What is the difference between hasRole and hasAuthority in Spring Security

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article mainly explains the difference between hasRole and hasAuthority in Spring Security. The content is simple and clear, and it is easy to learn and understand. Please follow the editor's train of thought to study "what's the difference between hasRole and hasAuthority in Spring Security".

I am sure that many people are puzzled by this problem when they come into contact with Spring Security for the first time, for example by the following two snippets:

http.authorizeRequests()
        .antMatchers("/admin/**").hasAuthority("admin")
        .antMatchers("/user/**").hasAuthority("user")
        .anyRequest().authenticated();

And

http.authorizeRequests()
        .antMatchers("/admin/**").hasRole("admin")
        .antMatchers("/user/**").hasRole("user")
        .anyRequest().authenticated();

So what's the difference between the two configurations?

Today we are going to talk to you about this problem.

1. Source code analysis

Judging purely from the source code, these two seem to be the same thing. First take a look at hasAuthority (in ExpressionUrlAuthorizationConfigurer):

public ExpressionInterceptUrlRegistry hasAuthority(String authority) {
    return access(ExpressionUrlAuthorizationConfigurer.hasAuthority(authority));
}

private static String hasAuthority(String authority) {
    return "hasAuthority('" + authority + "')";
}

In the end the access method is called, passing in the permission expression hasAuthority('xxx').

Now take a look at hasRole:

public ExpressionInterceptUrlRegistry hasRole(String role) {
    return access(ExpressionUrlAuthorizationConfigurer.hasRole(role));
}

private static String hasRole(String role) {
    Assert.notNull(role, "role cannot be null");
    // the configurer refuses an already-prefixed role name at startup
    if (role.startsWith("ROLE_")) {
        throw new IllegalArgumentException(
                "role should not start with 'ROLE_' since it is automatically inserted. Got '"
                        + role + "'");
    }
    return "hasRole('ROLE_" + role + "')";
}

As you can see, hasRole is processed almost exactly like hasAuthority, except that hasRole automatically prefixes the given string with ROLE_. So the role string stored in the database must carry the ROLE_ prefix: if the database stores the user's role as ROLE_admin, the code writes admin.

When we call hasAuthority, the permission string is compared with what was loaded from the database exactly as stored, with no ROLE_ prefix added: if the database stores the user's role as admin, the code writes admin.

In other words, hasAuthority is the more consistent of the two: you don't have to think about whether to add the ROLE_ prefix, the code uses whatever the database holds. hasRole is different: if the code says admin, the framework automatically prepends ROLE_, so the database must hold ROLE_admin.

It seems that the only difference between hasAuthority and hasRole is whether or not there is a ROLE_ prefix.

In the final permission comparison the two are even closer: both hasAuthority and hasRole end up calling the hasAnyAuthorityName method of the SecurityExpressionRoot class:

public final boolean hasAuthority(String authority) {
    return hasAnyAuthority(authority);
}

public final boolean hasAnyAuthority(String... authorities) {
    return hasAnyAuthorityName(null, authorities);
}

public final boolean hasRole(String role) {
    return hasAnyRole(role);
}

public final boolean hasAnyRole(String... roles) {
    return hasAnyAuthorityName(defaultRolePrefix, roles);
}

private boolean hasAnyAuthorityName(String prefix, String... roles) {
    // the flattened set of the current Authentication's granted authorities
    Set<String> roleSet = getAuthoritySet();
    for (String role : roles) {
        // prepends the prefix unless it is null or the role already starts with it
        String defaultedRole = getRoleWithDefaultPrefix(prefix, role);
        if (roleSet.contains(defaultedRole)) {
            return true;
        }
    }
    return false;
}

hasAnyRole passes the ROLE_ prefix (defaultRolePrefix) when calling hasAnyAuthorityName, while hasAnyAuthority passes no prefix at all.

So from a purely source point of view, the functions of hasRole and hasAuthority seem to be exactly the same, except for the prefix.
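To see the prefix difference end to end, here is an added example (not code from the original article) that builds two users with Spring Security's User builder and evaluates hasRole/hasAuthority against a SecurityExpressionRoot, which is the same class the web and method security layers use. It assumes spring-security-core on the classpath; the class name PrefixDemo, the user names and the "{noop}x" passwords are constructed sample values.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class PrefixDemo {

    // SecurityExpressionRoot is abstract but has no abstract methods, so an
    // anonymous subclass is enough to evaluate hasRole/hasAuthority directly
    // through the hasAnyAuthorityName logic shown in the article.
    static SecurityExpressionRoot rootFor(UserDetails user) {
        Authentication auth = new TestingAuthenticationToken(
                user.getUsername(), "n/a",
                new ArrayList<GrantedAuthority>(user.getAuthorities()));
        return new SecurityExpressionRoot(auth) { };
    }

    static void report(String label, SecurityExpressionRoot root) {
        System.out.printf("%-28s hasRole(\"admin\")=%-5s hasAuthority(\"admin\")=%-5s hasAuthority(\"ROLE_admin\")=%s%n",
                label, root.hasRole("admin"), root.hasAuthority("admin"), root.hasAuthority("ROLE_admin"));
    }

    public static void main(String[] args) {
        // Constructed sample users: .roles("admin") stores the authority ROLE_admin,
        // .authorities("admin") stores exactly the string "admin".
        UserDetails alice = User.withUsername("alice").password("{noop}x").roles("admin").build();
        UserDetails bob = User.withUsername("bob").password("{noop}x").authorities("admin").build();

        System.out.println("alice authorities: " + alice.getAuthorities());
        System.out.println("bob   authorities: " + bob.getAuthorities());

        report("alice (stored as ROLE_admin)", rootFor(alice));
        report("bob (stored as admin)", rootFor(bob));

        // The expression root tolerates an already-prefixed name (no double prefix),
        // whereas the HttpSecurity configurer rejects hasRole("ROLE_admin") at startup.
        System.out.println("alice hasRole(\"ROLE_admin\") = " + rootFor(alice).hasRole("ROLE_admin"));
    }
}
```

Running this shows alice passing hasRole("admin") and hasAuthority("ROLE_admin") but failing hasAuthority("admin"), and bob the reverse: only hasAuthority("admin") succeeds. The practical consequence is that a prefix mismatch between the stored authorities and the configuration fails closed (403 for everyone), so the symptom to watch for is legitimate users being denied, not a bypass; the fix is to make the storage convention and the expression style agree, not to store both forms.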

So why would Spring Security designers make two things that look exactly the same?

2. Design concept

In terms of design, these are two different things. The purpose of providing both role and authority is to let developers design permissions along two different dimensions, so there is no conflict between them.

Authority describes a specific permission, such as the permission to query or delete a certain item of data; examples are read_employee, delete_employee, update_employee and so on. I believe everyone can see that these are concrete permissions.

Role is a collection of authorities, and by convention its name starts with ROLE_; for example, the roles we define are ROLE_ADMIN, ROLE_USER and so on. Spring Security handles roles specially in many places. For example, in the voters and decision managers we talked about in the previous article, RoleVoter automatically adds the ROLE_ prefix when dealing with roles.

In a project, we can associate users with roles, roles with permissions, permissions with resources.

Reflected in the code, it looks like this:

Suppose we use the SimpleGrantedAuthority provided by Spring Security to represent an authority, and then customize a Role as follows:

import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class Role implements GrantedAuthority {

    // the role name, e.g. ROLE_ADMIN
    private String name;

    // the concrete permissions (authorities) this role grants
    private List<SimpleGrantedAuthority> allowedOperations = new ArrayList<>();

    @Override
    public String getAuthority() {
        return name;
    }

    public List<SimpleGrantedAuthority> getAllowedOperations() {
        return allowedOperations;
    }

    public void setAllowedOperations(List<SimpleGrantedAuthority> allowedOperations) {
        this.allowedOperations = allowedOperations;
    }
}

A Role is thus a collection of authorities, and the roles collection is then defined in User:

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

public class User implements UserDetails {

    private List<Role> roles = new ArrayList<>();

    public List<Role> getRoles() {
        return roles;
    }

    public void setRoles(List<Role> roles) {
        this.roles = roles;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities()
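The article breaks off before showing how a user's roles become granted authorities. The following is an added example, not the author's code, of one way to wire the two dimensions together: each role is itself a GrantedAuthority (ROLE_...) and also contributes its operations to the flattened authority set, so hasRole checks an area and hasAuthority checks an action on the same user. It assumes spring-security-core on the classpath; DemoRole, RoleAuthorityDemo, the role names and the operation names are constructed for the example and are not from the original page.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class RoleAuthorityDemo {

    // A role is a GrantedAuthority named ROLE_... that carries its allowed operations.
    static class DemoRole implements GrantedAuthority {
        private final String name;
        private final List<SimpleGrantedAuthority> allowedOperations = new ArrayList<>();

        DemoRole(String name, String... operations) {
            this.name = name;
            for (String op : operations) {
                allowedOperations.add(new SimpleGrantedAuthority(op));
            }
        }

        @Override
        public String getAuthority() {
            return name;
        }

        List<SimpleGrantedAuthority> getAllowedOperations() {
            return allowedOperations;
        }
    }

    // Flattens roles and their operations into the single authority list that
    // Spring Security's hasAnyAuthorityName() searches (this is the assumed
    // body of a getAuthorities() implementation, not the article's own).
    static List<GrantedAuthority> authoritiesOf(List<DemoRole> roles) {
        List<GrantedAuthority> all = new ArrayList<>();
        for (DemoRole role : roles) {
            all.add(role);                           // ROLE_ADMIN satisfies hasRole("ADMIN")
            all.addAll(role.getAllowedOperations()); // delete_employee satisfies hasAuthority("delete_employee")
        }
        return all;
    }

    // Anonymous subclass: SecurityExpressionRoot is abstract with no abstract methods.
    static SecurityExpressionRoot rootFor(String username, List<DemoRole> roles) {
        return new SecurityExpressionRoot(
                new TestingAuthenticationToken(username, "n/a", authoritiesOf(roles))) { };
    }

    public static void main(String[] args) {
        // constructed sample roles
        DemoRole admin = new DemoRole("ROLE_ADMIN", "read_employee", "update_employee", "delete_employee");
        DemoRole user = new DemoRole("ROLE_USER", "read_employee");

        SecurityExpressionRoot alice = rootFor("alice", List.of(admin));
        SecurityExpressionRoot bob = rootFor("bob", List.of(user));

        // Role dimension: who may enter the admin area at all
        System.out.println("alice hasRole(ADMIN): " + alice.hasRole("ADMIN"));
        System.out.println("bob   hasRole(ADMIN): " + bob.hasRole("ADMIN"));
        // Authority dimension: who may perform a specific operation
        System.out.println("alice hasAuthority(delete_employee): " + alice.hasAuthority("delete_employee"));
        System.out.println("bob   hasAuthority(delete_employee): " + bob.hasAuthority("delete_employee"));
        System.out.println("bob   hasAuthority(read_employee):   " + bob.hasAuthority("read_employee"));
    }
}
```

With this layout, alice passes both the role check and the delete check, while bob fails hasRole("ADMIN") and hasAuthority("delete_employee") but passes hasAuthority("read_employee"). A URL rule such as .antMatchers("/admin/**").hasRole("ADMIN") and a method rule such as @PreAuthorize("hasAuthority('delete_employee')") can then coexist on the same user without either one having to know how the other is named.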
