Spring Security 自定义后台权限过滤的方案

大概思路#

其实方案有好几种，比如注解权限 @PreAuthorize("hasRole('ROLE_admin') and hasAnyRole('ROLE_user')")，类似这种注解式的，还有在配置里的 hasRole 之类的。

我的其中一种思路#

1
@Service
2
@RequiredArgsConstructor
3
public class InyaaAccessDecisionManager implements AuthorizationManager<RequestAuthorizationContext> {
4

5
    private final SecurityMetadataSource securityMetadataSource;
6

7
    @Override
8
    public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
9
        Collection<ConfigAttribute> collection = this.securityMetadataSource.getAttributes(context);
10
        // 遍历角色
11
        for (ConfigAttribute ca : collection) {
12
            // ① 当前url请求需要的权限
13
            String needRole = ca.getAttribute();
14
            if ("ROLE_ANY".equals(needRole)) {
15
                return new AuthorizationDecision(true);
16
            } else {
17
                // ② 当前用户所具有的角色
18
                Collection<? extends GrantedAuthority> authorities = authentication.get().getAuthorities();
19
                for (GrantedAuthority authority : authorities) {
20
                    if ("ROLE_ANONYMOUS".equals(authority.getAuthority())) {
21
                        return new AuthorizationDecision(false);
22
                    } else {
23
                        return new AuthorizationDecision(true);
24
                    }
25
                }
26
            }
27
        }
28
        return new AuthorizationDecision(false);
29
    }
30
}

1
@Service
2
@RequiredArgsConstructor
3
public class InyaaFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
4

5
    private final CacheService cacheService;
6

7
    /***
8
     * 返回该url所需要的用户权限信息
9
     *
10
     * @param object: 储存请求url信息
11
     * @return: null：标识不需要任何权限都可以访问
12
     */
13
    @Override
14
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
15
        HttpServletRequest request = ((RequestAuthorizationContext) object).getRequest();
16
        Map<String, Collection<ConfigAttribute>> cacheMap = cacheService.getConfigAttributeMap();
17
        for (String url : cacheMap.keySet()) {
18
            if (new AntPathRequestMatcher(url).matches(request)) {
19
                return cacheMap.get(url);
20
            }
21
        }
22
        throw new AccessDeniedException("当前访问没有权限！");
23
    }
24

25
    @Override
26
    public Collection<ConfigAttribute> getAllConfigAttributes() {
27
        return null;
28
    }
29

30
    @Override
31
    public boolean supports(Class<?> aClass) {
32
        return FilterInvocation.class.isAssignableFrom(aClass);
33
    }
34
}

AuthorizationManager<RequestAuthorizationContext> 主要是对角色的验证，他加载 FilterInvocationSecurityMetadataSource 接口的数据。而 FilterInvocationSecurityMetadataSource 接口主要是做权限的匹配，其中我用到了缓存来加载所有的权限，然后通过 URL 去匹配。

而缓存内的加载大致如下：

1
public Map<String, Collection<ConfigAttribute>> getConfigAttributeMap() {
2
    if (AuthCache.size() < 1) {
3
        List<InyawSysApi> list = inyawSysApiDao.findAll();
4
        for (InyawSysApi api : list) {
5
            List<ConfigAttribute> configAttributeList = new ArrayList<>();
6
            ConfigAttribute configAttribute;
7
            switch (api.getType()) {
8
                case 0 -> configAttribute = new SecurityConfig("ROLE_ANY");
9
                case 1 -> configAttribute = new SecurityConfig("ROLE_LOGIN");
10
                case 2 -> {
11
                    InyawSysRole role = inyawSysRoleService.getById(api.getId());
12
                    configAttribute = new SecurityConfig(role.getRoleKey());
13
                }
14
                default -> throw new IllegalStateException("错误的类型: " + api.getType());
15
            }
16
            configAttributeList.add(configAttribute);
17
            AuthCache.put(api.getUrl(), configAttributeList);
18
        }
19
    }
20
    return AuthCache;
21
}

其余的不多做解释了，代码水平也一般。大概就是 API 表按 type 来判断具体的角色权限，因为我当时没想好具体的权限表如何设计，我现实没这样的需求。

最后是配置类#

1
http
2
    .authorizeHttpRequests((authorize) -> authorize
3
        .anyRequest().access(inyaaAccessDecisionManager)
4
    )
5
    .csrf(AbstractHttpConfigurer::disable)
6
    .oauth2ResourceServer(httpSecurityOAuth2ResourceServerConfigurer ->
7
        httpSecurityOAuth2ResourceServerConfigurer.jwt(Customizer.withDefaults()))
8
    .sessionManagement((session) ->
9
        session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
10
    .exceptionHandling((exceptions) -> exceptions
11
        .authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint())
12
        .accessDeniedHandler(new BearerTokenAccessDeniedHandler())
13
    );

这个配置类是官方 Demo 的 JWT 方案的配置类，权限代码具体有用的就只有前几行 csrf 前边那部分。

音乐

音乐

大概思路#

我的其中一种思路#

最后是配置类#

支持与分享

音乐

文章目录