歡迎來到Linux教程網
Linux教程網
Linux教程網
Linux教程網
您现在的位置: Linux教程網 >> UnixLinux >  >> Linux編程 >> Linux編程

自定義Spring Security權限控制管理(實戰篇)

上篇《Spring Security權限管理(源碼)雜談》介紹了Spring Security權限控制管理的源碼及實現,然而某些情況下,它默認的實現並不能滿足我們項目的實際需求,有時候需要做一些自己的實現,本次將圍繞上次的內容進行一次項目實戰。

實戰背景

背景描述

項目中需要做細粒的權限控制,細微至url + httpmethod (滿足restful,例如: https://.../xxx/users/1, 某些角色只能查看(HTTP GET), 而無權進行增改刪(POST, PUT, DELETE))。

表設計

為避嫌,只列出要用到的關鍵字段,其余敬請自行腦補。

  1. admin_user 管理員用戶表, 關鍵字段( id, role_id )。
  2. t_role 角色表, 關鍵字段( id, privilege_id )。
  3. t_privilege 權限表, 關鍵字段( id, url, method )

三個表的關聯關系就不用多說了吧,看字段一眼就能看出。

實現前分析

我們可以逆向思考:

要實現我們的需求,最關鍵的一步就是讓Spring Security的AccessDecisionManager來判斷所請求的url + httpmethod 是否符合我們數據庫中的配置。然而,AccessDecisionManager並沒有來判定類似需求的相關Voter, 因此,我們需要自定義一個Voter的實現(默認注冊的AffirmativeBased的策略是只要有Voter投出ACCESS_GRANTED票,則判定為通過,這也正符合我們的需求)。實現voter後,有一個關鍵參數(Collection attributes),ConfigAttribute根據不同的情況,所代表的語義不一樣。我們在此也需要實現。然而,Collection attributes參數由SecurityMetadataSource獲取,因此,我們還應該實現SecurityMetadataSource。眾所周知,在Spring Security中,當前用戶認證信息都是通過Authentication表示,因此,我們還應該讓Authentication包含用戶(admin)實例。Authentication同時還包含了用戶的權限信息(GrantedAuthority), 因此還應該實現GrantedAuthority。

總結一下思路步驟:

1.自定義voter實現。

2.自定義ConfigAttribute實現。

3.自定義SecurityMetadataSource實現。

4.Authentication包含用戶實例(這個其實不用說,大家應該都已經這麼做了)。

5.自定義GrantedAuthority實現。

項目實戰

1.自定義GrantedAuthority實現

UrlGrantedAuthority.java

public class UrlGrantedAuthority implements GrantedAuthority {

    private final String httpMethod;

    private final String url;

    public UrlGrantedAuthority(String httpMethod, String url) {
        this.httpMethod = httpMethod;
        this.url = url;
    }

    @Override
    public String getAuthority() {
        return url;
    }

    public String getHttpMethod() {
        return httpMethod;
    }

    public String getUrl() {
        return url;
    }

    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (o == null || getClass() != o.getClass()) return false;

        UrlGrantedAuthority target = (UrlGrantedAuthority) o;
        if (httpMethod.equals(target.getHttpMethod()) && url.equals(target.getUrl())) return true;
        return false;
    }

    @Override
    public int hashCode() {
        int result = httpMethod != null ? httpMethod.hashCode() : 0;
        result = 31 * result + (url != null ? url.hashCode() : 0);
        return result;
    }
}

2.自定義認證用戶實例

public class SystemUser implements UserDetails {

    private final Admin admin;

    private List<MenuOutput> menuOutputList;

    private final List<GrantedAuthority> grantedAuthorities;

    public SystemUser(Admin admin, List<AdminPrivilege> grantedPrivileges, List<MenuOutput> menuOutputList) {
        this.admin = admin;
        this.grantedAuthorities = grantedPrivileges.stream().map(it -> {
            String method = it.getMethod() != null ? it.getMethod().getLabel() : null;
            return new UrlGrantedAuthority(method, it.getUrl());
        }).collect(Collectors.toList());
        this.menuOutputList = menuOutputList;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return this.grantedAuthorities;
    }

    @Override
    public String getPassword() {
        return admin.getPassword();
    }

    @Override
    public String getUsername() {
        return null;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

    public Long getId() {
        return admin.getId();
    }

    public Admin getAdmin() {
        return admin;
    }

    public List<MenuOutput> getMenuOutputList() {
        return menuOutputList;
    }

    public String getSalt() {
        return admin.getSalt();
    }
}    

####3.自定義UrlConfigAttribute實現
public class UrlConfigAttribute implements ConfigAttribute {

    private final HttpServletRequest httpServletRequest;

    public UrlConfigAttribute(HttpServletRequest httpServletRequest) {
        this.httpServletRequest = httpServletRequest;
    }


    @Override
    public String getAttribute() {
        return null;
    }

    public HttpServletRequest getHttpServletRequest() {
        return httpServletRequest;
    }
}

4.自定義SecurityMetadataSource實現

public class UrlFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        final HttpServletRequest request = ((FilterInvocation) object).getRequest();
        Set<ConfigAttribute> allAttributes = new HashSet<>();
        ConfigAttribute configAttribute = new UrlConfigAttribute(request);
        allAttributes.add(configAttribute);
        return allAttributes;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

}

5.自定義voter實現

public class UrlMatchVoter implements AccessDecisionVoter<Object> {

    @Override
    public boolean supports(ConfigAttribute attribute) {
        if (attribute instanceof UrlConfigAttribute) return true;
        return false;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }

    @Override
    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        if(authentication == null) {
            return ACCESS_DENIED;
        }
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();

        for (ConfigAttribute attribute : attributes) {
            if (!(attribute instanceof UrlConfigAttribute)) continue;
            UrlConfigAttribute urlConfigAttribute = (UrlConfigAttribute) attribute;
            for (GrantedAuthority authority : authorities) {
                if (!(authority instanceof UrlGrantedAuthority)) continue;
                UrlGrantedAuthority urlGrantedAuthority = (UrlGrantedAuthority) authority;
                if (StringUtils.isBlank(urlGrantedAuthority.getAuthority())) continue;
                //如果數據庫的method字段為null,則默認為所有方法都支持
                String httpMethod = StringUtils.isNotBlank(urlGrantedAuthority.getHttpMethod()) ? urlGrantedAuthority.getHttpMethod()
                        : urlConfigAttribute.getHttpServletRequest().getMethod();
                //用Spring已經實現的AntPathRequestMatcher進行匹配,這樣我們數據庫中的url也就支持ant風格的配置了(例如:/xxx/user/**)        
                AntPathRequestMatcher antPathRequestMatcher = new AntPathRequestMatcher(urlGrantedAuthority.getAuthority(), httpMethod);
                if (antPathRequestMatcher.matches(urlConfigAttribute.getHttpServletRequest()))
                    return ACCESS_GRANTED;
            }
        }
        return ACCESS_ABSTAIN;
    }
}

6.自定義FilterSecurityInterceptor實現

public class UrlFilterSecurityInterceptor extends FilterSecurityInterceptor {

    public UrlFilterSecurityInterceptor() {
        super();
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        super.init(arg0);
    }

    @Override
    public void destroy() {
        super.destroy();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        super.doFilter(request, response, chain);
    }

    @Override
    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return super.getSecurityMetadataSource();
    }

    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return super.obtainSecurityMetadataSource();
    }

    @Override
    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource newSource) {
        super.setSecurityMetadataSource(newSource);
    }

    @Override
    public Class<?> getSecureObjectClass() {
        return super.getSecureObjectClass();
    }

    @Override
    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        super.invoke(fi);
    }

    @Override
    public boolean isObserveOncePerRequest() {
        return super.isObserveOncePerRequest();
    }

    @Override
    public void setObserveOncePerRequest(boolean observeOncePerRequest) {
        super.setObserveOncePerRequest(observeOncePerRequest);
    }
}

配置文件關鍵配置

<security:http>
    ...
    <security:custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />
</security:http>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="daoAuthenticationProvider"/>
</security:authentication-manager>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <constructor-arg>
        <list>
            <bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter" />
            <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />
            <bean id="urlMatchVoter" class="com.mobisist.app.security.access.voter.UrlMatchVoter" />
        </list>
    </constructor-arg>
</bean>

<bean id="securityMetadataSource" class="com.mobisist.app.security.access.UrlFilterInvocationSecurityMetadataSource" />

<bean id="filterSecurityInterceptor"
      class="com.mobisist.app.security.access.UrlFilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="securityMetadataSource" ref="securityMetadataSource" />
</bean>    

好啦,接下來享受你的Spring Security權限控制之旅吧。

更多Spring Security相關教程見以下內容

Spring Security 學習筆記  http://www.linuxidc.com/Linux/2016-10/135820.htm

Spring Security3.1高級詳細開發指南 PDF http://www.linuxidc.com/Linux/2016-05/131482.htm

Spring Security 學習之數據庫認證 http://www.linuxidc.com/Linux/2014-02/97407.htm

Spring Security 學習之LDAP認證 http://www.linuxidc.com/Linux/2014-02/97406.htm

Spring Security 學習之OpenID認證 http://www.linuxidc.com/Linux/2014-02/97405.htm

Spring Security 學習之X.509認證 http://www.linuxidc.com/Linux/2014-02/97404.htm

Spring Security 學習之HTTP基本認證和HTTP摘要認證 http://www.linuxidc.com/Linux/2014-02/97403.htm

Spring Security 學習之HTTP表單驗證 http://www.linuxidc.com/Linux/2014-02/97402.htm

Spring Security異常之You must provide a configuration attribute  http://www.linuxidc.com/Linux/2015-02/113364.htm

Spring Security 的詳細介紹:請點這裡
Spring Security 的下載地址:請點這裡 

Copyright © Linux教程網 All Rights Reserved