SpringSecurity

权限管理设置

        一般的信息权限管理一般分为登录和授权

权限系统的实现

        实现登录功能,将用户的登录状态保存

@RestController
public class LoginController {
    @Autowired
    UserService userService;

    @RequestMapping("login.do")
    public String login(String username, String password, HttpSession session) {
        UserEntity loginUser = userService.login(username, password);
        session.setAttribute(Constants.SESSION_USER, loginUser);
        return "登录成功";
    }
}

        实现登录过滤器验证是否登录

@Order(1)
@WebFilter("/*")
public class LoginFilter implements Filter {
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse htttpServletResponse = (HttpServletResponse) servletResponse;
        //获取请求路径
        String path = httpServletRequest.getRequestURI();
        if(path.endsWith("login.html") || path.endsWith("login.do")){
            filterChain.doFilter(servletRequest,servletResponse);
            return;
        }


        UserEntity loginUser = (UserEntity) httpServletRequest.getSession().getAttribute(Constants.SESSION_USER);
        if(loginUser==null){
            //跳转到登录页面
            htttpServletResponse.sendRedirect("/login.html");
            return;
        }
        filterChain.doFilter(servletRequest,servletResponse);
    }
}

        实现验证用户是否具有访问权限的过滤器

@Order(2)
@WebFilter("/*")
public class RightFilter implements Filter {
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse htttpServletResponse = (HttpServletResponse) servletResponse;
        //获取请求路径
        String path = httpServletRequest.getRequestURI();
        if(path.endsWith("login.html") || path.endsWith("login.do")){
            filterChain.doFilter(servletRequest,servletResponse);
            return;
        }
        //判断是否具备权限
        System.out.println("验证的路径是:"+path);
        //判断当前登录的用户是否存在访问路径的权限
        UserEntity loginUser = (UserEntity) httpServletRequest.getSession().getAttribute(Constants.SESSION_USER);
        for(RoleEntity roleEntity : loginUser.getRoles()){
            for(RightEntity rightEntity : roleEntity.getRights()){
                if(rightEntity.getRightCode().equals(path)){
                    //有权限
                    filterChain.doFilter(servletRequest,servletResponse);
                    return;
                }
            }
        }
        //throw new RuntimeException("用户没有权限，请联系管理员");
        htttpServletResponse.setCharacterEncoding("utf-8");
        htttpServletResponse.setContentType("text/html");
        htttpServletResponse.getWriter().write("用户没有权限，请联系管理员");
    }
}

RBAC权限模型

        Role Base Access Controller:基于角色的管理控制

                主要的流程包括两个部分

                        登录

                        授权

                常用的权限框架:

                        Shiro:轻量级的权限框架,上手简单,易于修改

                        SpringSecurity:Spring推出的一款权限框架,功能强大实现复杂,可以和spring全家桶很好结合

SpringSecurity的基本使用

        导入依赖包

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

对SpringSecurity进行相关配置

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()//授权配置
                .antMatchers( "/t1").permitAll() //可以直接通过
                .antMatchers("/comment/teacher").hasAnyRole("student")
                .antMatchers("/score/edit").hasAnyAuthority("socre:edit")
                .anyRequest().authenticated() //需要权限验证
                .and().exceptionHandling().accessDeniedPage("/noright.html") //无权限的路径

                .and()
                .formLogin() //登录认证配置
                .loginProcessingUrl("/login.action").permitAll()//登陆请求
                .failureUrl("/fail.html")//登录失败的访问页面
                .defaultSuccessUrl("/index.jhtml")//登录成功之后访问页面
                .usernameParameter("username")
                .passwordParameter("password")
                .loginPage("/login.html").permitAll() //登陆页面地址
                .and()
                .logout().permitAll()//退出功能
                .and().csrf().disable();//禁用csrf
    }
}

在application,yml中添加用户和角色

spring:
  security:
    user:
      name: zhangsan
      password: 123
      roles: [user,boss,student]

SpringSecurity的一些概念

        authorizeRequests:请求权限,设置用户请求权限规则

        antMatchers:路径匹配器

        permitAll:不需要权限

        hasRole:配置是否具备角色

        exceptionHanding:异常处理器

        accessDeniedpage:拒绝之后的跳转页面

        formLogin:登录表单

        csrf:跨域攻击,Cross-site request forgery

                防止csrf跨越攻击的方式,就是在服务器端生成一个token返回到提交表单中,然后再表单返回的时候需要带上token和服务器端的token进行比较防止csrf跨域攻击

                jwt天然支持防止csrf跨域攻击

        Authentication:登录的对象

        Principal:登录账号对象,比如账号,手机,邮箱

        Credentials:登录凭证,例如密码,指纹等

获得当前登录用户的相关信息

    @RequestMapping("/index.jhtml")
    public ModelAndView index(){
        //获取登录成功的用户
        //获取Security上下文
        SecurityContext securityContext = SecurityContextHolder.getContext();
        org.springframework.security.core.userdetails.User myuser = (User) securityContext.getAuthentication().getPrincipal();

        ModelAndView mv = new ModelAndView();
        mv.setViewName("index");
        mv.addObject("username",myuser.getUsername());
        return mv;
    }