2. 程式人生 > >spring boot 中spring security使用資料庫儲存許可權

spring boot 中spring security使用資料庫儲存許可權

阿新 發佈:2019-01-23

WebSecurityConfig

package com.maven;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration
 
;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders
 
.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
 
;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import com.maven.security.MyFilterSecurityInterceptor;


@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    private DataSource dataSource;

    @Autowired
    @Qualifier("myUserDetailsService")
    private UserDetailsService userDetailsService;

    @Autowired
    @Qualifier("myAccessDecisionManager")
    private AccessDecisionManager accessDecisionManager;

    @Autowired
    @Qualifier("mySecurityMetadataSource")
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    @Autowired
    private AuthenticationManagerBuilder authenticationManagerBuilder;

    private AuthenticationManager authenticationManager;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http 
        //自定義過濾器,把資源配置存放到資料庫中
        .addFilterBefore(filter(),FilterSecurityInterceptor.class)
            .exceptionHandling()
            .and()
        .formLogin()
            .loginPage("/login")
            .defaultSuccessUrl("/home")
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/login?logout")
            .invalidateHttpSession(true)
            .deleteCookies("remember-me")
            .and()
        .rememberMe()
            .tokenRepository(tokenRepository())
            .tokenValiditySeconds(1209600)//預設2.rememberMeCookieName("remember-me")
            .userDetailsService(userDetailsService)
            .rememberMeParameter("remember-me");
    }

    private PersistentTokenRepository tokenRepository() {
        JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
        tokenRepository.setDataSource(dataSource);
        return tokenRepository;
    }

    // 配置AuthenticationManager
    @Bean
    public AuthenticationManager authenticationManagerBean() {
        authenticationManagerBuilder.authenticationProvider(authenticationProvider());
        return authenticationManagerBuilder.getOrBuild();
    }

    // 獲取AuthenticationManager,避免多次呼叫authenticationManagerBean()
    public AuthenticationManager getAuthenticationManager() {
        if (this.authenticationManager == null) {
            return authenticationManagerBean();
        } else {
            return this.authenticationManager;
        }
    }

    // 自定義JpaFilterSecurityInterceptor過濾器
    public MyFilterSecurityInterceptor filter() throws Exception {
        MyFilterSecurityInterceptor filter = new MyFilterSecurityInterceptor();
        // 認證管理器,實現使用者認證的入口
        filter.setAuthenticationManager(getAuthenticationManager());
        // 訪問決策器,決定某個使用者具有的角色,是否有足夠的許可權去訪問某個資源
        filter.setAccessDecisionManager(accessDecisionManager);
        // 資源源資料定義,即定義某一資源可以被哪些角色訪問
        filter.setSecurityMetadataSource(securityMetadataSource);
        return filter;
    }

    // 配置DaoAuthenticationProvider
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        // 設定不隱藏UserNotFoundExceptions
        authenticationProvider.setHideUserNotFoundExceptions(false);
        // 設定自定義UserDetailsService
        authenticationProvider.setUserDetailsService(userDetailsService);
        // 設定密碼加密方式
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        authenticationProvider.setPasswordEncoder(passwordEncoder);
        return authenticationProvider;
    }

}

MyAccessDecisionManager

/**
 * copyright by liukai
 */
package com.maven.security;

import java.util.Collection;
import java.util.Iterator;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Service;

@Service("myAccessDecisionManager")
public class MyAccessDecisionManager implements AccessDecisionManager{

    private final static Logger logger = LoggerFactory.getLogger(MyAccessDecisionManager.class);

    /* (non-Javadoc)
     * @see org.springframework.security.access.AccessDecisionManager#decide(org.springframework.security.core.Authentication, java.lang.Object, java.util.Collection)
     */
    @Override
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {     
        if (configAttributes == null) {
            return; //如果訪問資源不需要任何許可權則直接通過  
        }
        //所請求的資源擁有的許可權(一個資源對多個許可權)
        Iterator<ConfigAttribute> ite = configAttributes.iterator();
        while (ite.hasNext()) {
            ConfigAttribute ca = ite.next();
            String needRole = ((SecurityConfig) ca).getAttribute();
            // ga 為使用者所被賦予的許可權。 needRole 為訪問相應的資源應該具有的許可權。
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                logger.info("該資源所需要的許可權是:"+needRole +",當前使用者的許可權是:"+ ga.getAuthority());
                if (needRole.trim().equals(ga.getAuthority().trim())) {
                    return;
                }
            }
        }
        logger.info("許可權不足,無法訪問!");
        throw new AccessDeniedException("不允許訪問!");
    }

    /* (non-Javadoc)
     * @see org.springframework.security.access.AccessDecisionManager#supports(org.springframework.security.access.ConfigAttribute)
     */
    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.access.AccessDecisionManager#supports(java.lang.Class)
     */
    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }

}

MyFilterSecurityInterceptor

/**
 * copyright by liukai
 */
package com.maven.security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;


public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter{

    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    /**
     * @return the securityMetadataSource
     */
    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return securityMetadataSource;
    }

    /**
     * @param securityMetadataSource the securityMetadataSource to set
     */
    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
        this.securityMetadataSource = securityMetadataSource;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.access.intercept.AbstractSecurityInterceptor#getSecureObjectClass()
     */
    @Override
    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.access.intercept.AbstractSecurityInterceptor#obtainSecurityMetadataSource()
     */
    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return securityMetadataSource;
    }

    /* (non-Javadoc)
     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    /* (non-Javadoc)
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
         FilterInvocation fi = new FilterInvocation(request, response, chain);
         invoke(fi);
    }

    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        InterceptorStatusToken token = super.beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            super.afterInvocation(token, null);
        }
    }

    /* (non-Javadoc)
     * @see javax.servlet.Filter#destroy()
     */
    @Override
    public void destroy() {

    }

}

MySecurityMetadataSource

/**
 * copyright by liukai
 */
package com.maven.security;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.stereotype.Service;
import org.springframework.util.AntPathMatcher;

import com.maven.auth.service.AuthService;

@Service("mySecurityMetadataSource")
public class MySecurityMetadataSource implements FilterInvocationSecurityMetadataSource{

    private final static Logger logger = LoggerFactory.getLogger(MySecurityMetadataSource.class);

    private static Map<String, Collection<ConfigAttribute>> resourceMap = null;

     public MySecurityMetadataSource(AuthService authService) {
        //查詢所有資源路徑和角色
        List<Map<String,Object>> resourceRoles = authService.findAllResourceAndRole();
        //根據URL組裝許可權Map key為URL,集合為許可權集合
        resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
        for(Map<String,Object> resourceRole :resourceRoles) {
            ConfigAttribute ca = new SecurityConfig((String) resourceRole.get("CODE"));
            String url = (String) resourceRole.get("PATH");
            if (resourceMap.containsKey(url)) {
                Collection<ConfigAttribute> value = resourceMap.get(url);
                value.add(ca);
                resourceMap.put(url, value);
            } else {
                Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
                atts.add(ca);
                resourceMap.put(url, atts);
            }
        }
     }

    /* (non-Javadoc)
     * @see org.springframework.security.access.SecurityMetadataSource#getAttributes(java.lang.Object)
     */
    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        // object 是一個URL,被使用者請求的url。
        String url = ((FilterInvocation) object).getRequestUrl();

        int firstQuestionMarkIndex = url.indexOf("?");
        if (firstQuestionMarkIndex != -1) {
            url = url.substring(0, firstQuestionMarkIndex);
        }
        Iterator<String> ite = resourceMap.keySet().iterator();
        AntPathMatcher matcher = new AntPathMatcher();
        matcher.setTrimTokens(false);
        while (ite.hasNext()) {
            String resURL = ite.next();
            if (matcher.match(resURL, url)) {
                logger.info("資源配置URL為"+resURL+"請求的URL為:"+url);
                return resourceMap.get(resURL);
            }
        }
        return null;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.access.SecurityMetadataSource#getAllConfigAttributes()
     */
    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        // TODO Auto-generated method stub
        return null;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.access.SecurityMetadataSource#supports(java.lang.Class)
     */
    @Override
    public boolean supports(Class<?> clazz) {
        // TODO Auto-generated method stub
        return true;
    }

}

MyUserDetailsService


package com.maven.security;

import java.util.ArrayList;
import java.util.List;

import javax.transaction.Transactional;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import com.maven.auth.dao.UserDao;
import com.maven.auth.entity.Role;
import com.maven.auth.entity.User;

@Transactional
@Service("myUserDetailsService")
public class MyUserDetailsService implements UserDetailsService{

    @Autowired
    private UserDao userDao;

    /* (non-Javadoc)
     * @see org.springframework.security.core.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = this.userDao.findByUsername(username);
        if(user==null) {
            throw new UsernameNotFoundException("使用者"+username+"不存在!");
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        List<Role> roles = user.getRoles();
        for(Role role:roles) {
            authorities.add(new SimpleGrantedAuthority(role.getCode()));
        }
        UserDetails userDetails = new org.springframework.security.core.userdetails.User(user.getUsername(),user.getPassword(),authorities);
        return userDetails;
    }

}

相關推薦

spring boot spring security使用資料庫儲存許可權

WebSecurityConfig package com.maven; import javax.sql.DataSource; import org.springframework.beans.factory.annotation.Autowire

Spring Boot使用MongoDB資料庫實戰

 一 MongoDB簡介 MongoDB是一個基於分散式檔案儲存的資料庫,它是一個介於關係資料庫和非關係資料庫之間的產品,其主要目標是在鍵/值儲存方式(提供了高效能和高度伸縮性)和傳統的RDBMS系統(具有豐富的功能)之間架起一座橋樑,它集兩者的優勢於一身。 MongoDB支援

Spring Boot使用Redis資料庫實戰

一 新增依賴 <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>

Spring Boot使用MongoDB資料庫

我們在網際網路產品中經常會用到另外一款著名的NoSQL資料庫MongoDB。 下面就來簡單介紹一下MongoDB,並且通過一個例子來介紹Spring Boot中對MongoDB訪問的配置和使用。 MongoDB簡介 MongoDB是一個基於分散式檔案儲存的資料庫,它

spring bootspring security實現單點登入,傳統模式(一)

單點登入是什麼? 一個系統中可能會引用別的很多系統。單點登入就是解決,一次登入,就可以訪問所有的系統。 每次瀏覽器向一個域名傳送http請求,會去查詢域名的cookie資訊拼接到http的header中傳送到伺服器。 cookie不能跨域。這個域是瀏覽器請求的域名,哪怕他們都是訪問一

Spring Boot引入HBase資料庫

使用HBase API對資料庫的基本操作,包括建立表、查詢表資料等。 1、HBase配置 pom.xml <!-- Apache HBase Client --> <dependency> <groupId>org.apache.hbase&

spring boot Spring data jpa數據庫表字段命名策略

_id -s ber data 駝峰命名 org body strategy 命名 spring boot 中Spring data jpa命名策略 數據庫,表字段命名是駝峰命名法(UserID),Spring data jpa 自動更新之後是 user_id, 表字段不對

spring-bootspring.jackson.date-format失效及解決辦法

spring-boot 版本 <parent> <groupId>org.sp

Spring Boot使用Spring Security實現許可權控制

Spring Boot框架我們前面已經介紹了很多了,相信看了前面的部落格的小夥伴對Spring Boot應該有一個大致的瞭解了吧,如果有小夥伴對Spring Boot尚不熟悉,可以先移步這裡從SpringMVC到Spring Boot,老司機請略過。OK,那我們

企業分布式微服務雲SpringCloud SpringBoot mybatis (六)Spring Boot使用Spring Security進行安全控制

spring ron public 控制 應用 app ebs cloud 來源 準備工作 首先,構建一個簡單的Web工程,以用於後續添加安全控制,也可以用之前Chapter3-1-2做為基礎工程。若對如何使用Spring Boot構建Web應用,可以先閱讀《Spring

Spring Boot使用Spring Security實現權限控制

unicode then add sta spa 攔截器 nco throw views Spring Boot框架我們前面已經介紹了很多了,相信看了前面的博客的小夥伴對Spring Boot應該有一個大致的了解了吧,如果有小夥伴對Spring Boot尚不熟悉

spring bootsecurity安全退出如何跳轉指定頁面,iframe與安全器相容性問題

分享一下這這次專案中自己學到的一些東西(還沒學完,技術很菜,寫的有問題希望大家指出來,希望大家可以一起學習,一起努力)       在WebSecurityConfig中配置:        http.log

Spring Boot使用JdbcTemplate訪問資料庫

一 資料來源的配置 1 pom中引入JDBC的支援 <dependency> <groupId>org.springframework.boot</groupI

Spring Boot使用Spring Security進行安全控制

一 點睛 我們在編寫Web應用時,經常需要對頁面做一些安全控制,比如:對於沒有訪問許可權的使用者需要轉到登入表單頁面。要實現訪問控制的方法多種多樣,可以通過Aop、攔截器實現,也可以通過框架實現(如:Apache Shiro、Spring Security)。 本篇將具體

Spring Boot使用使用Spring Security和JWT

 目標 1.Token鑑權 2.Restful API 3.Spring Security+JWT 開始 自行新建Spring Boot工程 引入相關依賴 <dependency> <groupId>org.springfr

Spring boot java.util.Date 在json、資料庫之間格式的相互轉換

首先使用springboot開發網站時,經常會涉及到日期的形式,那麼在程式碼中使用java.util.Date來轉化為json格式的字串,應該怎樣轉化呢?將Date型別存入資料庫有應該怎樣實現呢? Date與json的相互轉換 實現Date轉換為json格

Spring Boot整合Spring Security並自定義驗證程式碼

最終效果 1、實現頁面訪問許可權限制 2、使用者角色區分,並按照角色區分頁面許可權 3、實現在資料庫中儲存使用者資訊以及角色資訊 4、自定義驗證程式碼 效果如下: 1、免驗證頁面 2、登陸頁面 在使用者未登入時,訪問任意有

Spring Boot引入Neo4j圖形資料庫

建立節點(node),查詢節點,為了好的展示效果,對關係(relation)的處理後續再說。 1、Neo4j配置 pom.xml <dependency> <groupId>org.springframework.boot</groupId>

Spring Boot使用Spring Security自定義驗證

因為網上關於這個springboot+security自定義驗證有好多寫的有點雜亂,在仿寫的過程中總是出現莫名其妙的bug,所以專門寫一篇最基礎的出來。 本篇還是使用熟悉的springboot+mybatis+thymeleaf來搭最基礎的架構,當然不用資

Spring boot 整合Spring Security過程的出現的關於Session scope的異常排查及解決方案

背景介紹 最近做的一個專案,其一需要用到Spring 的oauth認證功能, 其二需要對spring 的ContextRefreshedEvent 這個事件進行監聽,實現一部分自定義註解的功能(具體功能不作贅述),本來以為毫不相關的兩個功能,卻出現了一些意料之