返回
热点新闻
新旧版本SpringSecurity使用对比
2023-07-06 12:01  浏览:1413  搜索引擎搜索“手机闹展网”
温馨提示:信息一旦丢失不一定找得到,请务必收藏信息以备急用!本站所有信息均是注册会员发布如遇到侵权请联系文章中的联系方式或客服删除!
联系我时,请说明是在手机闹展网看到的信息,谢谢。
展会发布 展会网站大全 报名观展合作 软文发布

1 SpringSecurity新旧版本使用

前不久Spring Boot 2.7.0 刚刚发布,Spring Security 也升级到了5.7.1 。升级后发现,原来一直在用的Spring Security配置方法,居然已经被弃用了,今天带大家体验下Spring Security的最新用法,看看是不是够优雅!

1.1 基本使用

我们先对比下Spring Security提供的基本功能登录认证,来看看新版用法是不是更好。

1.1.1 升级版本

首先修改项目的pom.xml文件,把Spring Boot版本升级至2.7.0版本。

<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.7.0</version> <relativePath/> <!-- lookup parent from repository --> </parent>

1.1.2 旧用法

Spring Boot 2.7.0 之前的版本中,我们需要写个配置类继承WebSecurityConfigurerAdapter,然后重写Adapter中的三个方法进行配置;

@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class OldSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UmsAdminService adminService; @Override protected void configure(HttpSecurity httpSecurity) throws Exception { //省略HttpSecurity的配置 } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService()) .passwordEncoder(passwordEncoder()); } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } }

如果你在SpringBoot 2.7.0版本中进行使用的话,就会发现WebSecurityConfigurerAdapter已经被弃用了,看样子Spring Security要坚决放弃这种用法了!




image.png

1.1.3 新用法

新用法非常简单,无需再继承WebSecurityConfigurerAdapter,只需直接声明配置类,再配置一个生成SecurityFilterChainBean的方法,把原来的HttpSecurity配置移动到该方法中即可。

@Configuration public class SecurityConfig { @Bean SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception { //省略HttpSecurity的配置 return httpSecurity.build(); } }

新用法感觉非常简洁干脆,避免了继承WebSecurityConfigurerAdapter并重写方法的操作

1.2 高级使用

升级 Spring Boot 2.7.0版本后,Spring Security对于配置方法有了大的更改,那么其他使用有没有影响呢?其实是没啥影响的,这里再聊聊如何使用Spring Security实现动态权限控制!

1.2.1 基于方法的动态权限

首先来聊聊基于方法的动态权限控制,这种方式虽然实现简单,但却有一定的弊端。

在配置类上使用@EnableGlobalMethodSecurity来开启它;

@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class OldSecurityConfig extends WebSecurityConfigurerAdapter { }

然后在方法中使用@PreAuthorize配置访问接口需要的权限;

@Controller @Api(tags = "PmsProductController", description = "商品管理") @RequestMapping("/product") public class PmsProductController { @Autowired private PmsProductService productService; @ApiOperation("创建商品") @RequestMapping(value = "/create", method = RequestMethod.POST) @ResponseBody @PreAuthorize("hasAuthority('pms:product:create')") public CommonResult create(@RequestBody PmsProductParam productParam, BindingResult bindingResult) { int count = productService.create(productParam); if (count > 0) { return CommonResult.success(count); } else { return CommonResult.failed(); } } }

再从数据库中查询出用户所拥有的权限值设置到UserDetails对象中去,这种做法虽然实现方便,但是把权限值写死在了方法上,并不是一种优雅的做法。

@Service public class UmsAdminServiceImpl implements UmsAdminService { @Override public UserDetails loadUserByUsername(String username){ //获取用户信息 UmsAdmin admin = getAdminByUsername(username); if (admin != null) { List<UmsPermission> permissionList = getPermissionList(admin.getId()); return new AdminUserDetails(admin,permissionList); } throw new UsernameNotFoundException("用户名或密码错误"); } }

1.2.2 基于路径的动态权限

其实每个接口对应的路径都是唯一的,通过路径来进行接口的权限控制才是更优雅的方式。

首先我们需要创建一个动态权限的过滤器,这里注意下doFilter方法,用于配置放行OPTIONS和白名单请求,它会调用super.beforeInvocation(fi)方法,此方法将调用AccessDecisionManager中的decide方法来进行鉴权操作;

public class DynamicSecurityFilter extends AbstractSecurityInterceptor implements Filter { @Autowired private DynamicSecuritymetadataSource dynamicSecuritymetadataSource; @Autowired private IgnoreUrlsConfig ignoreUrlsConfig; @Autowired public void setMyAccessDecisionManager(DynamicAccessDecisionManager dynamicAccessDecisionManager) { super.setAccessDecisionManager(dynamicAccessDecisionManager); } @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) servletRequest; FilterInvocation fi = new FilterInvocation(servletRequest, servletResponse, filterChain); //OPTIONS请求直接放行 if(request.getMethod().equals(HttpMethod.OPTIONS.toString())){ fi.getChain().doFilter(fi.getRequest(), fi.getResponse()); return; } //白名单请求直接放行 PathMatcher pathMatcher = new AntPathMatcher(); for (String path : ignoreUrlsConfig.getUrls()) { if(pathMatcher.match(path,request.getRequestURI())){ fi.getChain().doFilter(fi.getRequest(), fi.getResponse()); return; } } //此处会调用AccessDecisionManager中的decide方法进行鉴权操作 InterceptorStatusToken token = super.beforeInvocation(fi); try { fi.getChain().doFilter(fi.getRequest(), fi.getResponse()); } finally { super.afterInvocation(token, null); } } @Override public void destroy() { } @Override public Class<?> getSecureObjectClass() { return FilterInvocation.class; } @Override public SecuritymetadataSource obtainSecuritymetadataSource() { return dynamicSecuritymetadataSource; } }

接下来我们就需要创建一个类来继承AccessDecisionManager,通过decide方法对访问接口所需权限和用户拥有的权限进行匹配,匹配则放行;

public class DynamicAccessDecisionManager implements AccessDecisionManager { @Override public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException { // 当接口未被配置资源时直接放行 if (CollUtil.isEmpty(configAttributes)) { return; } Iterator<ConfigAttribute> iterator = configAttributes.iterator(); while (iterator.hasNext()) { ConfigAttribute configAttribute = iterator.next(); //将访问所需资源或用户拥有资源进行比对 String needAuthority = configAttribute.getAttribute(); for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) { if (needAuthority.trim().equals(grantedAuthority.getAuthority())) { return; } } } throw new AccessDeniedException("抱歉,您没有访问权限"); } @Override public boolean supports(ConfigAttribute configAttribute) { return true; } @Override public boolean supports(Class<?> aClass) { return true; } }

由于上面的decide方法中的configAttributes属性是从FilterInvocationSecuritymetadataSourcegetAttributes方法中获取的,我们还需创建一个类继承它,getAttributes方法可用于获取访问当前路径所需权限值;

public class DynamicSecuritymetadataSource implements FilterInvocationSecuritymetadataSource { private static Map<String, ConfigAttribute> configAttributeMap = null; @Autowired private DynamicSecurityService dynamicSecurityService; @PostConstruct public void loadDataSource() { configAttributeMap = dynamicSecurityService.loadDataSource(); } public void clearDataSource() { configAttributeMap.clear(); configAttributeMap = null; } @Override public Collection<ConfigAttribute> getAttributes(Object o) throws IllegalArgumentException { if (configAttributeMap == null) this.loadDataSource(); List<ConfigAttribute> configAttributes = new ArrayList<>(); //获取当前访问的路径 String url = ((FilterInvocation) o).getRequestUrl(); String path = URLUtil.getPath(url); PathMatcher pathMatcher = new AntPathMatcher(); Iterator<String> iterator = configAttributeMap.keySet().iterator(); //获取访问该路径所需资源 while (iterator.hasNext()) { String pattern = iterator.next(); if (pathMatcher.match(pattern, path)) { configAttributes.add(configAttributeMap.get(pattern)); } } // 未设置操作请求权限,返回空集合 return configAttributes; } @Override public Collection<ConfigAttribute> getAllConfigAttributes() { return null; } @Override public boolean supports(Class<?> aClass) { return true; } }

这里需要注意的是,所有路径对应的权限值数据来自于自定义的DynamicSecurityService

public interface DynamicSecurityService { Map<String, ConfigAttribute> loadDataSource(); } 一切准备就绪,把动态权限过滤器添加到FilterSecurityInterceptor之前; @Configuration public class SecurityConfig { @Autowired private DynamicSecurityService dynamicSecurityService; @Autowired private DynamicSecurityFilter dynamicSecurityFilter; @Bean SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception { //省略若干配置... //有动态权限配置时添加动态权限校验过滤器 if(dynamicSecurityService!=null){ registry.and().addFilterBefore(dynamicSecurityFilter, FilterSecurityInterceptor.class); } return httpSecurity.build(); } }

如果你看过这篇仅需四步,整合SpringSecurity+JWT实现登录认证 ! 的话,就知道应该要配置这两个Bean了,一个负责获取登录用户信息,另一个负责获取存储的动态权限规则,为了适应Spring Security的新用法,我们不再继承SecurityConfig,简洁了不少

@Configuration public class MallSecurityConfig { @Autowired private UmsAdminService adminService; @Bean public UserDetailsService userDetailsService() { //获取登录用户信息 return username -> { AdminUserDetails admin = adminService.getAdminByUsername(username); if (admin != null) { return admin; } throw new UsernameNotFoundException("用户名或密码错误"); }; } @Bean public DynamicSecurityService dynamicSecurityService() { return new DynamicSecurityService() { @Override public Map<String, ConfigAttribute> loadDataSource() { Map<String, ConfigAttribute> map = new ConcurrentHashMap<>(); List<UmsResource> resourceList = adminService.getResourceList(); for (UmsResource resource : resourceList) { map.put(resource.getUrl(), new org.springframework.security.access.SecurityConfig(resource.getId() + ":" + resource.getName())); } return map; } }; } }

1.3 效果测试

接下来启动我们的示例项目mall-tiny-security,使用如下账号密码登录,该账号只配置了访问/brand/listAll的权限,访问地址:http://localhost:8088/swagger-ui/




image.png

然后把返回的token放入到Swagger的认证头中;





image.png

当我们访问有权限的接口时可以正常获取到数据;





image.png

当我们访问没有权限的接口时,返回没有访问权限的接口提示。





image.png

转载于:https://mp.weixin.qq.com/s/zUjao08IPW8KirEJhy2YlA

展开全文+
使用手机闹展网APP查看详情
发布人:3f1a****    IP:117.173.23.***     举报/删稿
打赏
展会推荐
- MORE -
让朕来说2句
评论
收藏
点赞
转发