Shulou(Shulou.com)06/02 Report--

This article mainly explains "what is the meaning of access control in spring security". Interested friends may wish to have a look at it. The method introduced in this paper is simple, fast and practical. Let's let the editor take you to learn "what is the meaning of access control in spring security"?

When we log in at OAuth, we get the login token, and with this token, we have the ability to access some OAuth-protected interfaces. Specifically, you can take a look at my two blog posts, OAuth3.0 username, password login resolution, OAuth3.0 get the resolution of protected resources through token.

But now we have to distinguish the specific division of labor of these landing personnel, which interfaces belong to which landing personnel can access, which is necessary to use the authority control in spring security.

First, we need an object with permission.

/ * * permission ID * / @ Datapublic class SysPermission implements Serializable {private static final long serialVersionUID = 280565233032255804L; private Long id; / / permission id private String permission; / / specific permission private String name; / / permission name private Date createTime; private Date updateTime;}

Corresponds to the permission table in the database

So the question is, what kind of permissions do we need to manage permissions? of course, we need permissions management permissions, which are saved in the database when the system is first established.

These four permissions are not written through the front end.

Now we need to add other permissions through the front-end interface and we need to use one of these four permissions.

Here we give some permissions to add, delete, change and check the mybatis dao.

Mapperpublic interface SysPermissionDao {@ Options (useGeneratedKeys = true, keyProperty = "id") @ Insert ("insert into sys_permission (permission, name, createTime, updateTime) values (# {permission}, # {name}, # {createTime}, # {createTime})") int save (SysPermission sysPermission); @ Update ("update sys_permission t set t.name = # {name}, t.permission = # {permission}, t.updateTime = # {updateTime} where t.id = # {id}") int update (SysPermission sysPermission) @ Delete ("delete from sys_permission where id = # {id}") int delete (Long id); @ Select ("select * from sys_permission t where t.id = # {id}") SysPermission findById (Long id); @ Select ("select * from sys_permission t where t.permission = # {permission}") SysPermission findByPermission (String permission); int count (Map params); List findData (Map params);}

Now we need to add a new permission to Controller

/ * * manage backend add permissions * * @ param sysPermission * @ return * / @ LogAnnotation (module = LogModule.ADD_PERMISSION) @ PreAuthorize ("hasAuthority ('back:permission:save')") @ PostMapping ("/ permissions") public SysPermission save (@ RequestBody SysPermission sysPermission) {if (StringUtils.isBlank (sysPermission.getPermission () {throw new IllegalArgumentException ("permission identity cannot be empty") } if (StringUtils.isBlank (sysPermission.getName () {throw new IllegalArgumentException ("permission name cannot be empty");} sysPermissionService.save (sysPermission); return sysPermission;}

We can see the label @ PreAuthorize ("hasAuthority ('back:permission:save')"). First of all, we access the interface through the access_ token, and the system can know which user is logged in to see if the user has access to back:permission:save.

Let's take a look at user roles.

@ Datapublic class SysRole implements Serializable {private static final long serialVersionUID =-2054359538140713354L; private Long id; / / role id private String code; / / role Encoding private String name; / / role name private Date createTime; private Date updateTime;}

The table structure in the corresponding database is as follows

And give an administrator role

Which permissions the role corresponds to. You can see all permissions here.

And which role is our user?

We can see that there are two users here, both of whom belong to the administrator role.

If we log in with one of the users now and get the user's information as follows

{

"code":

"data": {

"access_token": "aaf4cd90-497e-4c33-adde-b580ab0f0c65"

"user": {

"accountNonExpired": true

"accountNonLocked": true

"authorities": [

{

"authority": "back:menu:set2role"

}

{

"authority": "mail:update"

}

{

"authority": "back:permission:delete"

}

{

"authority": "role:permission:byroleid"

}

{

"authority": "back:menu:save"

}

{

"authority": "back:menu:query"

}

{

"authority": "ip:black:query"

}

{

"authority": "ip:black:save"

}

{

"authority": "file:del"

}

{

"authority": "ip:black:delete"

}

{

"authority": "mail:query"

}

{

"authority": "back:user:query"

}

{

"authority": "back:role:permission:set"

}

{

"authority": "sms:query"

}

{

"authority": "back:role:query"

}

{

"authority": "back:permission:query"

}

{

"authority": "back:user:role:set"

}

{

"authority": "back:role:save"

}

{

"authority": "log:query"

}

{

"authority": "file:query"

}

{

"authority": "back:menu:update"

}

{

"authority": "back:role:update"

}

{

"authority": "back:role:delete"

}

{

"authority": "back:user:password"

}

{

"authority": "ROLE_SUPER_ADMIN"

}

{

"authority": "back:menu:delete"

}

{

"authority": "back:user:update"

}

{

"authority": "menu:byroleid"

}

{

"authority": "mail:save"

}

{

"authority": "user:role:byuid"

}

{

"authority": "back:permission:save"

}

{

"authority": "back:permission:update"

}

]

"createTime": "2018-01-17T16:56:59.000+0800"

"credentialsNonExpired": true

"enabled": true

"headImgUrl":

"id": 1

"nickname": "Test 1"

"password": "$2a$10 $QpeXBJpWYetNwfWEHnkvLeK0jS0P9R6V8QqCj37zeNGroqYvdvW.C"

"permissions": [

"back:menu:set2role"

"mail:update"

"back:permission:delete"

"role:permission:byroleid"

"back:menu:save"

"back:menu:query"

"ip:black:query"

"ip:black:save"

"file:del"

"ip:black:delete"

"mail:query"

"back:user:query"

"back:role:permission:set"

"sms:query"

"back:role:query"

"back:permission:query"

"back:user:role:set"

"back:role:save"

"log:query"

"file:query"

"back:menu:update"

"back:role:update"

"back:role:delete"

"back:user:password"

"back:menu:delete"

"back:user:update"

"menu:byroleid"

"mail:save"

"user:role:byuid"

"back:permission:save"

"back:permission:update"

]

"phone":

"sex": 1

"sysRoles": [

{

"code": "SUPER_ADMIN"

"createTime": "2018-01-19T20:32:16.000+0800"

"id": 1

"name": "Super Administrator"

"updateTime": "2018-01-19T20:32:18.000+0800"

}

]

"type": "APP"

"updateTime": "2018-01-17T16:57:01.000+0800"

"username": "admin"

}

}

"msg": "Operation succeeded"

}

Through the returned information, we can see his permission and compare it with @ PreAuthorize ("hasAuthority ('back:permission:save')"). We know that the login user has this permission. You can access the interface.

There are all appetizers on top, so let's get down to business.

Let's take a look at the source code of the @ PreAuthorize tag, which is located under the org.springframework.security.access.prepost package

The annotation used to specify the method access control expression to be evaluated determines whether method calls are allowed. * * @ author Luke Taylor * @ since 3.0 * / @ Target ({ElementType.METHOD, ElementType.TYPE}) @ Retention (RetentionPolicy.RUNTIME) @ Inherited@Documentedpublic @ interface PreAuthorize {/ * @ return parses the Spring EL expression before executing this protected method * / String value ();}

Here is a Spring EL expression that is parsed. Let's take a look at what a Spring EL expression is.

Public class SpringELTest {public static void main (String [] args) {ExpressionParser parser = new SpelExpressionParser (); / / parses a string with the flavor of a piece of code Expression expression = parser.parse_Expression ("'Hello World'.bytes.length"); int length = (int) expression.getValue (); System.out.println (length);}}

This "'Hello World'.bytes.length" is a Spring EL expression. Although it is a string, it has the meaning of a piece of code and can be parsed and executed.

Running result

eleven

Then it is clear that "hasAuthority ('back:permission:save')" is a Spring EL expression that can be executed.

For the label @ PreAuthorize to take effect, we need to set the resource service settings for OAuth

/ * Resource service configuration * / @ EnableResourceServer@EnableWebSecurity@EnableGlobalMethodSecurity (prePostEnabled = true,securedEnabled = true) public class ResourceServerConfig extends ResourceServerConfigurerAdapter {@ Override public void configure (HttpSecurity http) throws Exception {http.csrf () .disable () .exceptionHandling () .authenticationEntryPoint ((request, response) AuthException)-> response.sendError (HttpServletResponse.SC_UNAUTHORIZED) .and () .authorizeRequests () .antMatchers (PermitAllUrl.permitAllUrl ("/ users-anon/**", "/ sys/login", "/ wechat/**")) .permitAll () .anyRequest () .authenticated () .and () .httpBasic () } @ Override public void configure (ResourceServerSecurityConfigurer resource) throws Exception {/ / add custom exceptions to resource.authenticationEntryPoint (new AuthExceptionEntryPoint ()) .accessDeniedHandl er (new CustomAccessDeniedHandler ());} @ Bean public BCryptPasswordEncoder bCryptPasswordEncoder () {return new BCryptPasswordEncoder ();}}

@ EnableGlobalMethodSecurity (prePostEnabled = true,securedEnabled = true) is the tag that opens @ PreAuthorize to intercept. Of course, you must set prePostEnabled = true.

Since "hasAuthority ('back:permission:save')" is a Spring EL expression, hasAuthority () must be an executable method under the SecurityExpressionRoot class, which is in the org.springframework.security.access.expression package.

The base class of the Spring Security available expression object is SecurityExpressionRoot, which supports many methods.

Expression.

Description

HasRole ([role])

Whether the current user has the specified role.

HasAnyRole ([role1,role2])

Multiple roles are a string separated by commas. Returns true if the current user has any of the specified roles.

HasAuthority ([auth])

Equivalent to hasRole

HasAnyAuthority ([auth2,auth3])

Equivalent to hasAnyRole

Principle

Principle object that represents the current user

Authentication

The current Authentication object obtained directly from SecurityContext

PermitAll

Always return true, which means that all

DenyAll

Always return false, which means to reject all

IsAnonymous ()

Whether the current user is an anonymous user

IsRememberMe ()

Indicates whether the current user is automatically logged in through Remember-Me

IsAuthenticated ()

Indicates whether the current user has successfully logged in and authenticated.

IsFullyAuthenticated ()

If the current user is neither an anonymous user nor automatically logged in through Remember-Me, true is returned.

Let's take a look at the implementation of the hasAuthority method. Only when the result returned by this method is true can we further access our interface code.

The authority passed in here is "back:permission:save"

Public final boolean hasAuthority (String authority) {return hasAnyAuthority (authority);} public final boolean hasAnyAuthority (String...) Authorities) {return hasAnyAuthorityName (null, authorities);} private boolean hasAnyAuthorityName (String prefix, String...) Roles) {/ / get all user role permissions Set roleSet = getAuthoritySet (); / / since the roles we passed here is only "back:permission:save" / / so role is "back:permission:save" and prefix is null for (String role: roles) {/ / defaultedRole is still "back:permission:save" String defaultedRole = getRoleWithDefaultPrefix (prefix, role) / / whether the permission of "back:permission:save" is included in the permission set / / according to the return information of our previous login, we can see the existence of "authority": "back:permission:save" / / so the permission can be verified here. If (roleSet.contains (defaultedRole)) {return true;}} return false;} private Set getAuthoritySet () {/ / Set roles is an attribute of SecurityExpressionRoot / / We can see that it is a set of permissions obtained from a series of user authentication if (roles = = null) {roles = new HashSet () / / authentication is a very important attribute of SecurityExpressionRoot, and it is an interface / / each method Collection that manages user authentication information.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.