2025-04-06 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains how to solve the problem of Spring Security permission configuration not taking effect. It is detailed and should be a useful reference. Interested readers should read it to the end.
Spring Security permission configuration does not take effect
When integrating Spring Security and configuring interface permissions, requests keep returning "no permission" or "insufficient permissions" even after the permissions have been configured for the user.
1. Examples that do not take effect
Interface
```java
@RequestMapping("/admin")
@ResponseBody
@PreAuthorize("hasRole('ADMIN')")
public String printAdmin() {
    return "if you see this sentence, you have a ROLE_ADMIN role";
}

@RequestMapping("/user")
@ResponseBody
@PreAuthorize("hasRole('USER')")
public String printUser() {
    return "if you see this sentence, you have a ROLE_USER role";
}
```
SecurityConfig
```java
.and()
.authorizeRequests()
    .antMatchers("/user").hasAnyRole("USER")
    .antMatchers("/admin").hasAnyRole("ADMIN")
    .anyRequest().authenticated() // all other requests must be authenticated to be accessed
```
Users carry permissions
2. Solution
Testing shows that access control takes effect only when the permission string carried by the user is "ROLE_" + the permission string used in the interface annotation / configuration, for example:
Change the user carrying permissions above to
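By default, hasRole('ADMIN') and hasAnyRole("ADMIN") prepend "ROLE_" and look for an authority named ROLE_ADMIN, while hasAuthority('ADMIN') compares the literal string. The class below is an added example, not code from the original article; the user names, the {noop}pw placeholder password and the class name RolePrefixDemo are constructed for illustration, and it needs spring-security-core on the classpath.

```java
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Set;

public class RolePrefixDemo {

    // What hasRole('X') / hasAnyRole("X") look for by default: an authority named "ROLE_" + X.
    static boolean hasRole(UserDetails user, String role) {
        return hasAuthority(user, "ROLE_" + role);
    }

    // What hasAuthority('X') looks for: the literal string X, with no prefix added.
    static boolean hasAuthority(UserDetails user, String authority) {
        Set<String> granted = AuthorityUtils.authorityListToSet(user.getAuthorities());
        return granted.contains(authority);
    }

    // Constructed sample user; "{noop}pw" is a placeholder password.
    static UserDetails user(String name, String... authorities) {
        return User.withUsername(name).password("{noop}pw").authorities(authorities).build();
    }

    public static void main(String[] args) {
        UserDetails bare = user("alice", "ADMIN");        // authority stored without the prefix
        UserDetails prefixed = user("bob", "ROLE_ADMIN"); // authority stored with the prefix
        // roles("ADMIN") is the builder shortcut that stores ROLE_ADMIN for you.
        UserDetails viaRoles = User.withUsername("carol").password("{noop}pw").roles("ADMIN").build();

        for (UserDetails u : new UserDetails[] {bare, prefixed, viaRoles}) {
            System.out.printf("%-6s authorities=%s hasRole(ADMIN)=%b hasAuthority(ADMIN)=%b%n",
                    u.getUsername(), u.getAuthorities(), hasRole(u, "ADMIN"), hasAuthority(u, "ADMIN"));
        }
    }
}
```

Only the user whose authority is stored without the prefix fails the hasRole check, which is the "insufficient permissions" symptom described above.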
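Spring Security dynamic configuration permissions
Import dependencies
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.mybatis.spring.boot</groupId>
    <artifactId>mybatis-spring-boot-starter</artifactId>
    <version>2.1.3</version>
</dependency>
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>druid-spring-boot-starter</artifactId>
    <version>1.1.22</version>
</dependency>
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <scope>runtime</scope>
    <version>5.1.46</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-test</artifactId>
    <scope>test</scope>
    <exclusions>
        <exclusion>
            <groupId>org.junit.vintage</groupId>
            <artifactId>junit-vintage-engine</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-test</artifactId>
    <scope>test</scope>
</dependency>
```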
Related configuration
application.properties
```properties
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/javaboy?useUnicode=true&characterEncoding=utf8&serverTimezone=UTC
spring.datasource.username=root
spring.datasource.password=root
spring.datasource.type=com.alibaba.druid.pool.DruidDataSource
```
Entity classes User, Role, Menu
The User class must implement the UserDetails interface, which acts as a specification. It prevents developers from choosing different names for the password field, which would leave Spring Security unable to tell which method returns the password.
```java
public class User implements UserDetails {
    private Integer id;
    private String username;
    private String password;
    private Boolean enabled;
    private Boolean locked;
    private List<Role> roleList;

    // @Override public Collection ... (the rest of the class is cut off on this page)
```
```sql
-- query behind userMapper.getUserByName(username)
select * from user where username = #{name}

-- query behind userMapper.getRoleById(uid)
select * from role where id in (select rid from user_role where uid = #{uid})
```
MenuMapper
```java
@Mapper
public interface MenuMapper {
    List<Menu> getMenus();
}
```
MenuMapper.xml
```sql
select m.*, r.id as rid, r.name as rname, r.nameZh as rnameZh
from menu_role mr
left join menu m on mr.mid = m.id
left join role r on mr.rid = r.id
```
Create UserService and MenuService
Create UserService, implementing the UserDetailsService interface
```java
@Service
public class UserService implements UserDetailsService {
    @Autowired
    private UserMapper userMapper;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userMapper.getUserByName(username);
        if (user == null) {
            throw new UsernameNotFoundException("user name does not exist");
        }
        // Load the roles of this user so that they are available as authorities
        user.setRoleList(userMapper.getRoleById(user.getId()));
        return user;
    }
}
```
Create MenuService
```java
@Service
public class MenuService {
    @Autowired
    private MenuMapper menuMapper;

    public List<Menu> getMenus() {
        return menuMapper.getMenus();
    }
}
```
Create a CustomFilterInvocationSecurityMetadataSource
Implement the FilterInvocationSecurityMetadataSource interface
Note: add the @Component annotation to register the custom class as a Spring component
Set the return value of supports() to true to indicate support
Override the getAttributes() method
Glossary: invocation means a call (asking for help); metadata means data about data
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;

import java.util.Collection;
import java.util.List;

@Component
public class CustomFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
    // Ant-style path matcher
    AntPathMatcher pathMatcher = new AntPathMatcher();

    @Autowired
    private MenuService menuService;

    // supports() returns true to indicate support
    @Override
    public boolean supports(Class<?> aClass) {
        return true;
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        // Get the URL requested by the current user
        String requestUrl = ((FilterInvocation) object).getRequestUrl();
        // Query all paths in the database
        List<Menu> menus = menuService.getMenus();
        for (Menu menu : menus) {
            // Check whether the requested URL matches a URL pattern from the database
            if (pathMatcher.match(menu.getPattern(), requestUrl)) {
                List<Role> roles = menu.getRoles();
                String[] roleStr = new String[roles.size()];
                for (int i = 0; i < roles.size(); i++) {
                    roleStr[i] = roles.get(i).getName();
                }
                // Return the roles attached to the matched URL pattern
                return SecurityConfig.createList(roleStr);
            }
        }
        // If nothing matched, return a default role that serves as a marker
        return SecurityConfig.createList("ROLE_def");
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }
}
```
Create CustomAccessDecisionManager
Implement the AccessDecisionManager interface
Glossary: access means a channel
Note: add the @Component annotation to register the custom class as a Spring component
Set both supports() methods to return true
Override the decide() method
```java
@Component
public class CustomAccessDecisionManager implements AccessDecisionManager {
    @Override
    public void decide(Authentication authentication, Object o, Collection<ConfigAttribute> collection)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // collection holds the roles filtered out by CustomFilterInvocationSecurityMetadataSource
        for (ConfigAttribute configAttribute : collection) {
            // The requested URL has no roles in the database
            if ("ROLE_def".equals(configAttribute.getAttribute())) {
                // Then check whether this is an anonymous user (that is, not logged in)
                if (authentication instanceof AnonymousAuthenticationToken) {
                    System.out.println(">> anonymous users > ");
                    throw new AccessDeniedException(" insufficient permissions to access ");
                } else {
                    // Any other kind of user has logged in and is let through directly
                    System.out.println(" > other types of users > ");
                    return;
                }
            }
            // If the path you access has roles in the database, execution reaches this point
            // Authentication stores all the information of the logged-in user
            // Collection ... (the listing is cut off here on this page)
```
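The two-step flow described above (look up the roles for the URL, then compare them with the caller's authorities) can be modelled without a database. The class below is an added sketch, not the article's code: the menu rows, the class name DynamicDecisionDemo and the rule that any one matching role is enough are assumptions, and it needs spring-core on the classpath for AntPathMatcher.

```java
import org.springframework.util.AntPathMatcher;

import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class DynamicDecisionDemo {
    static final String DEFAULT_MARKER = "ROLE_def"; // marker role used by the article

    // Constructed stand-in for the menu / menu_role rows: URL pattern -> role names.
    static final Map<String, List<String>> MENUS = new LinkedHashMap<>();
    static {
        MENUS.put("/admin/**", List.of("ROLE_ADMIN"));
        MENUS.put("/user/**", List.of("ROLE_USER", "ROLE_ADMIN"));
    }

    static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Step 1 (metadata source): roles required for the URL, or the marker if no pattern matches.
    static List<String> requiredRoles(String url) {
        for (Map.Entry<String, List<String>> e : MENUS.entrySet()) {
            if (MATCHER.match(e.getKey(), url)) {
                return e.getValue();
            }
        }
        return List.of(DEFAULT_MARKER);
    }

    // Step 2 (decision manager): exact string comparison against the caller's authorities.
    // granted == null models an anonymous (not logged-in) request.
    static boolean decide(Set<String> granted, String url) {
        List<String> required = requiredRoles(url);
        if (required.contains(DEFAULT_MARKER)) {
            return granted != null; // unmapped URL: any logged-in user passes
        }
        return granted != null && required.stream().anyMatch(granted::contains);
    }

    public static void main(String[] args) {
        System.out.println(decide(Set.of("ROLE_ADMIN"), "/admin/list")); // stored name equals the menu role
        System.out.println(decide(Set.of("ADMIN"), "/admin/list"));      // same role stored without ROLE_
        System.out.println(decide(Set.of("ROLE_USER"), "/reports/1"));   // URL with no menu row
        System.out.println(decide(null, "/reports/1"));                  // anonymous on an unmapped URL
    }
}
```

Because the comparison is plain string equality, role names in the database must match the user's authorities character for character, including the ROLE_ prefix. A URL with no menu row is open to every logged-in user in this scheme, so returning false in the marker branch is the default-deny variant.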