spring-boot: 2.1.4.RELEASE
spring-security-oauth3: 2.3.3.RELEASE (If you want to use the source code, do not change this version number at will, because The writing method from 2.4 up is different)
mysql: 5.7
Only postman is used for testing here, and the front-end page is not used for docking yet. Next There will be a page display for the permission allocation of the version role menu
1. Access the open interface http://localhost:7000/open/hello
2 . Access the protected interface http://localhost:7000/admin/user/info
@PostConstruct
public void init(){
super.setAuthenticationManager(authenticationManager);
super.setAccessDecisionManager(myAccessDecisionManager);
}Custom filter calls security metadata Source @Override
public SecurityMetadataSource obtainSecurityMetadataSource() {
return this.mySecurityMetadataSource;
} Let’s first look at the core code of the custom filter calling the secure metadata sourceThe following code is used to obtain the permissions (roles) required for the current request to come in
/**
* 获得当前请求所需要的角色
* @param object
* @return
* @throws IllegalArgumentException
*/
@Override
public Collection getAttributes(Object object) throws IllegalArgumentException {
String requestUrl = ((FilterInvocation) object).getRequestUrl();
if (IS_CHANGE_SECURITY) {
loadResourceDefine();
}
if (requestUrl.indexOf("?") > -1) {
requestUrl = requestUrl.substring(0, requestUrl.indexOf("?"));
}
UrlPathMatcher matcher = new UrlPathMatcher();
List Let’s take a look at the core code of the custom access decision manager. This code is mainly used to determine whether the currently logged in user (the role owned by the currently logged in user will be written in the last item) has the permission role@Override
public void decide(Authentication authentication, Object o, Collection configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
if(configAttributes == null){ //属于白名单的,不需要权限
return;
}
Iterator iterator = configAttributes.iterator();
while (iterator.hasNext()){
ConfigAttribute configAttribute = iterator.next();
String needPermission = configAttribute.getAttribute();
for (GrantedAuthority ga: authentication.getAuthorities()) {
if(needPermission.equals(ga.getAuthority())){ //有权限,可访问
return;
}
}
}
throw new AccessDeniedException("没有权限访问");
} 2. Customize authentication exceptions to return common results Why is this needed? If this is not configured, it will be difficult for the front end and the back end to understand the content returned by the authentication failure. It is not possible yet. Unified interpretation, without further ado, let’s first look at the return situation without configuration and configuration (1) Before customization, when accessing the protected API interface without a token, the returned result is as follows ’s
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.authenticationEntryPoint(authenticationEntryPoint) //token失效或没携带token时
.accessDeniedHandler(requestAccessDeniedHandler); //权限不足时
}
protected User user;
public SecurityUser(User user) {
this.user = user;
}
public User getUser() {
return user;
}In BaseController, each Controller will Inheriting this, we write the getUser() method in it. As long as the user brings a token to access, we can directly obtain the information of the currently logged in user. protected User getUser() {
try {
SecurityUser userDetails = (SecurityUser) SecurityContextHolder.getContext().getAuthentication()
.getPrincipal();
User user = userDetails.getUser();
log.debug("【用户:】:" + user);
return user;
} catch (Exception e) {
}
return null;
}So after the user logs in successfully, how to get the user The role collection, etc., here we need to implement the UserDetailsService interface
@Service
public class TokenUserDetailsService implements UserDetailsService{
@Autowired
private LoginService loginService;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = loginService.loadUserByUsername(username); //这个我们拎出来处理
if(Objects.isNull(user))
throw new UsernameNotFoundException("用户名不存在");
return new SecurityUser(user);
}
}Then set the UserDetailsService in our security configuration class to the one we wrote above
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}Finally we only need to implement our method in loginService, and judge whether the user exists based on our actual business processing, etc.@Override
public User loadUserByUsername(String username){
log.debug(username);
Map map = new HashMap();
map.put("username",username);
map.put("is_deleted",-1);
User user = userMapper.findByUsername(map);
if(user != null){
map = new HashMap();
map.put("user_id",user.getUser_id());
//查询用户的角色
List userRoles = userRoleMapper.findAll(map);
user.setRoles(listRoles(userRoles));
//权限集合
Collection authorities = merge(userRoles);
user.setAuthorities(authorities);
return user;
}
return null;
} The database file is in this
The above is the detailed content of How does SpringBoot integrate SpringSecurityOauth2 to implement dynamic permission issues for authentication?. For more information, please follow other related articles on the PHP Chinese website!