Analysis of role inheritance in SpringSecurity

2025-02-24 Update From: SLTechnology News&Howtos, Shulou (Shulou.com), 06/03


Today, I would like to talk with you about role inheritance in Spring Security.

Role inheritance is a very common requirement. Most organizations are structured as a pyramid, where a superior may have some or even all of the permissions of their subordinates; in code, this reality is expressed as role inheritance.

Spring Security provides developers with a role inheritance solution, but the way it is used has changed in recent Spring Security versions. Today, in addition to sharing role inheritance with you, I also want to cover this change so that you do not trip over it. Those who have bought my book should also note that the book is based on Spring Boot 2.0.4, which is a little different from the latest version of Spring Boot.

The previous way of writing

The previous way of writing here refers to Spring Boot 2.0.8 and earlier. In these versions, role inheritance only requires the developer to provide an instance of the RoleHierarchy interface, such as the following:

    @Bean
    RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
        // Old format: relationships are separated by a single space
        String hierarchy = "ROLE_dba > ROLE_admin ROLE_admin > ROLE_user";
        roleHierarchy.setHierarchy(hierarchy);
        return roleHierarchy;
    }

Here we provide an instance of the RoleHierarchy interface, which uses a string to describe the inheritance relationships between roles. ROLE_dba has all the permissions of ROLE_admin, while ROLE_admin has all the permissions of ROLE_user. Each inheritance relationship is separated from the next by a space. After providing this bean, all resources that require the ROLE_user role can also be accessed by ROLE_dba and ROLE_admin, and resources that require the ROLE_admin role can also be accessed by ROLE_dba.

The present way of writing

However, the above way of writing only works up to Spring Boot 2.0.8 (inclusive). Later versions do not support it, and the new version is written as follows:

    @Bean
    RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
        // New format: relationships are separated by a newline
        String hierarchy = "ROLE_dba > ROLE_admin\nROLE_admin > ROLE_user";
        roleHierarchy.setHierarchy(hierarchy);
        return roleHierarchy;
    }

The main change is the delimiter: relationships that were previously separated by a space are now separated by a newline character. The meaning of the expression is the same as above, so I won't repeat it.

Both ways of writing configure the inheritance relationship between roles. Once that is configured, you can specify which role each resource requires, as follows:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Each path pattern names only its own role; inheritance comes from the RoleHierarchy bean
                .antMatchers("/admin/**").hasRole("admin")
                .antMatchers("/db/**").hasRole("dba")
                .antMatchers("/user/**").hasRole("user")
                .and()
                .formLogin()
                .loginProcessingUrl("/doLogin")
                .permitAll()
                .and()
                // CSRF protection is turned off in this demo configuration
                .csrf().disable();
    }

Paths matching /db/** require the dba role, paths matching /admin/** require the admin role, and paths matching /user/** require the user role. Once the corresponding interfaces are provided, you will find that dba can access /admin/** and /user/** in addition to /db/**. The admin role can access /user/** in addition to /admin/**, while the user role can only access /user/**.

Source code analysis

These two ways of writing correspond to two different parsing strategies. The role inheritance string is parsed in the buildRolesReachableInOneStepMap method of the RoleHierarchyImpl class. In Spring Boot 2.0.8 and earlier, the source code of this method is as follows:

    private void buildRolesReachableInOneStepMap() {
        // Each match is one "higher > lower" pair; any whitespace may separate pairs
        Pattern pattern = Pattern.compile("(\\s*([^\\s>]+)\\s*>\\s*([^\\s>]+))");
        Matcher roleHierarchyMatcher = pattern.matcher(this.roleHierarchyStringRepresentation);
        this.rolesReachableInOneStepMap = new HashMap<>();
        while (roleHierarchyMatcher.find()) {
            GrantedAuthority higherRole = new SimpleGrantedAuthority(roleHierarchyMatcher.group(2));
            GrantedAuthority lowerRole = new SimpleGrantedAuthority(roleHierarchyMatcher.group(3));
            Set<GrantedAuthority> rolesReachableInOneStepSet;
            if (!this.rolesReachableInOneStepMap.containsKey(higherRole)) {
                rolesReachableInOneStepSet = new HashSet<>();
                this.rolesReachableInOneStepMap.put(higherRole, rolesReachableInOneStepSet);
            } else {
                rolesReachableInOneStepSet = this.rolesReachableInOneStepMap.get(higherRole);
            }
            addReachableRoles(rolesReachableInOneStepSet, lowerRole);
            logger.debug("buildRolesReachableInOneStepMap() - From role " + higherRole
                    + " one can reach role " + lowerRole + " in one step.");
        }
    }

From this source code, we can see that the inheritance relationships are parsed with a regular expression, with the relationships separated by spaces, and then the corresponding map is built.

From Spring Boot 2.1.0 (inclusive) onward, the source code of this method is as follows:

    private void buildRolesReachableInOneStepMap() {
        this.rolesReachableInOneStepMap = new HashMap<>();
        try (BufferedReader bufferedReader = new BufferedReader(
                new StringReader(this.roleHierarchyStringRepresentation))) {
            // One line of the hierarchy string is parsed at a time
            for (String readLine; (readLine = bufferedReader.readLine()) != null;) {
                String[] roles = readLine.split(" > ");
                for (int i = 1; i < roles.length; i++) {
                    GrantedAuthority higherRole = new SimpleGrantedAuthority(
                            roles[i - 1].replaceAll("^\\s+|\\s+$", ""));
                    GrantedAuthority lowerRole = new SimpleGrantedAuthority(
                            roles[i].replaceAll("^\\s+|\\s+$", ""));
                    Set<GrantedAuthority> rolesReachableInOneStepSet;
                    if (!this.rolesReachableInOneStepMap.containsKey(higherRole)) {
                        rolesReachableInOneStepSet = new HashSet<>();
                        this.rolesReachableInOneStepMap.put(higherRole, rolesReachableInOneStepSet);
                    } else {
                        rolesReachableInOneStepSet = this.rolesReachableInOneStepMap.get(higherRole);
                    }
                    addReachableRoles(rolesReachableInOneStepSet, lowerRole);
                    if (logger.isDebugEnabled()) {
                        logger.debug("buildRolesReachableInOneStepMap() - From role " + higherRole
                                + " one can reach role " + lowerRole + " in one step.");
                    }
                }
            }
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

Here, instead of using a regular expression, the method first wraps the role inheritance string in a BufferedReader, then reads it line by line, parses each line, and finally builds the corresponding map. This is why the earlier and later versions require different ways of writing the hierarchy.
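The effect of the two parsing strategies on the two hierarchy strings, as an added example that is not part of the original article or of Spring Security's source: a plain-Java re-implementation that runs both strings through both strategies and prints which roles each role inherits. Role names are plain strings instead of GrantedAuthority, `trim()` stands in for the `replaceAll` call, and the class name and the `reachable` helper are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;
import java.util.regex.*;

public class RoleHierarchyParseDemo {
    // Regex strategy (Spring Boot 2.0.8 and earlier); roles kept as plain strings.
    static Map<String, Set<String>> parseWithRegex(String hierarchy) {
        Map<String, Set<String>> oneStep = new HashMap<>();
        Matcher m = Pattern.compile("(\\s*([^\\s>]+)\\s*>\\s*([^\\s>]+))").matcher(hierarchy);
        while (m.find()) {
            oneStep.computeIfAbsent(m.group(2), k -> new HashSet<>()).add(m.group(3));
        }
        return oneStep;
    }
    // Line-by-line strategy (Spring Boot 2.1.0 and later).
    static Map<String, Set<String>> parseByLine(String hierarchy) throws IOException {
        Map<String, Set<String>> oneStep = new HashMap<>();
        try (BufferedReader reader = new BufferedReader(new StringReader(hierarchy))) {
            for (String line; (line = reader.readLine()) != null;) {
                String[] roles = line.split(" > ");
                for (int i = 1; i < roles.length; i++) {
                    String higher = roles[i - 1].trim();
                    oneStep.computeIfAbsent(higher, k -> new HashSet<>()).add(roles[i].trim());
                }
            }
        }
        return oneStep;
    }
    // Hypothetical helper: every role reachable from 'role' in one or more steps.
    static Set<String> reachable(Map<String, Set<String>> oneStep, String role) {
        Set<String> seen = new TreeSet<>();
        Deque<String> todo = new ArrayDeque<>(Collections.singleton(role));
        while (!todo.isEmpty()) {
            for (String next : oneStep.getOrDefault(todo.pop(), Collections.emptySet())) {
                if (seen.add(next)) todo.push(next);
            }
        }
        return seen;
    }

    public static void main(String[] args) throws IOException {
        String spaced = "ROLE_dba > ROLE_admin ROLE_admin > ROLE_user";  // old format
        String lined = "ROLE_dba > ROLE_admin\nROLE_admin > ROLE_user";  // new format
        for (String role : Arrays.asList("ROLE_dba", "ROLE_admin")) {
            System.out.println(role + " | regex, spaced: " + reachable(parseWithRegex(spaced), role));
            System.out.println(role + " | lines, spaced: " + reachable(parseByLine(spaced), role));
            System.out.println(role + " | lines, lined:  " + reachable(parseByLine(lined), role));
        }
    }
}
```

Under the line-based strategy, the old space-separated string produces a single role literally named "ROLE_admin ROLE_admin", so ROLE_dba no longer reaches ROLE_admin and ROLE_admin inherits nothing. No exception is thrown, so a configuration left in the old format fails silently after the upgrade; a test that asserts the reachable authorities for each role catches it.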
