityMetadataSource obtainSecurityMetadataSource() {

return this.securityMetadataSource;

}

}

MyInvocationSecurityMetadataSourceService类

package com.simmytech.cms.service;

import java.util.ArrayList;

import java.util.Collection;

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.beans.factory.annotation.Value;

import org.springframework.security.access.ConfigAttribute;

import org.springframework.security.access.SecurityConfig;

import org.springframework.security.web.FilterInvocation;

import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

import org.springframework.stereotype.Service;

import com.simmytech.cms.model.SysPermission;

import com.simmytech.cms.model.SysRole;

@Service

public class MyInvocationSecurityMetadataSourceService implements FilterInvocationSecurityMetadataSource {

@Value("${simmytech.exurl}")

private String exurl;

@Autowired

private UserService userService;

@Override

public Collection getAttributes(Object object) throws IllegalArgumentException {

// 获取当前访问url

String url = ((FilterInvocation) object).getRequestUrl();

int firstQuestionMarkIndex = url.indexOf("?");

if (firstQuestionMarkIndex != -1) {

url = url.substring(0, firstQuestionMarkIndex);

}

if(filter(url)){

return null;

}

List result = new ArrayList<>();

// 查询数据库url匹配的菜单

List menuList = userService.getPermissionByUrl(url);

if (menuList != null && menuList.size() > 0) {

for (SysPermission menu : menuList) {

// 查询拥有该菜单权限的角色列表

List roles = userService.getRoleByPermissionId(menu.getId());

if (roles != null && roles.size() > 0) {

for (SysRole role : roles) {

ConfigAttribute conf = new SecurityConfig(role.getName());

result.add(conf);

}

}

}

}

if(result.isEmpty()){

result.add(new SecurityConfig("ROLE_EMPTY"));

}

return result;

}

@Override

public Collection getAllConfigAttributes() {

return null;

}

@Override

public boolean supports(Class> clazz) {

return true;

}

private boolean filter(String url){

String[] urls=exurl.split(",");

for(String temp:urls){

if(url.indexOf(temp)==0){

return true;

}

}

return false;

}

}

下面开始看controller和登录页的配置

package com.simmytech.cms.web;

import java.util.Calendar;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.stereotype.Controller;

import org.springframework.ui.Model;

import org.springframework.web.bind.annotation.RequestMapping;

import com.simmytech.cms.model.SysUser;

import com.simmytech.cms.service.UserService;

import com.simmytech.cms.vo.MenuVo;

@Controller

public class HomeController {

@Autowired

private UserService userService;

@RequestMapping("/")

public String index(Model model){

return "index";

}

@RequestMapping("/login")

public String login(){

return "login";

}

}

controller包含登录页和首页

现在看登录页的登录form

Remember Me

登录

下面看登录成功首页的退出登录功能

当前文章没有包含userService的写法，当然这个可以根据自己的业务来实现。

如果有需要页面权限标签的功能我会单独的文章来展现，这里就不说明了。

动态配置用户角色权限直接的关系需要大家自己来实现了。