Permission Management Setup
Permission management in an information system is generally split into two parts: login (authentication) and authorization.
Implementing the permission system
Implement the login function and save the user's login state in the session
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServletRequest;

@RestController
public class LoginController {
    @Autowired
    UserService userService;
    @RequestMapping("login.do")
    public String login(String username, String password, HttpServletRequest request) {
        UserEntity loginUser = userService.login(username, password);
        if (loginUser == null) {
            // Same message for an unknown user and a wrong password, so the response does not reveal which one it was
            return "Login failed";
        }
        // Rotate the session ID on login (Servlet 3.1+) so a session ID fixed by an attacker before login is not promoted to an authenticated one
        request.changeSessionId();
        request.getSession().setAttribute(Constants.SESSION_USER, loginUser);
        return "Login succeeded";
    }
}
Implement a login filter that checks whether the user is logged in. The authorization filter further down assumes this filter has already run; note that in Spring Boot, @Order on a class registered through @WebFilter scanning is not a reliable way to control filter order, so if the order matters, register both filters with FilterRegistrationBean and call setOrder.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.core.annotation.Order;

@Order(1)
@WebFilter("/*")
public class LoginFilter implements Filter {
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        // Request path relative to the application (context path removed)
        String path = httpServletRequest.getRequestURI().substring(httpServletRequest.getContextPath().length());
        // Compare exactly. A suffix check such as endsWith("login.do") also lets "/score/edit;login.do" through:
        // getRequestURI() keeps the ";..." path parameter, while Spring MVC drops it and dispatches to /score/edit
        if (path.equals("/login.html") || path.equals("/login.do")) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // getSession(false) does not create an empty session for anonymous requests
        HttpSession session = httpServletRequest.getSession(false);
        UserEntity loginUser = session == null ? null : (UserEntity) session.getAttribute(Constants.SESSION_USER);
        if (loginUser == null) {
            // Not logged in: send the user to the login page
            httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/login.html");
            return;
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }
}
Implement a filter that checks whether the logged-in user is allowed to access the requested path
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.core.annotation.Order;

@Order(2)
@WebFilter("/*")
public class RightFilter implements Filter {
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        // Request path relative to the application, compared exactly (see LoginFilter for why a suffix match is unsafe)
        String path = httpServletRequest.getRequestURI().substring(httpServletRequest.getContextPath().length());
        if (path.equals("/login.html") || path.equals("/login.do")) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // Check whether the current user holds a right whose code equals the request path.
        // Right codes are assumed to be stored as context-relative paths such as "/score/edit".
        // Do not assume LoginFilter ran first: with no logged-in user the loop is skipped and the request is denied
        HttpSession session = httpServletRequest.getSession(false);
        UserEntity loginUser = session == null ? null : (UserEntity) session.getAttribute(Constants.SESSION_USER);
        if (loginUser != null) {
            for (RoleEntity roleEntity : loginUser.getRoles()) {
                for (RightEntity rightEntity : roleEntity.getRights()) {
                    if (rightEntity.getRightCode().equals(path)) {
                        // Has the right: continue down the filter chain
                        filterChain.doFilter(servletRequest, servletResponse);
                        return;
                    }
                }
            }
        }
        // No matching right: answer 403 rather than a 200 page so clients, proxies and logs can tell it was a denial
        httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        httpServletResponse.setCharacterEncoding("utf-8");
        httpServletResponse.setContentType("text/html");
        httpServletResponse.getWriter().write("You do not have permission; please contact the administrator");
    }
}
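Both filters above make their decision from getRequestURI(). The following is an added example, not code from the page: a small stand-alone class that shows why a suffix match on that raw string is bypassable and how to normalise the path (strip the context path and ";" path parameters, collapse duplicate slashes) before comparing it exactly against the public allowlist and against the user's right codes. The page's UserEntity/RoleEntity/RightEntity are replaced by a plain set of right codes, and the context path "/app" and all probe URIs are constructed for the example.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;
import java.util.Set;

public class RequestPathCheck {
    // Endpoints reachable without a session; compared exactly after normalisation.
    static final Set<String> PUBLIC_PATHS = Set.of("/login.html", "/login.do");

    // Turn a raw request URI into the context-relative path the handler is looked up by.
    // getRequestURI() keeps the context path and ";name=value" path parameters; Spring MVC's
    // default lookup path removes both before matching a handler, so a filter that compares the
    // raw string decides on a different path than the one that is actually served.
    // (Percent-encoding is deliberately not decoded here: an encoded path then simply fails closed.)
    static String normalize(String contextPath, String requestUri) {
        String path = requestUri;
        if (!contextPath.isEmpty() && path.startsWith(contextPath)) {
            path = path.substring(contextPath.length());
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            int semi = seg.indexOf(';');
            if (semi >= 0) seg = seg.substring(0, semi); // drop ";jsessionid=.." and friends
            if (seg.isEmpty()) continue;                 // collapse "//" into "/"
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    // Suffix matching as written in the original filters: bypassable.
    static boolean suffixAllowsWithoutLogin(String requestUri) {
        return requestUri.endsWith("login.html") || requestUri.endsWith("login.do");
    }

    // Exact matching on the normalised path: anything unexpected is not public.
    static boolean exactAllowsWithoutLogin(String contextPath, String requestUri) {
        return PUBLIC_PATHS.contains(normalize(contextPath, requestUri));
    }

    // Authorization check; right codes are assumed to be stored as context-relative paths.
    static boolean hasRight(Set<String> rightCodes, String contextPath, String requestUri) {
        return rightCodes.contains(normalize(contextPath, requestUri));
    }

    public static void main(String[] args) {
        // Constructed sample: this user may only view scores, not edit them.
        Set<String> rights = Set.of("/score/view");
        List<String> probes = List.of(
            "/app/login.do",                  // legitimate public request
            "/app/score/edit;login.do",       // path parameter that merely ends in "login.do"
            "/app/score/view;jsessionid=ABC", // URL-rewritten session, still the allowed path
            "/app//score/edit");              // duplicate slash in front of a protected path
        for (String uri : probes) {
            System.out.printf("%-34s suffix-public=%-5s exact-public=%-5s hasRight=%s%n",
                uri,
                suffixAllowsWithoutLogin(uri),
                exactAllowsWithoutLogin("/app", uri),
                hasRight(rights, "/app", uri));
        }
    }
}
```

Running it shows "/app/score/edit;login.do" passing the suffix check (it would reach the /score/edit handler with no login at all) while the exact check rejects it, and "/app/score/view;jsessionid=ABC" still being authorized because the path parameter is stripped before the right-code lookup. In a real application the safer choice is not to hand-write this at all but to let Spring Security's request matchers do the matching, since they already apply the same normalisation as the dispatcher.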
The RBAC permission model
Role-Based Access Control: permissions are attached to roles, and a user obtains permissions through the roles assigned to them
The main flow has two parts:
Login (authentication)
Authorization
Commonly used permission frameworks:
Shiro: a lightweight permission framework, easy to pick up and easy to customise
Spring Security: the permission framework from the Spring project; powerful but more complex to set up, and it integrates well with the rest of the Spring ecosystem
Basic use of Spring Security
Import the dependency
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Configure Spring Security
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
// WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 and removed in 6.0, where the same
// rules are expressed as a SecurityFilterChain bean; the rule chain itself is unchanged
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests() // authorization rules; evaluated top to bottom, first match wins
            .antMatchers("/t1").permitAll() // open to everyone
            .antMatchers("/comment/teacher").hasAnyRole("student") // requires the authority ROLE_student
            .antMatchers("/score/edit").hasAnyAuthority("score:edit") // requires the literal authority score:edit
            .anyRequest().authenticated() // everything else requires a logged-in user
            .and().exceptionHandling().accessDeniedPage("/noright.html") // page shown when access is denied
            .and()
            .formLogin() // form-based login
            .loginProcessingUrl("/login.action").permitAll() // URL the login form posts to
            .failureUrl("/fail.html") // page shown after a failed login
            .defaultSuccessUrl("/index.jhtml") // page shown after a successful login
            .usernameParameter("username")
            .passwordParameter("password")
            .loginPage("/login.html").permitAll() // login page
            .and()
            .logout().permitAll() // logout
            .and().csrf().disable(); // turns off Spring Security's CSRF token check; with cookie-based form login as configured here
                                     // this leaves state-changing POSTs open to CSRF, so only do it for a stateless token-based API
    }
}
Add a user and roles in application.yml
spring:
security:
user:
name: zhangsan
password: 123
roles: [user,boss,student]
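The yml account above keeps the password in plain text (Spring Boot stores it with the {noop} prefix, i.e. unhashed) and can only carry roles, so it could never satisfy the hasAnyAuthority("score:edit") rule in the configuration. As an added example, not code from the page, the same account defined as a bean with a BCrypt-hashed password and both the roles and the score:edit authority; the user name, password and authority names are taken from the configuration above, and the class name UserConfig is an assumption.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class UserConfig {

    // Adaptive, salted hash. Spring Security picks this bean up and uses it to verify submitted passwords.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Defining a UserDetailsService bean replaces the spring.security.user.* account from application.yml.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed example account. hasAnyRole("student") looks for the authority "ROLE_student" and
        // hasAnyAuthority("score:edit") for the literal "score:edit". authorities() is used for both kinds
        // because roles() on the builder replaces any authorities set before it, and vice versa.
        UserDetails zhangsan = User.withUsername("zhangsan")
            .password(encoder.encode("123")) // hashed at startup; in production store the hash, not the password
            .authorities("ROLE_user", "ROLE_boss", "ROLE_student", "score:edit")
            .build();
        return new InMemoryUserDetailsManager(zhangsan);
    }
}
```

With this bean in place the yml user is no longer created, and the stored value is a BCrypt hash rather than the password itself; the form login still works unchanged because the encoder bean is used for verification.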
Some Spring Security concepts
authorizeRequests: request authorization; sets the access rules for requests
antMatchers: Ant-style path matcher
permitAll: no authentication required
hasRole: requires the user to hold the given role (stored internally as an authority prefixed with ROLE_)
exceptionHandling: exception handling
accessDeniedPage: the page the user is sent to when access is denied
formLogin: form-based login
csrf: Cross-Site Request Forgery; the browser attaches the session cookie to a request triggered by another site, so the server cannot tell it from a request the user meant to make
The defence against CSRF is for the server to generate a token, embed it in the form it serves, and require the submitted form to carry that token back; on submission the server compares it with the token stored for the session and rejects the request if they do not match.
A JWT only prevents CSRF when the client sends it explicitly, for example in an Authorization header set by script, because a cross-site page cannot add that header. A JWT kept in a cookie is attached automatically by the browser and is just as exposed to CSRF as a session cookie.
Authentication: the object representing the login
Principal: the identity used to log in, such as an account name, phone number or email address
Credentials: the proof of identity, such as a password or a fingerprint
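To make the token scheme described above concrete, here is an added example that is not code from the page: a minimal synchronizer-token implementation in plain Java, with a Map standing in for the HttpSession, together with the three cases a forged request can present. This is the same pattern Spring Security's CsrfFilter applies by default and that csrf().disable() in the configuration above switches off; the class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class CsrfTokenDemo {
    private static final SecureRandom RNG = new SecureRandom();
    static final String SESSION_KEY = "_csrf";

    // Called when a form is rendered: create an unguessable token, store it server-side for this
    // session, and return it so the form can embed it in a hidden field.
    static String issueToken(Map<String, String> session) {
        byte[] raw = new byte[32]; // 256 bits of CSPRNG output
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_KEY, token);
        return token;
    }

    // Called on a state-changing request: the token sent back must equal the one stored for the
    // session. MessageDigest.isEqual compares in constant time so a timing side channel cannot
    // be used to recover the token byte by byte.
    static boolean validateToken(Map<String, String> session, String submitted) {
        String expected = session.get(SESSION_KEY);
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, String> victimSession = new HashMap<>(); // constructed stand-in for HttpSession
        String token = issueToken(victimSession);

        // The site's own form carries the token it was served: accepted.
        System.out.println("own form:          " + validateToken(victimSession, token));
        // A cross-site page can make the browser send the cookie, but it cannot read the token out
        // of the victim's page, so it submits without one or with a guess: rejected.
        System.out.println("forged, no token:  " + validateToken(victimSession, null));
        System.out.println("forged, guessed:   " + validateToken(victimSession, "AAAA"));
        // A token the attacker obtained from their own session is bound to that session: rejected.
        Map<String, String> attackerSession = new HashMap<>();
        String attackerToken = issueToken(attackerSession);
        System.out.println("attacker's token:  " + validateToken(victimSession, attackerToken));
    }
}
```

The token must be delivered in the page body (hidden field or a header set by script), never only in a cookie that the browser sends on its own, since that is exactly what the forged request would also carry; the same reasoning is why a JWT in a cookie does not help against CSRF.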
Get information about the currently logged-in user
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

@Controller // returns a view, so @Controller rather than @RestController
public class IndexController {
    @RequestMapping("/index.jhtml")
    public ModelAndView index() {
        // The security context holds the Authentication of the user who logged in for the current request
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // Cast to the UserDetails interface rather than the concrete User class, so a custom
        // UserDetailsService that returns its own UserDetails implementation still works
        UserDetails myuser = (UserDetails) authentication.getPrincipal();
        ModelAndView mv = new ModelAndView();
        mv.setViewName("index");
        mv.addObject("username", myuser.getUsername());
        return mv;
    }
}