Spring Boot（九）整合Spring Security实现动态权限控制

我就是我 2023-06-25 03:09 59阅读 0赞

### 文章目录 ###

*   *  Spring Security简介
     *  项目结构
     *  Springboot中 Spring Security的使用
     *   *  引入依赖
     *  数据库表设计
     *  application.yml配置信息
     *  spirngsecurity核心配置类
     *  查询用户权限核心mapper
     *  UserDetails
     *  设置springboot自定义错误页面
     *  订单测试OrderController
     *  启动类：SecurityApplication
     *  测试

## Spring Security简介 ##

> 安全框架，权限管理  
> [官方文档][Link 1]

## 项目结构 ##

![在这里插入图片描述][20191227133330734.png]

## Springboot中 Spring Security的使用 ##

### 引入依赖 ###

<dependencies>
            
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-security</artifactId>
            </dependency>
            
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-freemarker</artifactId>
            </dependency>
            <dependency>
                <groupId>mysql</groupId>
                <artifactId>mysql-connector-java</artifactId>
                <version>${ mysql.version}</version>
            </dependency>
            
            <dependency>
                <groupId>com.alibaba</groupId>
                <artifactId>druid-spring-boot-starter</artifactId>
                <version>${ druid.version}</version>
            </dependency>
            <dependency>
                <groupId>org.mybatis.spring.boot</groupId>
                <artifactId>mybatis-spring-boot-starter</artifactId>
                <version>${ mybatis.version}</version>
            </dependency>
        </dependencies>

核心依赖为:

<dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-security</artifactId>
            </dependency>

## 数据库表设计 ##

总共五张表：  
权限表、用户表、角色表、用户角色表、角色权限表  
![在这里插入图片描述][2019122713530112.png]

## application.yml配置信息 ##

server:
      port: 8011
      servlet:
        context-path: /shopping-security
    spring:
      application:
        name: shopping-security
    
      freemarker:
        # 设置模板后缀名
        suffix: .ftl
        # 设置文档类型
        content-type: text/html
        # 设置页面编码格式
        charset: UTF-8
        # 设置页面缓存
        cache: false
        # 设置ftl文件路径
        template-loader-path:
          - classpath:/templates
        request-context-attribute: request
        # 设置静态文件路径，js,css等
    
      mvc:
        static-path-pattern: /static/** datasource: url: jdbc:mysql://127.0.0.1:3306/security?useUnicode=true&characterEncoding=utf-8&useSSL=true&serverTimezone=UTC username: root password: 123456 # druid 连接池 type: com.alibaba.druid.pool.DruidDataSource driver-class-name: com.mysql.jdbc.Driver

## spirngsecurity核心配置类 ##

*  SpringSecurityConf

@Component
    @EnableWebSecurity
    @Slf4j
    public class SpringSecurityConf extends WebSecurityConfigurerAdapter { 
    
        @Autowired
        private PermissionMapper permissionMapper;
        @Autowired
        private MyUserDetailService myUserDetailService;
    
    
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception { 
            auth.userDetailsService(myUserDetailService).passwordEncoder(new PasswordEncoder() { 
    
                @Override
                public boolean matches(CharSequence rawPassword, String encodedPassword) { 
                    String encode = MD5Util.encode((String) rawPassword);
                    encodedPassword=encodedPassword.replace("\r\n", "");
                    boolean result = encodedPassword.equals(encode);
                    return result;
                }
                @Override
                public String encode(CharSequence rawPassword) { 
                    return MD5Util.encode((String) rawPassword);
                }
            });
        }
    
    
        /** * * @param http * @throws Exception * */
        @Override
        protected void configure(HttpSecurity http) throws Exception { 
            //查询所有权限,动态权限认证
            List<Permission> permissions = permissionMapper.findAllPermission();
            ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests = http
                    .authorizeRequests();
            permissions.forEach(permission ->
            { 
                log.info("获取权限为" + permission.getPermTag());
                authorizeRequests.antMatchers(permission.getUrl()).hasAnyAuthority(permission.getPermTag());
            });
            authorizeRequests.
                    antMatchers("/login").permitAll().// 登录跳转 URL 无需认证
                    antMatchers("/**").
                    fullyAuthenticated().
                    and().
                    formLogin()//表单认证
                    .loginPage("/login").
                    and().csrf().disable();
        }
    
    
    
    
    }

*  MyUserDetailService

package com.zou.security.service;
    
    import com.zou.security.mapper.UserMapper;
    import com.zou.security.module.Permission;
    import com.zou.security.module.User;
    import lombok.extern.slf4j.Slf4j;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Component;
    import org.springframework.stereotype.Service;
    import org.springframework.util.ObjectUtils;
    
    import java.util.ArrayList;
    import java.util.List;
    
    /** * @author WH * @version 1.0 * @date 2019/12/26 20:01 */
    @Component
    @Slf4j
    public class MyUserDetailService implements UserDetailsService { 
        @Autowired
        private UserMapper userMapper;
    
        /** * 认证 用户登入会先被拦截到这个页面 * @param username * @return * @throws UsernameNotFoundException */
        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { 
            //根据用户名查询用户信息
            User user = userMapper.findByUsername(username);
            if (ObjectUtils.isEmpty(user)) { 
                log.info("用户" + username +"不存在");
                throw new UsernameNotFoundException("用户不存在");
            }
            //查询用户权限
            List<GrantedAuthority> authorities = new ArrayList<>();
            List<Permission> permissions = userMapper.findPermissionByUsername(username);
            permissions.forEach(permission ->
                    authorities.add(new SimpleGrantedAuthority(permission.getPermTag())));
            //设置用户权限
            user.setAuthorities(authorities);
            return user;
    
    
        }
    }

## 查询用户权限核心mapper ##

*  UserMapper

package com.zou.security.mapper;
    
    import com.zou.security.module.Permission;
    import com.zou.security.module.User;
    import org.apache.ibatis.annotations.Param;
    import org.apache.ibatis.annotations.Select;
    
    import java.util.List;
    
    public interface UserMapper { 
    
    	/** * 查询用户信息 * @param userName * @return */
    	@Select(" select * from sys_user where username = #{userName}")
    	User findByUsername(@Param("userName") String userName);
    
    
    	/** * 查询用户的权限 * @param userName * @return */
    	@Select(" select permission.* from sys_user user" + " inner join sys_user_role user_role"
    			+ " on user.id = user_role.user_id inner join "
    			+ "sys_role_permission role_permission on user_role.role_id = role_permission.role_id "
    			+ " inner join sys_permission permission on role_permission.perm_id = permission.id where user.username = #{userName};")
    	List<Permission> findPermissionByUsername(@Param("userName") String userName);
    }

*  PermissionMapper

package com.zou.security.mapper;
    
    import com.zou.security.module.Permission;
    import org.apache.ibatis.annotations.Select;
    
    import java.util.List;
    
    public interface PermissionMapper { 
    
    	@Select(" select * from sys_permission ")
    	List<Permission> findAllPermission();
    
    }

## UserDetails ##

*  user

package com.zou.security.module;
    
    import lombok.Data;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;
    
    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.Date;
    import java.util.List;
    
    /** * @author wh * @version 1.0 * @date 2019-12-25 10:04 */
    @Data
    public class User implements UserDetails { 
        /** * 主键 */
        private Integer id;
        /** * 用户名 */
        private String username;
        /** * 别名 */
        private String realname;
        /** *密码 */
        private String password;
        /** *创建时间 */
        private Date createDate;
        /** *最后登入时间 */
        private Date lastLoginTime;
        /** * */
        private boolean enabled;
        private boolean accountNonExpired;
        private boolean accountNonLocked;
        private boolean credentialsNonExpired;
        /** * 用户所有权限 */
        private List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
    
        /** * 封装了权限信息 * @return */
        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() { 
            return authorities;
        }
    
    }

## 设置springboot自定义错误页面 ##

*  WebServerAutoConfiguration

package com.zou.security.config;
    
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.server.ErrorPage;
    import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpStatus;
    
    /** * 自定义 WEB 服务器参数 可以配置默认错误页面 * @author WH * @version 1.0 * @date 2019/12/26 19:48 */
    @Configuration
    public class WebServerAutoConfiguration { 
    
        @Bean
        public ConfigurableServletWebServerFactory webServerFactory() { 
            TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
            ErrorPage errorPage400 = new ErrorPage(HttpStatus.BAD_REQUEST, "/error/400");
            ErrorPage errorPage401 = new ErrorPage(HttpStatus.UNAUTHORIZED, "/error/401");
            ErrorPage errorPage403 = new ErrorPage(HttpStatus.FORBIDDEN, "/error/403");
            ErrorPage errorPage404 = new ErrorPage(HttpStatus.NOT_FOUND, "/error/404");
            ErrorPage errorPage415 = new ErrorPage(HttpStatus.UNSUPPORTED_MEDIA_TYPE, "/error/415");
            ErrorPage errorPage500 = new ErrorPage(HttpStatus.INTERNAL_SERVER_ERROR, "/error/500");
            factory.addErrorPages(errorPage400, errorPage401, errorPage403, errorPage404, errorPage415, errorPage500);
            return factory;
        }
    
    }

*  ErrorController

package com.zou.security.controller;
    
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    
    /** * @author WH * @version 1.0 * @date 2019/12/26 19:47 */
    @Controller
    public class ErrorController { 
    
    	// 403权限不足页面
    	@RequestMapping("/error/403")
    	public String error() { 
    		return "/error/403";
    	}
    
    }

## 订单测试OrderController ##

package com.zou.security.controller;
    
    import com.zou.security.mapper.UserMapper;
    import com.zou.security.module.User;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.ResponseBody;
    
    /** * @author WH * @version 1.0 * @date 2019/12/26 19:47 */
    @Controller
    public class OrderController { 
    
        @Autowired
        private UserMapper userMapper;
        // 首页
        @RequestMapping("/")
        public String index() { 
            return "index";
        }
    
        // 查询订单
        @RequestMapping("/showOrder")
        public String showOrder() { 
            return "showOrder";
        }
    
        // 添加订单
        @RequestMapping("/addOrder")
        public String addOrder() { 
            return "addOrder";
        }
    
        // 修改订单
        @RequestMapping("/updateOrder")
        public String updateOrder() { 
            return "updateOrder";
        }
    
        // 删除订单
        @RequestMapping("/deleteOrder")
        public String deleteOrder() { 
            return "deleteOrder";
        }
    
        // 自定义登陆页面
        @GetMapping("/login")
        public String login() { 
            return "login";
        }
    
    
    
        @RequestMapping("/findUser")
        @ResponseBody
        public User findUser(String userName) { 
            return userMapper.findByUsername(userName);
        }
    }

## 启动类：SecurityApplication ##

*  SecurityApplication

package com.zou.security;
    
    import org.mybatis.spring.annotation.MapperScan;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    
    /** * @author wh * @version 1.0 * @date 2019-12-25 9:37 */
    @SpringBootApplication
    @MapperScan("com.zou.security.mapper")
    public class SecurityApplication { 
    
    
        public static void main(String[] args) { 
            SpringApplication.run(SecurityApplication.class, args);
        }
    }

## 测试 ##

访问： http://localhost:8011/shopping-security/login  
账号密码：user        123456  
![在这里插入图片描述][20191227133750639.png]

![在这里插入图片描述][20191227134254367.png]

访问查询订单，可以正常访问，访问删除订单，显示权限不足

\#\#项目源码  
[源码及SQL][SQL]

[Link 1]: https://spring.io/projects/spring-security#learn
[20191227133330734.png]: https://img-blog.csdnimg.cn/20191227133330734.png
[2019122713530112.png]: https://img-blog.csdnimg.cn/2019122713530112.png
[20191227133750639.png]: https://img-blog.csdnimg.cn/20191227133750639.png
[20191227134254367.png]: https://img-blog.csdnimg.cn/20191227134254367.png
[SQL]: https://github.com/weihubeats/springcloud-shopping-parent/tree/master/springcloud-shopping-security