SpringSecurity-授权示例

用户基于权限进行授权

定义用户与权限

authorities()。

package com.cms.config;import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;/*** @author: coffee* @date: 2024/6/27 20:33* @description: ...*/
@Configuration
public class UserConfig {@Beanpublic UserDetailsService userDetailsService () {InMemoryUserDetailsManager userDetailsManager = new InMemoryUserDetailsManager();UserDetails user1 = User.withUsername("john").password("123456").authorities("READ").build();UserDetails user2 = User.withUsername("jane").password("123456").authorities("WRITE").build();userDetailsManager.createUser(user1);userDetailsManager.createUser(user2);return userDetailsManager;}@Beanpublic PasswordEncoder passwordEncoder () {return NoOpPasswordEncoder.getInstance();}}

权限维度授权配置

package com.cms.config;import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;/*** @author: coffee* @date: 2024/6/27 20:37* @description: 基于用户权限限制所有端点的访问*/
@Configuration
public class ProjectConfig extends WebSecurityConfigurerAdapter {/*** 指定用户可以访问端点的条件：1.hasAuthority() 2.hasAnyAuthority()  3.access()*/@Overrideprotected void configure (HttpSecurity httpSecurity) throws Exception {httpSecurity.httpBasic();// permitAll()方法修改授权配置，无需凭据(用户名密码)也可以直接调用接口。   curl http://localhost:8080/hello// httpSecurity.authorizeRequests().anyRequest().permitAll();// 指定用户可以访问端点的条件-hasAuthority 。 发现john报403、jane正常；// httpSecurity.authorizeRequests().anyRequest().hasAuthority("WRITE");// 允许具有WRITE或者READ权限的用户访问端点-hasAnyAuthority。  发现john报正常、jane正常；httpSecurity.authorizeRequests().anyRequest().hasAnyAuthority("WRITE","READ");// access() - 为配置访问提供了无限的可能性，因为应用程序会基于SPEL构建授权规则。但是，他会让代码更难阅读和调试。所以作为次要解决方案，仅在不能使用hasAuthority和hasAnyAuthority时才使用}
}

用户基于角色进行授权

定义用户与角色

roles()。

package com.cms.config;import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;/*** @author: coffee* @date: 2024/6/27 20:33* @description: ...*/
@Configuration
public class UserConfig {@Beanpublic UserDetailsService userDetailsService () {InMemoryUserDetailsManager userDetailsManager = new InMemoryUserDetailsManager();// authorities：使用"ROLE_"前缀，GrantedAuthority现在就表示一个角色UserDetails user1 = User.withUsername("john").password("123456").authorities("ROLE_ADMIN").build();// roles：不需要添加"ROLE_"前缀// UserDetails user1 = User.withUsername("john").password("123456").roles("ADMIN").build();UserDetails user2 = User.withUsername("jane").password("123456").authorities("ROLE_MANAGER").build();// UserDetails user2 = User.withUsername("jane").password("123456").roles("MANAGER").build();userDetailsManager.createUser(user1);userDetailsManager.createUser(user2);return userDetailsManager;}@Beanpublic PasswordEncoder passwordEncoder () {return NoOpPasswordEncoder.getInstance();}}

角色维度授权配置

package com.cms.config;import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;/*** @author: coffee* @date: 2024/6/27 20:37* @description: 基于用户权限限制所有端点的访问*/
@Configuration
public class ProjectConfig extends WebSecurityConfigurerAdapter {/*** 指定用户可以访问端点的条件：1.hasAuthority() 2.hasAnyAuthority()  3.access()*/@Overrideprotected void configure (HttpSecurity httpSecurity) throws Exception {httpSecurity.httpBasic();// permitAll()方法修改授权配置，无需凭据(用户名密码)也可以直接调用接口。   curl http://localhost:8080/hello// httpSecurity.authorizeRequests().anyRequest().permitAll();// 指定用户可以访问端点的条件-hasRole 。 hasRole()方法现在会指定允许访问端点的角色。请注意，这里没有出现ROLE_前缀// httpSecurity.authorizeRequests().anyRequest().hasRole("ADMIN");// 允许具有ADMIN或者MANAGER角色权限的用户访问端点-hasAnyRole。httpSecurity.authorizeRequests().anyRequest().hasAnyRole("ADMIN","MANAGER");// access() - 为配置访问提供了无限的可能性，因为应用程序会基于SPEL构建授权规则。但是，他会让代码更难阅读和调试。所以作为次要解决方案，仅在不能使用hasRole和hasAnyRole时才使用}
}