Spring Security權限註解

啓用註解

@EnableGlobalMethodSecurity(prePostEnabled = true)

正常啓用開啓那個註解就行，下面放下我的配置

package com.fedtech.sys.provider.config.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;

import javax.annotation.Resource;

/**
 * 資源配置
 *
 * @author <a href = "mailto:[email protected]" > huan </a >
 * @date 2021/1/13
 * @since 1.0.0
 */
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Resource
    RedisConnectionFactory redisConnectionFactory;
    @Resource
    private TokenStore tokenStore;

    @Bean
    public TokenStore redisTokenStore() {
        return new RedisTokenStore(redisConnectionFactory);
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.tokenStore(tokenStore);
    }
}

角色

    /**
     * 查詢單個用戶
     *
     * @param query {@link UserQuery}
     *
     * @return com.fedtech.common.util.result.R<com.fedtech.sys.provider.view.UserView>
     *
     * @author <a href = "mailto:[email protected]" > huan </a >
     * @date 2021/2/20
     * @since 1.0.0
     */
    @GetMapping("select")
    @PreAuthorize("hasAuthority('admin')")
    public R<UserView> selectUser(UserQuery query) {
        UserDto dto = userService.selectUser(query);
        return R.successWithData(userMapper.dto2View(dto));
    }

權限

默認的是DenyAllPermissionEvaluator，所有權限都拒絕，所以要自定義

自定義處理邏輯

我是把權限放到了自定義的userDetails裏面

package com.fedtech.common.model;

import cn.hutool.core.collection.CollUtil;
import lombok.Data;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.StringTokenizer;

/**
 * 該類返回的是安全的，能夠提供給用戶看到的信息，即脫敏後的信息
 *
 * @author <a href = "mailto:[email protected]" > huan </a >
 * @date 2021/1/9
 * @since 1.0.0
 */
@Data
@Slf4j
public class SecurityUser implements UserDetails {
    private static final long serialVersionUID = 8689435103879098852L;
    /**
     * 鹽
     */
    private String salt;

    /**
     * 用戶token
     */
    private String token;

    /**
     * 用戶狀態
     */
    private String status;

    /**
     * 用戶密碼
     */
    private String password;

    /**
     * 用戶登錄賬號
     */
    private String loginName;

    private Long userId;

    /**
     * 用戶角色
     *
     * @date 2021/1/10
     * @since 1.0.0
     */
    private List<UserRole> roleList;
    /**
     * 權限列表
     *
     * @date 2021/1/11
     * @since 1.0.0
     */
    private List<UserPermission> permissionList;


    /**
     * 客戶端用戶
     *
     * @param client 客戶端
     *
     * @author <a href = "mailto:[email protected]" > huan </a >
     * @date 2021/1/13
     * @since 1.0.0
     */
    public SecurityUser(OauthClientDetails client) {
        if (client != null) {
            password = client.getClientSecret();
            loginName = client.getClientId();
            String authorities = client.getAuthorities();
            StringTokenizer stringTokenizer = new StringTokenizer(authorities, ", ");
            roleList = new ArrayList<>();
            if (stringTokenizer.hasMoreTokens()) {
                UserRole userRole = new UserRole();
                userRole.setCode(stringTokenizer.nextToken());
                roleList.add(userRole);
            }
        }
    }

    /**
     * 普通用戶
     *
     * @param user           用戶
     * @param roleList       角色
     * @param permissionList 權限
     *
     * @author <a href = "mailto:[email protected]" > huan </a >
     * @date 2021/1/13
     * @since 1.0.0
     */
    public SecurityUser(User user, List<UserRole> roleList, List<UserPermission> permissionList) {
        if (user != null) {
            salt = user.getSalt();
            token = user.getToken();
            status = user.getStatus();
            password = user.getPassword();
            loginName = user.getLoginName();
            userId = user.getId();
            this.roleList = roleList;
            this.permissionList = permissionList;
        }
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        Collection<GrantedAuthority> authorities = new ArrayList<>();
        if (!CollUtil.isEmpty(roleList)) {
            for (UserRole role : roleList) {
                SimpleGrantedAuthority authority = new SimpleGrantedAuthority(role.getCode());
                authorities.add(authority);
            }
        }
        log.debug("獲取到的用戶權限：{}", authorities);
        return authorities;
    }

    @Override
    public String getPassword() {
        return password;
    }

    @Override
    public String getUsername() {
        return loginName;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}

package com.fedtech.common.config;

import cn.hutool.core.collection.CollUtil;
import com.fedtech.common.model.SecurityUser;
import com.fedtech.common.model.UserPermission;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

import java.io.Serializable;
import java.util.List;


/**
 * 自定義權限處理
 *
 * @author <a href="mailto:[email protected]">huan</a>
 * @version 1.0.0
 * @date 2021/2/26
 */
@Slf4j
@Configuration
public class MyPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        SecurityUser principal = (SecurityUser) authentication.getPrincipal();
        List<UserPermission> permissionList = principal.getPermissionList();
        if (CollUtil.isNotEmpty(permissionList)) {
            return permissionList.stream().anyMatch(x -> StringUtils.equals(x.getUrl(), (CharSequence) targetDomainObject) &&
                    StringUtils.equals(x.getCode(), (CharSequence) permission));
        }
        return false;
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        return false;
    }
}

使用

    /**
     * 查詢單個用戶
     *
     * @param query {@link UserQuery}
     *
     * @return com.fedtech.common.util.result.R<com.fedtech.sys.provider.view.UserView>
     *
     * @author <a href = "mailto:[email protected]" > huan </a >
     * @date 2021/2/20
     * @since 1.0.0
     */
    @GetMapping("select")
    @PreAuthorize("hasPermission('/sys/user/insert','userInsert')")
    public R<UserView> selectUser(UserQuery query) {
        UserDto dto = userService.selectUser(query);
        return R.successWithData(userMapper.dto2View(dto));
    }