What are the considerations for setting roles and permissions using SpringSecurity

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/01

This article explains in detail what to pay attention to when using Spring Security to set roles and permissions. The editor finds it very practical and shares it here as a reference. I hope you get something out of reading it.

Spring Security: the concepts of roles and permissions

When building the currently logged-in user in the loadUserByUsername method of UserDetailsService, you can choose between two authorization methods: role authorization and permission authorization. The corresponding expressions are hasRole and hasAuthority, and the two are configured differently. Here is a description:

Role authorization: the authority string must be prefixed with ROLE_ when it is granted. Do not add the prefix when using it on the controller.

Permission authorization: the name only needs to be the same when it is granted and when it is used.

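Use the mock code

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

@Component
public class MyUserDetailService implements UserDetailsService {

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
        // Mock user: every username gets the same fixed password and authorities.
        // Set permissions and roles:
        // 1. A role passed to commaSeparatedStringToAuthorityList must carry the ROLE_ prefix,
        //    but the prefix is left off when the role is used on the controller.
        // 2. A permission must not carry the ROLE_ prefix; hasAuthority takes the name
        //    exactly as it was granted.
        User user = new User(name, passwordEncoder.encode("123456"),
                AuthorityUtils.commaSeparatedStringToAuthorityList("read,ROLE_USER"));
        return user;
    }
}
```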

The code above uses both authorization methods, for your reference.

Add permission control to the methods in the controller

```java
// Methods of a controller class. @PreAuthorize is only enforced when
// method security is enabled in the application's configuration.

@GetMapping("/write")
@PreAuthorize("hasAuthority('write')")
public String getWrite() {
    return "have a write authority";
}

@GetMapping("/read")
@PreAuthorize("hasAuthority('read')")
public String readDate() {
    return "have a read authority";
}

@GetMapping("/read-or-write")
@PreAuthorize("hasAnyAuthority('read','write')")
public String readWriteDate() {
    return "have a read or write authority";
}

@GetMapping("/admin-role")
@PreAuthorize("hasRole('admin')")
public String readAdmin() {
    return "have an admin role";
}

@GetMapping("/user-role")
@PreAuthorize("hasRole('USER')")
public String readUser() {
    return "have a user role";
}
```

There are many articles about hasRole and hasAuthority on the Internet, and many of them say there is no difference between the two, but I think the distinction is a deliberate choice by Spring's designers. The two are independent things with no relationship between them: one is used for role control, the other for control of operation rights, and the two do not contradict each other.
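An added example, not code from the original article: a standalone Java check that compares the @PreAuthorize expressions above with the authority strings actually granted and reports checks that no granted authority can satisfy. It models the ROLE_ prefix rule rather than calling Spring Security; the class name AuthorityAudit and the extra unprefixed ADMIN authority are constructed for illustration.

```java
import java.util.*;
import java.util.regex.*;
// Added example: models the ROLE_ prefix rule from this page; it does not call Spring Security.
public class AuthorityAudit {
    private static final Pattern CHECK = Pattern.compile("has(?:Any)?(Role|Authority)\\s*\\(([^)]*)\\)");

    /** Authority strings an expression looks for; holding any one of them is enough. */
    static List<String> required(String expression) {
        List<String> out = new ArrayList<>();
        Matcher m = CHECK.matcher(expression);
        while (m.find()) {
            boolean role = m.group(1).equals("Role");
            for (String arg : m.group(2).split(",")) {
                String name = arg.trim().replaceAll("^['\"]|['\"]$", "");
                if (name.isEmpty()) continue;
                // Role checks compare against ROLE_<name>; authority checks use the name as written.
                out.add(role && !name.startsWith("ROLE_") ? "ROLE_" + name : name);
            }
        }
        return out;
    }

    /** One finding per expression that none of the granted authorities can satisfy. */
    static List<String> audit(Set<String> granted, List<String> expressions) {
        List<String> findings = new ArrayList<>();
        for (String expr : expressions) {
            List<String> need = required(expr);
            if (need.isEmpty() || need.stream().anyMatch(granted::contains)) continue;
            String hint = "never granted";
            for (String n : need) {
                String bare = n.startsWith("ROLE_") ? n.substring(5) : n;
                if (granted.contains(bare)) hint = "granted as '" + bare + "' without the ROLE_ prefix";
                else if (granted.stream().anyMatch(g -> g.equalsIgnoreCase(n) || g.equalsIgnoreCase(bare)))
                    hint = "a granted authority differs only by case or prefix";
            }
            findings.add(expr + " needs " + need + ": " + hint);
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed input: the page's mock authorities plus one deliberately unprefixed role.
        Set<String> granted = new LinkedHashSet<>(Arrays.asList("read", "ROLE_USER", "ADMIN"));
        List<String> expressions = Arrays.asList(
                "hasAuthority('write')", "hasAuthority('read')", "hasAnyAuthority('read','write')",
                "hasRole('admin')", "hasRole('USER')", "hasRole('ADMIN')");
        audit(granted, expressions).forEach(System.out::println);
    }
}
```

A check like this is useful in a build or startup test, because a role granted without the prefix or in the wrong case fails closed at runtime with a 403 and is easy to misdiagnose.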

Concepts of Security roles and permissions

Some optional expressions in Security

permitAll always returns true

denyAll always returns false

anonymous returns true if the current user is anonymous

rememberMe returns true if the current user is a rememberMe user

authenticated returns true if the current user is not anonymous

fullyAuthenticated returns true if the current user is neither anonymous nor a rememberMe user

hasRole(role) returns true when the user has the specified role permission

hasAnyRole([role1,role2]) returns true when the user has any of the specified role permissions

hasAuthority(authority) returns true when the user has the specified permission

hasAnyAuthority([authority1,authority2]) returns true when the user has any of the specified permissions

hasIpAddress('192.168.1.0') returns true if the IP address the request was sent from matches

Looking at the expressions above, you should notice a problem: in Security, there seems to be no strict distinction between roles and permissions.

If there is no difference between roles and permissions, all you need is the hasRole() function. What is the use of hasAuthority()?

A: the difference is that the permission name checked by hasRole() needs to start with "ROLE_", while the one checked by hasAuthority() doesn't, and that is the whole difference.

In the usual system design we distinguish between roles and permissions. But judging whether the user is an administrator and judging whether the user has administrator rights are in fact completely the same in terms of code logic. A role is a symbol of permissions and can be seen as a kind of permission, so it is reasonable not to distinguish between roles and permissions.

If we set aside other issues and only consider permissions, we can regard roles as a kind of permission. However, roles are inherent attributes of users and are still very necessary in user management. In Security 4, the code that deals with "roles" (such as RoleVoter, hasRole expressions, etc.) always adds the ROLE_ prefix, which makes it more convenient for developers to design permissions along two different dimensions.
