In a dream I enter the jade tower, cold beneath the moon; I walk past stone trees, frozen and without smoke

Spring Security authorization

controller

AdminController.java

package com.example.dome.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Served under /admin/api/index; the security config restricts /admin/api/** to ROLE_ADMIN
@RestController
@RequestMapping("/admin/api")
public class AdminController {
    @GetMapping("index")
    public String index() {
        return "hello, admin";
    }
}

UserController.java

package com.example.dome.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Served under /user/api/index; the security config restricts /user/api/** to ROLE_USER
@RestController
@RequestMapping("/user/api")
public class UserController {
    @GetMapping("index")
    public String index() {
        return "hello, user";
    }
}

AppController.java

package com.example.dome.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Served under /app/api/index; the security config marks /app/api/** as permitAll()
@RestController
@RequestMapping("/app/api")
public class AppController {
    @GetMapping("index")
    public String index() {
        return "hello, app";
    }
}

configuration

WebSecurityConfig.java

package com.example.dome.configuration;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests()
                // Matchers are evaluated in order and the first match wins, so the most specific rules go first.
                .antMatchers("/admin/api/**").hasRole("ADMIN")   // needs authority ROLE_ADMIN (prefix added by hasRole)
                .antMatchers("/user/api/**").hasRole("USER")     // needs authority ROLE_USER
                .antMatchers("/app/api/**").permitAll()          // public, no login required
                .anyRequest().authenticated()                    // catch-all: everything else needs a logged-in session
                .and()
                .formLogin();
    }
}

The configuration above defines three access levels: administrator, user and anonymous. `/admin/api/**` requires the ADMIN role and `/user/api/**` the USER role, so both need a login; `/app/api/**` is `permitAll()`, so the anonymous "app" area is open to everyone; every other URL needs an authenticated session. Two details matter in practice. First, `hasRole("ADMIN")` checks for the granted authority `ROLE_ADMIN`: the `ROLE_` prefix is added for you, and `roles("ADMIN")` on the user builder adds the same prefix. Second, the matchers are tried in order and the first match wins, and a pattern that never matches the real URL (for example `/user/aip/**` instead of `/user/api/**`) does not fail loudly: the request simply falls through to `anyRequest().authenticated()`, so any logged-in account reaches the endpoint regardless of its role. Keep that in mind when reading the original observation: visiting localhost:8080/user/api/index shows that Spring Boot's auto-configured account is named `user` (its random password is printed in the startup log), but on Spring Boot 2 that account carries no roles unless `spring.security.user.roles` is set, so with a correctly spelled `hasRole("USER")` rule it is refused with 403.

HTTP status codes are defined by the HTTP/1.1 specification (RFC 2616, now superseded by RFC 9110) and consist of three digits: 2xx means the request succeeded, 3xx means a redirect, 4xx a client-side failure and 5xx a server-side error. For this configuration the codes to recognise are 200 when the rule allows the request, 302 to the login page when an unauthenticated request hits a protected path (the form-login entry point redirects rather than returning a bare 401), and 403 when the caller is logged in but lacks the required role.
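The status codes above are easy to check mechanically. The following MockMvc test is an added example, not code from the original post or the linked project; it assumes the three controllers and the security configuration shown above are on the classpath together with `spring-boot-starter-test` and `spring-security-test` (the class name `AuthorizationMatrixTest` is hypothetical). The last test is the one that catches a misspelled `/user/api/**` matcher: with the typo, an ADMIN-only account gets 200 instead of 403 because the request falls through to `anyRequest().authenticated()`.

```java
package com.example.dome;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical test class (added example, not part of the original post).
@SpringBootTest
@AutoConfigureMockMvc
class AuthorizationMatrixTest {

    @Autowired
    private MockMvc mvc;

    // permitAll(): no session, no credentials, still 200.
    @Test
    void anonymousCanReadPublicEndpoint() throws Exception {
        mvc.perform(get("/app/api/index")).andExpect(status().isOk());
    }

    // Not logged in + formLogin(): the entry point answers 302 to the login page,
    // not a bare 401. A non-browser client must treat that redirect as "unauthenticated".
    @Test
    void anonymousIsSentToLoginForProtectedEndpoint() throws Exception {
        mvc.perform(get("/user/api/index"))
           .andExpect(status().isFound())
           .andExpect(redirectedUrlPattern("**/login"));
    }

    // Logged in but without ROLE_ADMIN: 403, the request was understood and refused.
    @Test
    @WithMockUser(roles = "USER")
    void userIsForbiddenOnAdminEndpoint() throws Exception {
        mvc.perform(get("/admin/api/index")).andExpect(status().isForbidden());
    }

    // @WithMockUser(roles = "USER") grants the authority ROLE_USER, which hasRole("USER") checks.
    @Test
    @WithMockUser(roles = "USER")
    void userCanReadUserEndpoint() throws Exception {
        mvc.perform(get("/user/api/index")).andExpect(status().isOk());
    }

    // An account holding only ROLE_ADMIN must not pass hasRole("USER").
    // If the /user/api/** matcher is misspelled, the request falls through to
    // anyRequest().authenticated() and this test sees 200 instead of 403.
    @Test
    @WithMockUser(roles = "ADMIN")
    void adminWithoutUserRoleIsForbiddenOnUserEndpoint() throws Exception {
        mvc.perform(get("/user/api/index")).andExpect(status().isForbidden());
    }
}
```

Run it with `mvn test` or `gradle test`; because `@WithMockUser` populates the security context directly, the tests do not depend on which users or password encoder the application defines.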

Multiple users

WebSecurityConfig.java (InMemoryUserDetailsManager)

package com.example.dome.configuration;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests()
                // First match wins: keep the specific role rules above the permitAll() and the catch-all.
                .antMatchers("/admin/api/**").hasRole("ADMIN")   // needs authority ROLE_ADMIN
                .antMatchers("/user/api/**").hasRole("USER")     // needs authority ROLE_USER
                .antMatchers("/app/api/**").permitAll()          // public, no login required
                .anyRequest().authenticated()                    // everything else needs a logged-in session
                .and()
                .formLogin();
    }

    // Defining this bean replaces Spring Boot's auto-configured single "user" account.
    @Bean
    public UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager inMemoryUserDetailsManager = new InMemoryUserDetailsManager();
        // roles("USER") stores the authority ROLE_USER, matching hasRole("USER") above.
        inMemoryUserDetailsManager.createUser(User.withUsername("user").password("123").roles("USER").build());
        // admin gets both roles so it can reach /user/api/** as well as /admin/api/**.
        inMemoryUserDetailsManager.createUser(User.withUsername("admin").password("123").roles("USER", "ADMIN").build());
        return inMemoryUserDetailsManager;
    }

    // Demo only: NoOpPasswordEncoder keeps passwords in plaintext and is deprecated for that reason.
    // Anything beyond a local experiment should use BCryptPasswordEncoder or the default DelegatingPasswordEncoder.
    @Bean
    public static PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
}

For multiple users in Spring Security, this example distinguishes three permission levels: administrator (admin), user (user) and anonymous/visitor (visitor). They can be backed by a database or declared in the Spring Security configuration class. For a project with a small, fixed set of roles like this one, it is simpler to declare them in the configuration than to build authorization on a database: first define the administrator and user accounts,

https://gitee.com/zhongshan_union/Zhongshan-computer-port-security-joint-public-testing-platform/blob/master/src/main/java/com/example/zhongce/WebSecurityConfig.java

then grant visitor access to the pages that should be public with `antMatchers(...).permitAll()`. This approach is also used by the open-source project 钟山计算机端口安全联合众测平台 (Zhongshan Computer Port Security Joint Public Testing Platform) linked above.
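The two `WebSecurityConfig` listings above target Spring Security 5, where `WebSecurityConfigurerAdapter` and `antMatchers` still exist; both are gone in Spring Security 6. The configuration below is an added example, not code from the original post or the linked project: it expresses the same three-tier policy and the same two accounts for Spring Boot 3 / Spring Security 6, using a `SecurityFilterChain` bean and `requestMatchers`, and replaces `NoOpPasswordEncoder` with BCrypt so the in-memory store holds hashes rather than plaintext. The package name and the demo credentials `user`/`admin` with password `123` are taken from the listings above; hashing them at startup is a demo shortcut, a real deployment stores precomputed hashes.

```java
package com.example.dome.configuration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Added example for Spring Boot 3 / Spring Security 6 (assumed versions), not the post's own listing.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Rules are evaluated top to bottom and the first match wins, so the specific
                // role checks come before permitAll() and before the catch-all.
                .requestMatchers("/admin/api/**").hasRole("ADMIN")   // authority ROLE_ADMIN
                .requestMatchers("/user/api/**").hasRole("USER")     // authority ROLE_USER
                .requestMatchers("/app/api/**").permitAll()          // public area
                // Deny-by-default catch-all. A misspelled pattern above never matches and lands here,
                // which is why this must stay authenticated() and never become permitAll().
                .anyRequest().authenticated())
            // permitAll() on the login page itself so an anonymous user can reach the form.
            .formLogin(form -> form.permitAll());
        return http.build();
    }

    // BCrypt with its default strength; each encode() call salts the hash, so two users with
    // the same password still get different stored values.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Same two demo accounts as the original listing, now stored as BCrypt hashes.
    // Demo credentials (constructed): user/123 with ROLE_USER, admin/123 with ROLE_USER and ROLE_ADMIN.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("user")
                .password(encoder.encode("123"))
                .roles("USER")
                .build());
        manager.createUser(User.withUsername("admin")
                .password(encoder.encode("123"))
                .roles("USER", "ADMIN")
                .build());
        return manager;
    }
}
```

The behaviour visible from a browser is unchanged: `/app/api/index` answers 200 without a login, a logged-out request to `/user/api/index` is redirected to `/login`, and `user` gets 403 on `/admin/api/index` while `admin` reaches both areas.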
