Embedding an RBAC data model in Spring Security
1. Introduction
Role-Based Access Control (RBAC) has attracted wide attention as a promising replacement for the traditional access-control models (discretionary and mandatory access control). In RBAC, permissions are attached to roles, and a user obtains a role's permissions by becoming a member of that role. This greatly simplifies permission management. Within an organization, roles are created to carry out various kinds of work; users are assigned roles according to their responsibilities and qualifications, and a user can easily be moved from one role to another. A role can be granted new permissions as requirements change or systems are merged, and a permission can be revoked from a role when it is no longer needed. Relationships between roles can also be defined to cover a wider range of real-world situations.
2. Integration flow for the authorization front-end pages
3. Code
Create a new module, authorize:
pom.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>com.city.security</groupId>
        <artifactId>city-security</artifactId>
        <version>1.0.0-SNAPSHOT</version>
    </parent>
    <artifactId>city-security-authorize</artifactId>
    <dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
        </dependency>
    </dependencies>
</project>
```

RbacService
```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;

public interface RbacService {
    boolean hasPermission(HttpServletRequest request, Authentication authentication);
}
```

RbacServiceImpl

```java
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;

@Component("rbacService")
public class RbacServiceImpl implements RbacService {

    // AntPathMatcher is a plain utility class, not a Spring bean, so it is
    // instantiated directly rather than injected with @Autowired.
    private final AntPathMatcher antPathMatcher = new AntPathMatcher();

    @Override
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        Object principal = authentication.getPrincipal();
        boolean hasPermission = false;
        if (principal instanceof UserDetails) {
            // The principal carries the user details that were loaded from the database
            String username = ((UserDetails) principal).getUsername();
            // Read the URL patterns this user is allowed to access
            // (to be loaded from the RBAC tables for `username`; left empty here)
            Set<String> urls = new HashSet<String>();
            for (String url : urls) {
                if (antPathMatcher.match(url, request.getRequestURI())) {
                    hasPermission = true;
                    break;
                }
            }
        }
        return hasPermission;
    }
}
```

Modify DemoAuthorizeConifgProvider:
```java
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.stereotype.Component;

@Component
@Order(Integer.MAX_VALUE) // applied last
public class DemoAuthorizeConifgProvider implements AuthorizeConfigProvider {

    @Override
    public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
        System.out.println("---DemoAuthorizeConifgProvider------");
        // Every request not matched earlier is decided by RbacService.hasPermission()
        config.anyRequest().access("@rbacService.hasPermission(request,authentication)");
    }
}
```

Adjusting the order with @Order:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.stereotype.Component;

// Configures the paths that are permitAll
@Component
@Order(Integer.MIN_VALUE) // applied first
public class CityAuthorizeConfigProvider implements AuthorizeConfigProvider {

    @Autowired
    private SecurityProperties securityProperties;

    @Override
    public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
        config.antMatchers("/static/**",
                "/page/login",
                "/page/failure",
                "/page/mobilePage",
                "/code/image",
                "/code/sms",
                "/authentication/mobile",
                securityProperties.getBrower().getSignUPUrl(),
                "/user/register",
                "/page/registerPage",
                "/page/invalidSession",
                "/page/logoutSuccess",
                securityProperties.getBrower().getSignOutUrl())
              .permitAll();
    }
}
```
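The hasPermission() above leaves the user's URL set empty. The following is an added example, not code from the original post or its project, showing what the RBAC data model behind that lookup looks like once it is filled in: the user_role and role_permission relations are represented as in-memory maps holding constructed sample data, a permission is an HTTP method plus an Ant URL pattern, and the request is matched against the servlet path rather than the full request URI. RbacService is assumed to be the interface defined above; the class name InMemoryRbacService and the sample users and roles are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.util.AntPathMatcher;

/**
 * Illustrative RBAC lookup behind hasPermission(): user -> roles -> permissions.
 * The two maps stand in for the user_role and role_permission join tables that a
 * real implementation would query; all data in them is constructed for the example.
 */
public class InMemoryRbacService implements RbacService {

    /** A permission is an HTTP method ("*" for any) plus an Ant URL pattern. */
    static final class Permission {
        final String method;
        final String pattern;
        Permission(String method, String pattern) {
            this.method = method;
            this.pattern = pattern;
        }
    }

    private final AntPathMatcher matcher = new AntPathMatcher();

    // user_role: username -> role names (constructed sample data)
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    // role_permission: role name -> permissions (constructed sample data)
    private final Map<String, List<Permission>> rolePermissions = new HashMap<>();

    public InMemoryRbacService() {
        userRoles.put("alice", new HashSet<>(Arrays.asList("ROLE_ADMIN")));
        userRoles.put("bob", new HashSet<>(Arrays.asList("ROLE_USER")));
        rolePermissions.put("ROLE_USER", Arrays.asList(
                new Permission("GET", "/user/*"),      // one path segment only
                new Permission("GET", "/order/**")));  // any depth
        rolePermissions.put("ROLE_ADMIN", Arrays.asList(
                new Permission("*", "/admin/**"),
                new Permission("*", "/user/**")));
    }

    @Override
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        if (authentication == null || !(authentication.getPrincipal() instanceof UserDetails)) {
            return false; // anonymous or unexpected principal type: deny
        }
        String username = ((UserDetails) authentication.getPrincipal()).getUsername();
        // Match on the servlet path: getRequestURI() still contains the context path
        // ("/app/admin/x"), so every pattern would silently fail to match when the
        // application is not deployed at "/".
        String path = request.getServletPath();
        String method = request.getMethod();

        for (String role : userRoles.getOrDefault(username, Collections.emptySet())) {
            for (Permission p : rolePermissions.getOrDefault(role, Collections.emptyList())) {
                boolean methodAllowed = "*".equals(p.method) || p.method.equalsIgnoreCase(method);
                if (methodAllowed && matcher.match(p.pattern, path)) {
                    return true;
                }
            }
        }
        return false; // default deny: no role grants this method + path
    }
}
```

With this data, bob is allowed GET /user/profile but denied POST /user/profile (method mismatch) and GET /admin/users (no matching role), while alice is allowed any method on /admin/** and /user/**. The @Order values on the two providers matter because Spring Security requires anyRequest() to be the last rule in the registry and rejects an antMatchers() registered after it, so the permitAll provider must run first and the catch-all @rbacService provider last.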
4. Method-level control expressions
- Enable the configuration for method annotations

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    // ... the rest of the security configuration
}
```
2. The four method annotations: @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter
- Usage
@PreAuthorize is suited to checking permissions before the method is entered:

```java
import java.security.Principal;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseBody;

@PreAuthorize("hasRole('ROLE_ADMIN')")
@GetMapping("/admin")
@ResponseBody
public Object admin(Principal principal) {
    return principal;
}

// #username refers to the method parameter of the same name
@PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER') and principal.username.equals(#username)")
@GetMapping("/test/{username}")
@ResponseBody
public Object test(@PathVariable String username) {
    return "Hello test";
}
```

@PostAuthorize checks permissions after the method has run, which suits checks that depend on the return value:

```java
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.web.bind.annotation.GetMapping;

// returnObject stands for the object returned by the method
@PostAuthorize("returnObject.username.equals(principal.username)")
@GetMapping("/demo2")
public Object demo2() {
    User user = new User("lzc", "lzc",
            AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
    return user;
}
```

@PreFilter filters a collection-typed parameter, and @PostFilter filters a collection-typed return value; they are used in the same way as the two annotations above.
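The post says @PreFilter and @PostFilter are used like the two annotations above but shows no code for them. The following is an added example, not taken from the original post, of a service that uses both together with @PreAuthorize. Document and DocumentService are constructed classes for the example; filterObject is the SpEL name Spring Security binds to each collection element, and authentication.name is the caller's username. It assumes @EnableGlobalMethodSecurity(prePostEnabled = true) as configured above.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

/** Constructed domain object; the getters are what the SpEL expressions read. */
class Document {
    private final long id;
    private final String owner;

    Document(long id, String owner) {
        this.id = id;
        this.owner = owner;
    }

    public long getId() { return id; }
    public String getOwner() { return owner; }
}

@Service
public class DocumentService {

    // Constructed in-memory store standing in for a repository.
    private final List<Document> store = new ArrayList<>();

    /**
     * @PreFilter runs before the method body: each element of the collection
     * argument is bound to filterObject and dropped unless the expression is true.
     * A caller may submit documents claiming any owner; only those owned by the
     * caller reach the body. With more than one collection parameter, name the
     * one to filter with filterTarget.
     */
    @PreFilter("filterObject.owner == authentication.name")
    public int saveAll(List<Document> docs) {
        store.addAll(docs);
        return docs.size(); // number of documents actually accepted after filtering
    }

    /**
     * @PostFilter runs after the method body: elements of the returned collection
     * are removed unless the expression holds. A plain user only sees their own
     * documents; an admin sees all of them. The filter mutates the returned list,
     * so the method must return a mutable copy, never an unmodifiable view.
     */
    @PostFilter("hasRole('ROLE_ADMIN') or filterObject.owner == authentication.name")
    public List<Document> findAll() {
        return new ArrayList<>(store);
    }

    /** @PreAuthorize guards the whole call; #id refers to the method parameter. */
    @PreAuthorize("hasRole('ROLE_ADMIN') or @documentService.isOwner(#id, authentication.name)")
    public void delete(long id) {
        store.removeIf(d -> d.getId() == id);
    }

    /** Ownership check referenced from the @PreAuthorize expression by bean name. */
    public boolean isOwner(long id, String username) {
        return store.stream().anyMatch(d -> d.getId() == id && d.getOwner().equals(username));
    }
}
```

Two points worth keeping in mind: @PostFilter filters in memory after the full result has been produced, so it protects a small in-memory list well but is not a substitute for scoping a database query; and because it removes elements from the returned collection in place, returning Collections.unmodifiableList() or List.of() from a @PostFilter method fails at runtime.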
Reposted from: https://www.cnblogs.com/charlypage/p/10813914.html