SpringSecurity-授权示例


用户基于权限进行授权

定义用户与权限

通过 User 构建器的 authorities() 方法为用户分配权限。

package com.cms.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * @author: coffee
 * @date: 2024/6/27 20:33
 * @description: ...
 */
@Configuration
public class UserConfig {

    /**
     * Registers the two in-memory users that the authority-based examples rely on:
     * "john" holds the READ authority and "jane" the WRITE authority.
     *
     * @return an {@link InMemoryUserDetailsManager} containing both demo users
     */
    @Bean
    public UserDetailsService userDetailsService () {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();

        // Plain authority strings with no "ROLE_" prefix, so these are authorities, not roles.
        manager.createUser(demoUser("john", "READ"));
        manager.createUser(demoUser("jane", "WRITE"));

        return manager;
    }

    /**
     * Password encoder for the demo users.
     * <p>
     * {@link NoOpPasswordEncoder} compares and stores the password in clear text and is
     * deprecated in Spring Security; it is only suitable for a local example such as this
     * one, where every user shares the literal password "123456".
     *
     * @return the no-op encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder () {
        return NoOpPasswordEncoder.getInstance();
    }

    /**
     * Builds one demo user with the shared sample password and a single authority.
     *
     * @param username  login name
     * @param authority authority string granted to the user
     * @return the built user details
     */
    private static UserDetails demoUser(String username, String authority) {
        return User.withUsername(username)
                .password("123456")
                .authorities(authority)
                .build();
    }

}

权限维度授权配置

package com.cms.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author: coffee
 * @date: 2024/6/27 20:37
 * @description: 基于用户权限限制所有端点的访问
 */
@Configuration
public class ProjectConfig extends WebSecurityConfigurerAdapter {

    /**
     * Restricts every endpoint to authenticated users holding the WRITE or READ authority,
     * with HTTP Basic as the authentication mechanism.
     * <p>
     * The condition a user must satisfy can be expressed three ways:
     * {@code hasAuthority()}, {@code hasAnyAuthority()} and {@code access()}.
     * {@link WebSecurityConfigurerAdapter} is deprecated as of Spring Security 5.7 and
     * removed in 6.x; newer projects expose a {@code SecurityFilterChain} bean instead.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure (HttpSecurity httpSecurity) throws Exception {
        // permitAll() would lift the credential requirement entirely, so the endpoint
        // could be called without a username/password:  curl http://localhost:8080/hello
        //   httpSecurity.authorizeRequests().anyRequest().permitAll();

        // hasAuthority("WRITE") admits only jane; john (READ) receives a 403.
        //   httpSecurity.authorizeRequests().anyRequest().hasAuthority("WRITE");

        // hasAnyAuthority: either authority suffices, so both john and jane are admitted.
        // and() steps back from the HTTP Basic configurer to the HttpSecurity builder.
        httpSecurity
                .httpBasic()
                .and()
                .authorizeRequests()
                .anyRequest()
                .hasAnyAuthority("WRITE", "READ");

        // access() builds the rule from a SpEL expression and is the most flexible option,
        // but it is harder to read and debug; use it only when hasAuthority/hasAnyAuthority
        // cannot express the rule.
    }
}

用户基于角色进行授权

定义用户与角色

通过 User 构建器的 roles() 方法为用户分配角色(无需手动添加 ROLE_ 前缀)。

package com.cms.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * @author: coffee
 * @date: 2024/6/27 20:33
 * @description: ...
 */
@Configuration
public class UserConfig {

    /**
     * Registers the two in-memory users that the role-based examples rely on:
     * "john" carries ROLE_ADMIN and "jane" carries ROLE_MANAGER.
     *
     * @return an {@link InMemoryUserDetailsManager} containing both demo users
     */
    @Bean
    public UserDetailsService userDetailsService () {
        InMemoryUserDetailsManager store = new InMemoryUserDetailsManager();

        // authorities(): with the "ROLE_" prefix the GrantedAuthority now represents a role.
        // roles() adds the prefix itself, so the equivalent form is
        //   User.withUsername("john").password("123456").roles("ADMIN").build();
        UserDetails admin = User.withUsername("john")
                .password("123456")
                .authorities("ROLE_ADMIN")
                .build();

        // Equivalent via roles():
        //   User.withUsername("jane").password("123456").roles("MANAGER").build();
        UserDetails manager = User.withUsername("jane")
                .password("123456")
                .authorities("ROLE_MANAGER")
                .build();

        store.createUser(admin);
        store.createUser(manager);

        return store;
    }

    /**
     * Password encoder for the demo users.
     * <p>
     * {@link NoOpPasswordEncoder} keeps the password in clear text and is deprecated in
     * Spring Security; it only fits a local example like this one, where the password is
     * the literal "123456" shown above.
     *
     * @return the no-op encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder () {
        return NoOpPasswordEncoder.getInstance();
    }

}

角色维度授权配置

package com.cms.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author: coffee
 * @date: 2024/6/27 20:37
 * @description: 基于用户角色限制所有端点的访问
 */
@Configuration
public class ProjectConfig extends WebSecurityConfigurerAdapter {

    /**
     * Restricts every endpoint to authenticated users holding the ADMIN or MANAGER role,
     * with HTTP Basic as the authentication mechanism.
     * <p>
     * The condition a user must satisfy can be expressed three ways:
     * {@code hasRole()}, {@code hasAnyRole()} and {@code access()}.
     * {@link WebSecurityConfigurerAdapter} is deprecated as of Spring Security 5.7 and
     * removed in 6.x; newer projects expose a {@code SecurityFilterChain} bean instead.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure (HttpSecurity httpSecurity) throws Exception {
        // permitAll() would lift the credential requirement entirely, so the endpoint
        // could be called without a username/password:  curl http://localhost:8080/hello
        //   httpSecurity.authorizeRequests().anyRequest().permitAll();

        // hasRole() names the role allowed to reach the endpoint; note the "ROLE_" prefix
        // is not written here.
        //   httpSecurity.authorizeRequests().anyRequest().hasRole("ADMIN");

        // hasAnyRole: a user with either the ADMIN or the MANAGER role is admitted.
        // and() steps back from the HTTP Basic configurer to the HttpSecurity builder.
        httpSecurity
                .httpBasic()
                .and()
                .authorizeRequests()
                .anyRequest()
                .hasAnyRole("ADMIN", "MANAGER");

        // access() builds the rule from a SpEL expression and is the most flexible option,
        // but it is harder to read and debug; use it only when hasRole/hasAnyRole cannot
        // express the rule.
    }
}

