springbootsecurity权限控制--@PreAuthorize的使⽤
1. 说明
security 鉴权⽅式常⽤的有两种配置,1、配置⽂件中配置;2、使⽤注解标注;他们都是基于 acess 表达式,如果需要⾃定义逻辑的鉴权认证,只需要⾃定义access 表达式即可。本⽂只选取注解的⽅式,来讲解默认的 access 和⾃定义的 access 表达式
2.基于注解的使⽤
2.1 使⽤前提条件:
注解默认不可⽤,通过开启注解:在配置类中开启注解 @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true) @Secured:专门判断⽤户是否具有⾓⾊,可以写在⽅法或类上,参数以 ROLE_ 开头
@PreAuthorize\PostAuthorize: PreAuthorize 访问的类或⽅法执⾏前判断权限,⽽ PostAuthorize 在执⾏之后,Post 基本不⽤;允许与 ROLE_ 开头。
2.2 基于默认的access表达式
在登录的时候,需要将⽤户权限返回给security;security才能实现权限控制功能;
具体步骤:
登录时,实现 UserDetailService,重写 loadUserByUsername(String userName)⽅法。根据 userName 来实现⾃⼰的业务逻辑返回 UserDetails 的实现类,需要⾃定义User 类实现 UserDetails,⽐较重要的⽅法是 getAuthorities(),⽤来返回该⽤户所拥有的权限
@Data
public class LoginUser implements UserDetails, Serializable {
...
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
// 根据⾃定义逻辑来返回⽤户权限,如果⽤户权限返回空或者和拦截路径对应权限不同,验证不通过
if (!permissions.isEmpty()) {
List<GrantedAuthority> list = new ArrayList<GrantedAuthority>();
for (String temp : permissions) {
GrantedAuthority au = new SimpleGrantedAuthority(temp);
list.add(au);
}
return list;
}
return null;
}
}
然后在需要权限控制的controller⽅法上,添加注解@PreAuthorize("hasAuthority('..*')");其中@PreAuthorize括号中就是access表达式。具体默认的有哪些请参考官⽹。@RestController
@RequestMapping("test")
public class TestController {
@Autowired
private ISysUserService userService;
@Autowired
private PermissionService permissionService;
@PreAuthorize("hasAuthority('*.*.*')")
@RequestMapping("userList")
public ResultVo queryUserList() {
List<SysUser> list = userService.list();
List<UserVo> result = list.stream().map(item -> UserInfo(item)).List());
return ResultVo.success(result);
}
}
2.3 ⾃定义access表达式
⾃定义权限认证业务逻辑,然后将该⽅法标注到注解上
package com.nanboone.framework.security.service;
import java.util.Set;
import com.nanboonemon.utils.ServletUtils;
import com.nanboone.framework.security.domain.LoginUser;
import com.ken.JwtTokenUtils;
import org.apachemons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.util.CollectionUtils;
/**
* AuthorityPermissionService:⾃定义access表达式,鉴权验证。
* 可以将⾃定义的access添加到配置类中:http.anyRequest.access(aps.hasPermission(xxx,xxx));
* 也可以直接使⽤注解@PreAuthorize:@PreAuthorize(aps.hasPermission(xxx));
*
* @Author: dangbo
* @Date: 2021/5/20 10:12
*/
@Service("aps")
public class AuthorityPermissionService {
@Autowired
JwtTokenUtils jwtTokenUtils;
public boolean hasPermission(String permissions) {
if (StringUtils.isEmpty(permissions)) {
return false;
}
// ⽤户信息对象
LoginUser loginUser = Request());
if (loginUser == null || CollectionUtils.Permissions())) {
return false;
}
Set<String> authorities = Permissions();
for (String permission : permissions.split(",")) {
if (StringUtils.isNotEmpty(permission) && hasPermissions(authorities, permission)) {
return true;
}
}
return false;
}
private boolean hasPermissions(Set<String> authorities, String permission) {
ains("*.*.*") || im());
}
}
@RestController
@RequestMapping("test")
public class TestController {
spring framework@Autowired
private ISysUserService userService;
@Autowired
private PermissionService permissionService;
@PreAuthorize("@aps.hasPermission('*.*.*')")
@RequestMapping("userList")
public ResultVo queryUserList() {
List<SysUser> list = userService.list();
List<UserVo> result = list.stream().map(item -> UserInfo(item)).List());        return ResultVo.success(result);
}
}

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。