spring security自定義權限配置

    最近在項目中遇到了關於spring security的問題，所以學習一下。

需要引入依賴：

       <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>4.2.3.RELEASE</version>
            <exclusions>
                <exclusion>
                    <groupId>org.springframework</groupId>
                    <artifactId>spring-web</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>4.2.3.RELEASE</version>
            <exclusions>
                <exclusion>
                    <groupId>org.springframework</groupId>
                    <artifactId>spring-web</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

用戶身份認證：

自定義一個實現類MUserDetailsService來實現UserDetailsService接口。

其中需要實現一個loadUserByUsername方法，用來讀取用戶的角色。
在這裏需要從數據庫中通過用戶名來查詢用戶的信息和用戶所屬的角色
其中MGrantedAuthority實現了GrantedAuthority接口，用於構建用戶權限。
MUserDeatils實現了UserDeatils接口，用於存放用戶信息與權限。

UserDetailsService在身份認證中的作用：

    Spring Security中進行身份驗證的是AuthenticationManager接口，ProviderManager是它的一個默認實現，但它並不用來處理身份認證，而是委託給配置好的AuthenticationProvider，每個AuthenticationProvider會輪流檢查身份認證。檢查後或者返回Authentication對象或者拋出異常。驗證身份就是加載響應的UserDetails，看看是否和用戶輸入的賬號、密碼、權限等信息匹配。此步驟由實現AuthenticationProvider的DaoAuthenticationProvider（它利用UserDetailsService驗證用戶名、密碼和授權）處理。包含 GrantedAuthority 的 UserDetails對象在構建 Authentication對象時填入數據。

CasUserDetailService.class中的loadUserByUsername方法 

@Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        //查詢用戶信息
        AdminUser adminUser = adminUserService.getUserByLoginName(username);

        if (adminUser == null) {
            throw new UsernameNotFoundException("不是新應用管理平臺的用戶!請聯繫管理員添加權限!");
        }
        //構建權限
        Collection<GrantedAuthority> grantedAuthorities = new HashSet<>();

        // 每位同學都默認擁有的角色
        grantedAuthorities.add(new SimpleGrantedAuthority(SecurityConstant.ROLE_COMMON));
        //查詢用戶角色
        List<AdminUserRole> roles = this.adminUserService.getUserRoles(adminUser.getId());

        if (CollectionUtils.isNotEmpty(roles)) {
            for (AdminUserRole ur : roles) {
                GrantedAuthority ga = new SimpleGrantedAuthority(SecurityConstant.ROLE_NAME_PREFIX + ur.getRoleId());
                grantedAuthorities.add(ga);
            }
        }

        return new User(adminUser.getUserName(), StringUtils.EMPTY, grantedAuthorities);
    }

SimpleGrantedAuthority.class

public final class SimpleGrantedAuthority implements GrantedAuthority {
    private static final long serialVersionUID = 420L;
    private final String role;

    public SimpleGrantedAuthority(String role) {
        Assert.hasText(role, "A granted authority textual representation is required");
        this.role = role;
    }

    public String getAuthority() {
        return this.role;
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        } else {
            return obj instanceof SimpleGrantedAuthority ? this.role.equals(((SimpleGrantedAuthority)obj).role) : false;
        }
    }

    public int hashCode() {
        return this.role.hashCode();
    }

    public String toString() {
        return this.role;
    }
}

CasUserDeatils.class

實現UserDetails接口定義好變量。

讀取資源與所屬角色

需要自定義實現類實現FilterInvocationSecurityMetadataSource接口。通過loadResourceDefine方法可以實現資源與權限的對應關係。

要使我們自定義的MFilterInvocationSecurityMetadataSource生效，我們還需要定義一個MyFilterSecurityInterceptor類。
這裏的數據需要從數據庫中取得。另外自定義接口UrlMatcher，實現類爲AntUrlPathMatcher。

MFilterInvocationSecurityMetadataSource.class

@Component
    public class MFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
    @Autowired
    public IRescAndRoleService iRescAndRoleService ;
    @Autowired
    private IUserService iUserService ;
    private UrlMatcher urlMatcher = new AntUrlPathMatcher();
    // 資源權限集合
    private static Map<String, Collection<ConfigAttribute>> resourceMap = null;
    public void loadResourceDefine(){
        resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
        //取得用戶信息
        List<User> userList = iUserService.query();
       //取得資源與角色列表
        List<RescAndRole> resourceList = iRescAndRoleService.query();
        System.out.println(resourceList);
        for (RescAndRole resource : resourceList) {
            Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
            atts.add(new SecurityConfig(resource.getRoleName() ));
            resourceMap.put(resource.getResString(), atts);
        }
    }
    @Override
    public Collection<ConfigAttribute> getAttributes(Object o) throws IllegalArgumentException {
        loadResourceDefine();//防止無法注入問題
        // guess object is a URL.
        String url = ((FilterInvocation) o).getRequestUrl();
        Iterator<String> ite = resourceMap.keySet().iterator();
        while (ite.hasNext()) {
            String resURL = ite.next();
            if (urlMatcher.pathMatchesUrl(resURL, url)) {
                return resourceMap.get(resURL);
            }
        }
        return null;
    }
    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }
    @Override
    public boolean supports(Class<?> aClass) {
        return true;
    }
}

AntUrlPathMatcher.class

public class AntUrlPathMatcher implements UrlMatcher {

    private boolean requiresLowerCaseUrl;
    private PathMatcher pathMatcher;

    public AntUrlPathMatcher() {
        this(true);
    }

    public AntUrlPathMatcher(boolean requiresLowerCaseUrl) {
        this.requiresLowerCaseUrl = true;
        this.pathMatcher = new AntPathMatcher();

        this.requiresLowerCaseUrl = requiresLowerCaseUrl;
    }

    public Object compile(String path) {
        if (this.requiresLowerCaseUrl) {
            return path.toLowerCase();
        }
        return path;
    }

    public void setRequiresLowerCaseUrl(boolean requiresLowerCaseUrl) {
        this.requiresLowerCaseUrl = requiresLowerCaseUrl;
    }

    public boolean pathMatchesUrl(Object path, String url) {
        if (("/**".equals(path)) || ("**".equals(path))) {
            return true;
        }
        return this.pathMatcher.match((String) path, url);
    }

    public String getUniversalMatchPattern() {
        return "/**";
    }

    public boolean requiresLowerCaseUrl() {
        return this.requiresLowerCaseUrl;
    }

    public String toString() {
        return super.getClass().getName() + "[requiresLowerCase='"
                + this.requiresLowerCaseUrl + "']";
    }
}

MyFilterSecurityInterceptor.class

public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor
        implements Filter {
    private FilterInvocationSecurityMetadataSource securityMetadataSource;
    
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        FilterInvocation fi = new FilterInvocation(request, response, chain);
        invoke(fi);
    }

    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    public Class<? extends Object> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    public void invoke(FilterInvocation fi) throws IOException,
            ServletException {
        InterceptorStatusToken token = super.beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            super.afterInvocation(token, null);
        }
    }

    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    public void setSecurityMetadataSource(
            FilterInvocationSecurityMetadataSource newSource) {
        this.securityMetadataSource = newSource;
    }

    public void destroy() {
    }

    public void init(FilterConfig arg0) throws ServletException {
    }

}

決策管理器

自定義一個決策管理器MyAccessDecisionManager實現AccessDecisionManager接口。其中的decide方法，決定某一個用戶是否有權限訪問某個url

/* (non-Javadoc)
     * @see org.springframework.security.access.AccessDecisionManager#decide(org.springframework.security.core.Authentication, java.lang.Object, java.util.Collection)
     * 該方法決定該權限是否有權限訪問該資源，其實object就是一個資源的地址，authentication是當前用戶的
     * 對應權限，如果沒登陸就爲遊客，登陸了就是該用戶對應的權限
     */
    @Override
    public void decide(Authentication authentication, Object object,
                       Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        if(configAttributes == null) {
            return;
        }
        System.out.println(object.toString()); // object is a URL.
        //所請求的資源擁有的權限(一個資源對多個權限)
        Iterator<ConfigAttribute> iterator = configAttributes.iterator();
        while(iterator.hasNext()) {
            ConfigAttribute configAttribute = iterator.next();
            //訪問所請求資源所需要的權限
            String needPermission = configAttribute.getAttribute();
            System.out.println("訪問"+object.toString()+"需要的權限是：" + needPermission);
            //用戶所擁有的權限authentication
            Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
            for(GrantedAuthority ga : authorities) {
                if(needPermission.equals(ga.getAuthority())) {
                    return;
                }
            }
        }
        //沒有權限
        throw new AccessDeniedException(" 沒有權限訪問！ ");
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        // TODO Auto-generated method stub
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        // TODO Auto-generated method stub
        return true;
    }

配置XML

添加Seucrity的過濾器，將攔截所有資源訪問

注意

    只能配置成 /*
    

    <!--加載Security配置文件與mybatis配置文件-->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            WEB-INF/config/security.xml
            WEB-INF/config/spring-mybatis.xml
        </param-value>
    </context-param>
    
    <!-- spring security 的過濾器配置 -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

spring-security.xml

<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">


    <!--登陸頁面不驗證-->
    <http pattern="/userLogin.html" security="none" />
    <!--靜態文件請求不驗證-->
    <http pattern="/js/**" security="none" />
    <http pattern="/css/**" security="none" />
    <!--restful請求-->
    <http pattern="/login" security="none" />
    <http pattern="/getGrid" security="none" />
    <!--瀏覽器會自動請求網站圖標：favicon.ico -不驗證  -->
    <http pattern="/favicon.ico" security="none" />
    <http >

        <!--自定義權限不足時顯示的頁面-->
        <access-denied-handler error-page="/accessHint.html"></access-denied-handler>
        <!-- 自定義登錄界面 -->
        <form-login
                authentication-failure-url="/userLogin.html?error=true"
                login-page="/userLogin.html"
                default-target-url="/index.html"
                login-processing-url="/j_spring_security_check" />
        <logout invalidate-session="true"
                logout-success-url="/userLogin.html"
                logout-url="/j_spring_security_logout"/>
        <!-- 通過配置custom-filter來增加過濾器，before="FILTER_SECURITY_INTERCEPTOR"表示在SpringSecurity默認的過濾器之前執行。 -->
        <custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />
        <csrf disabled="true" />

    </http>

    <!-- 認證過濾器 -->
    <b:bean id="filterSecurityInterceptor"
                class="com.hand.security.utils.MyFilterSecurityInterceptor">
        <b:property name="rejectPublicInvocations" value="true"/>
        <!-- 用戶擁有的權限 -->
        <b:property name="accessDecisionManager" ref="accessDecisionManager" />
        <!-- 用戶是否擁有所請求資源的權限 -->
        <b:property name="authenticationManager" ref="authenticationManager" />
        <!-- 資源與權限對應關係 -->
        <b:property name="securityMetadataSource" ref="securityMetadataSource" />
    </b:bean>

    <!-- 2、更改驗證信息加載方式 -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider
                user-service-ref="mUserDetailsService">
            <!--如果用戶的密碼採用加密的話 <password-encoder hash="md5" /> -->
        </authentication-provider>
    </authentication-manager>

    <!-- 1、配置自定義類MUserDetailsService -->
    <b:bean id="mUserDetailsService" class="com.hand.security.service.impl.MUserDetailsService" />

    <!--訪問決策器，決定某個用戶具有的角色，是否有足夠的權限去訪問某個資源 -->
    <b:bean id="accessDecisionManager" class="com.hand.security.utils.MyAccessDecisionManager"></b:bean>

    <!--資源源數據定義，將所有的資源和權限對應關係建立起來，即定義某一資源可以被哪些角色訪問 -->
    <b:bean id="securityMetadataSource" class="com.hand.security.utils.MFilterInvocationSecurityMetadataSource" ></b:bean>

</b:beans>

 

參考：https://segmentfault.com/a/1190000010232638