《Spring實(shí)戰(zhàn)》-第十四章:保護(hù)方法(Security)(1)-使用注解保護(hù)方法

慢來(lái)比較快,虛心學(xué)技術(shù)

盡管Spring Security為我們提供了Web層的安全保護(hù),我們依舊有可能會(huì)疏忽而導(dǎo)致用戶通過(guò)正常訪問(wèn)路徑訪問(wèn)到不應(yīng)該訪問(wèn)的方法,所以除了在web層實(shí)施保護(hù)以外,我們還需要給底層的方法施加保護(hù)層。這樣就能保證如果用戶不具備權(quán)限的話,就無(wú)法執(zhí)行相應(yīng)的邏輯

Spring Security 提供了三種不同的安全注解:

  1. Spring Security 自帶的 @Secured 注解;
  2. JSR-250 的 @RolesAllowed 注解;
  3. 表達(dá)式驅(qū)動(dòng)的注解,包括 @PreAuthorize 、 @PostAuthorize 、 @PreFilter 和 @PostFilter 。

其中,@Secured@RolesAllowed 方案非常類似,能夠基于用戶所授予的權(quán)限限制對(duì)方法的訪問(wèn)

基礎(chǔ)環(huán)境:(詳細(xì)配置解釋請(qǐng)參考第九章文章)

<!--定義spring版本信息-->
<properties>
    <org.springframework.version>5.1.3.RELEASE</org.springframework.version>
    <spring.security.version>5.1.3.RELEASE</spring.security.version>
</properties>

<dependencies>
    <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>4.12</version>
        <scope>test</scope>
    </dependency>

    <!-- servlet -->
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>3.1.0</version>
        <scope>provided</scope>
    </dependency>

    <!-- jstl -->
    <dependency>
        <groupId>jstl</groupId>
        <artifactId>jstl</artifactId>
        <version>1.2</version>
    </dependency>

    <!--lombok引入,用于精簡(jiǎn)代碼,bean類使用注解默認(rèn)攜帶setter和getter方法等-->
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <version>1.18.4</version>
    </dependency>

    <!--    Spring基礎(chǔ)框架引入   -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>${org.springframework.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context</artifactId>
        <version>${org.springframework.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-test</artifactId>
        <version>${org.springframework.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-aop</artifactId>
        <version>${org.springframework.version}</version>
    </dependency>

    <dependency>
        <groupId>org.aspectj</groupId>
        <artifactId>aspectjweaver</artifactId>
        <version>1.8.13</version>
    </dependency>

    <!-- Spring MVC -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>${org.springframework.version}</version>
    </dependency>

    <!--     Spring Security依賴       -->
    <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-core -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>${spring.security.version}</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-web -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${spring.security.version}</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-com.my.spring.config -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
</dependencies>

配置web環(huán)境

  • 配置SpringMVC默認(rèn)DispatcherServlet
public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    private final Logger logger = LoggerFactory.getLogger(this.getClass());

    /*AbstractAnnotationConfigDispatcherServletInitializer 會(huì)同時(shí)創(chuàng)
    建 DispatcherServlet 和 ContextLoaderListener 。 GetServlet-ConfigClasses() 方法返回的帶有 @Configuration 注解的
    類將會(huì)用來(lái)定義 DispatcherServlet 應(yīng)用上下文中的 bean 。 getRootConfigClasses() 方法返回的帶有 @Configuration 注解的類將
    會(huì)用來(lái)配置 ContextLoaderListener 創(chuàng)建的應(yīng)用上下文中的 bean 。*/

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class[]{RootConfig.class};
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class[]{WebConfig.class};
    }

    @Override
    protected String[] getServletMappings() {
        logger.debug("DispatcherServlet獲取匹配的前端控制器。。。。。。");
        return new String[]{"/"};
    }
}
  • 創(chuàng)建Spring Security的DelegatingFilterProxy,自動(dòng)加載springSecurityFilterChain 
/**
 *  攔截發(fā)往應(yīng)用中的請(qǐng)求,并將請(qǐng)求委托給 ID 為 springSecurityFilterChain的bean
 *  springSecurityFilterChain 本身是另一個(gè)特殊的 Filter,它也被稱為 FilterChainProxy.它可以鏈接任意一個(gè)或多個(gè)其他的 Filter。
 *  Spring Security 依賴一系列 Servlet Filter 來(lái)提供不同的安全特性。
 **/
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {}
  • 配置SpringMVC的根配置和Web配置
@Configuration
@ComponentScan(basePackages ={"com.my.spring"},excludeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = {EnableWebMvc.class})})
public class RootConfig {
}

@EnableWebMvc
@Configuration
@ComponentScan(basePackages = {"com.my.spring.controller"})
@Import(SecurityConfig.class)//引入Spring Security的配置
public class WebConfig extends WebMvcConfigurationSupport {

    /**
     * 定義一個(gè)視圖解析器
     *
     * @return org.springframework.web.servlet.ViewResolver
     *
     * @author lai.guanfu 2019/3/5
     * @version 1.0
     **/
    @Bean
    public ViewResolver viewResolver(){
        InternalResourceViewResolver resourceViewResolver = new InternalResourceViewResolver();
        resourceViewResolver.setPrefix("/WEB-INF/view/");
        resourceViewResolver.setSuffix(".jsp");
        resourceViewResolver.setExposeContextBeansAsAttributes(true);
        resourceViewResolver.setViewClass(JstlView.class);
        return resourceViewResolver;
    }

    @Override
    protected void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
        configurer.enable();
    }
}
  • SecurityConfig.java:開(kāi)啟Spring Security并配置基本攔截和用戶信息,增加兩個(gè)用戶
@Configuration
@EnableWebSecurity//啟用Spring Security
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * 設(shè)置攔截路徑
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                //配置攔截路徑以及認(rèn)證通過(guò)的身份,此處指定訪問(wèn)/user/**的請(qǐng)求會(huì)被攔截認(rèn)證,必須以DBA或者ADMIN的身份登錄
                .antMatchers("/user/**").access("hasAnyRole('ROLE_DBA','ROLE_ADMIN')")
                //表明除了上述路徑需要攔截認(rèn)證外,其余路徑全部不進(jìn)行認(rèn)證
                .anyRequest().permitAll()
                //add()方法用于連接各種配置指令
                .and() 
                //當(dāng)重寫(xiě)configure(HttpSecurity http)方法后,將失去Spring Security的默認(rèn)登錄頁(yè),可以使用formLogin()重新啟用
                .formLogin();
    }

    /**
     * 使用內(nèi)存設(shè)置基本人物信息
     * @param auth
     * @throws Exception
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        //使用內(nèi)存添加用戶名及登陸密碼和身份,使用指定編碼器對(duì)密碼進(jìn)行編碼
        auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder()).withUser("admin").password(new BCryptPasswordEncoder().encode("123456")).roles("ADMIN");
        auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder()).withUser("dba").password(new BCryptPasswordEncoder().encode("123456")).roles("DBA");

        //Spring Security 5.0之前的寫(xiě)法,5.0之后,如果沒(méi)有指定密碼編碼器,將會(huì)報(bào)There is no PasswordEncoder mapped for the id "null"的錯(cuò)
        /*auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN");
        auth.inMemoryAuthentication().withUser("dba").password("123456").roles("DBA");*/
    }
}
  • 編寫(xiě)基本類
@Data//lombok注解,默認(rèn)編譯生成setter和getter方法
public class User {
    /**
     * 用戶名
     **/
    private String userName;

    /**
     * 密碼
     **/
    private String password;

    /**
     * 年齡
     **/
    private Integer age;
}
  • 編寫(xiě)基本dao,此處為方便起見(jiàn),不實(shí)現(xiàn)jdbc
@Repository
public class BaseDao {

    /**
     * 根據(jù)用戶名獲取用戶
     * @param userName
     * @return
     */
    public User get(String userName) {
        System.out.println("獲取用戶");
        User user = new User();
        user.setUserName(userName);
        return user;
    }

    /**
     * 根據(jù)用戶名刪除用戶
     * @return
     */
    public void delete() {
        System.out.println("刪除用戶?。。?);
    }

    /**
     * 保存用戶
     * @param user
     * @return
     */
    public User save(User user) {
        return user;
    }
}
  • 編寫(xiě)基本Service接口和實(shí)現(xiàn)類
public interface BaseService {

    /**
     * 獲取管理員信息
     * @return
     */
    User getAdmin();

    /**
     * 獲取DBA用戶信息
     * @return
     */
    User getDBA();

    /**
     * 刪除用戶
     */
    void deleteUser();

    /**
     * 添加用戶
     * @param user
     * @return
     */
    User addUser(User user);
}

@Component
public class BaseServiceImpl implements BaseService {

    @Autowired
    private BaseDao baseDao;

    @Override
    public User getAdmin() {
        return this.baseDao.get("admin");
    }

    @Override
    public User getDBA() {
        return this.baseDao.get("dba");
    }

    @Override
    public void deleteUser() {
        this.baseDao.delete();
    }

    @Override
    public User addUser(User user) {
        return this.baseDao.save(user);
    }
}
  • 編寫(xiě)基本controller
@Controller
public class MyController{

    @Autowired
    private BaseService baseService;

    @RequestMapping(value = {"/user/getAdmin"},method = RequestMethod.GET)
    public ModelAndView getAdmin(){
        ModelAndView model = new ModelAndView();
        User admin = this.baseService.getAdmin();
        model.addObject("user",admin);
        model.setViewName("showUserMessage");
        return model;
    }

    @RequestMapping(value = {"/user/getDBA"},method = RequestMethod.GET)
    public ModelAndView getDBA(){
        ModelAndView model = new ModelAndView();
        User dba = this.baseService.getDBA();
        model.addObject("user",dba);
        model.setViewName("showUserMessage");
        return model;
    }

    @RequestMapping("/user/userForm")
    public String login(){
        return "userForm";
    }

    @RequestMapping(value = {"/user/addUser"})
    public ModelAndView addUser(User user){
        ModelAndView model = new ModelAndView();
        User temp = this.baseService.addUser(user);
        model.addObject("user",temp);
        model.setViewName("showUserMessage");
        return model;
    }

    @RequestMapping(value = {"/user/deleteUser"})
    public ModelAndView deleteUser(){
        ModelAndView model = new ModelAndView();
        this.baseService.deleteUser();
        model.addObject("message","刪除成功?。。?);
        model.setViewName("showUserMessage");
        return model;
    }
}
  • 編寫(xiě)基本視圖
/userForm.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>新增用戶</title>
</head>
<body>
    <form method="get" action="./user/addUser">
        <label>用戶名:</label><input type="text" name="userName">
        <label>密碼:</label><input type="password" name="password">
        <label>年齡:</label><input type="text" name="age">
        <button type="submit">提交</button>
    </form>
</body>
</html>

/showUserMessage.jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ page isELIgnored="false" %>
<html>
<head>
    <title>用戶信息頁(yè)</title>
</head>
<body>
<c:if test="${user != null}">
   <label>您獲取到的用戶名字為:</label><span style="font-size: large">${user.userName}</span>
</c:if>
<c:if test="${user == null}">
    <span>${message}</span>
</c:if>
</body>
</html>

其基本目錄結(jié)構(gòu)如下:


執(zhí)行簡(jiǎn)單測(cè)試:

訪問(wèn)/user/getAdmin,使用dba進(jìn)行登錄

訪問(wèn)/user/getDBA,使用admin進(jìn)行登錄

可以看到,無(wú)論是amdin還是dba用戶,只要具備/user/**的訪問(wèn)權(quán)限,就可以對(duì)路徑內(nèi)的方法擁有暢通的訪問(wèn),這顯然不是我們所允許的。

Ⅰ、@Secured注解實(shí)現(xiàn)方法訪問(wèn)權(quán)限限制

要使用@Secured之前,我們需要先開(kāi)啟Security的方法權(quán)限配置:@EnableGlobalMethodSecurity(securedEnabled = true)&GlobalMethodSecurityConfiguration

如果 securedEnabled 屬性的值為 true 的話,將會(huì)創(chuàng)建一個(gè)切點(diǎn),這樣的話 Spring Security 切面就會(huì)包裝帶有 @Secured 注解的方法

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)//開(kāi)啟全局方法權(quán)限控制
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
}

接下來(lái),為Service添加方法權(quán)限控制-@Secured(value = {})

@Secured 注解會(huì)使用一個(gè) String 數(shù)組作為參數(shù)。每個(gè) String 值是一個(gè)權(quán)限,調(diào)用這個(gè)方法至少需要具備其中的一個(gè)權(quán)限:

如下面的getAdmin方法只允許具備ROLE_ADMIN身份的用戶訪問(wèn),也就是admin

而getDBA方法則允許具備ROLE_ADMIN或者ROLE_DBA身份的用戶訪問(wèn),依此類推

@Component
public class BaseServiceImpl implements BaseService {

    @Autowired
    private BaseDao baseDao;

    @Override
    @Secured(value = {"ROLE_ADMIN"})
    public User getAdmin() {
        return this.baseDao.get("admin");
    }

    @Override
    @Secured(value = {"ROLE_ADMIN","ROLE_DBA"})
    public User getDBA() {
        return this.baseDao.get("dba");
    }

    @Override
    @Secured(value = {"ROLE_ADMIN"})
    public void deleteUser() {
        this.baseDao.delete();
    }

    @Override
    @Secured(value = {"ROLE_ADMIN","ROLE_DBA"})
    public User addUser(User user) {
        return this.baseDao.save(user);
    }
}

測(cè)試結(jié)果:

使用admin身份訪問(wèn)/user/getAdmin,允許訪問(wèn)

使用admin身份訪問(wèn)/user/deleteUser,允許訪問(wèn)

使用dba身份訪問(wèn)/user/getAdmin,權(quán)限不足

使用dba身份訪問(wèn)/user/deleteUser,權(quán)限不足

可以看到,即便dba擁有對(duì)/user/**路徑的完全訪問(wèn)權(quán)限,依舊無(wú)法訪問(wèn)受限方法,方法保護(hù)成功

Ⅱ、 @RolesAllowed 注解實(shí)現(xiàn)方法訪問(wèn)權(quán)限限制

@RolesAllowed 注解和 @Secured 注解在各個(gè)方面基本上都是一致的。唯一顯著的區(qū)別在于 @RolesAllowed 是 JSR-250 定義的 Java 標(biāo)準(zhǔn)注解

兩者使用上的區(qū)別在于注解名稱和@EnableGlobalMethodSecurity()開(kāi)啟的方式

①引入maven依賴

<dependency>
    <groupId>javax.annotation</groupId>
    <artifactId>jsr250-api</artifactId>
    <version>1.0</version>
</dependency>

②更改MethodSecurityConfig,開(kāi)啟jsr250Enabled 支持,值得注意的是,此處實(shí)際上可以同時(shí)使用securedEnabled和jsr250Enabled,兩者并不沖突

@Configuration
@EnableGlobalMethodSecurity(jsr250Enabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
}

③更改目標(biāo)方法使用的注解

@Component
public class BaseServiceImpl implements BaseService {

    @Autowired
    private BaseDao baseDao;

    @Override
    @RolesAllowed(value = {"ROLE_ADMIN"})
    public User getAdmin() {
        return this.baseDao.get("admin");
    }

    @Override
    @RolesAllowed(value = {"ROLE_ADMIN","ROLE_DBA"})
    public User getDBA() {
        return this.baseDao.get("dba");
    }

    @Override
    @RolesAllowed(value = {"ROLE_ADMIN"})
    public void deleteUser() {
        this.baseDao.delete();
    }

    @Override
    @RolesAllowed(value = {"ROLE_ADMIN","ROLE_DBA"})
    public User addUser(User user) {
        return this.baseDao.save(user);
    }
}

④執(zhí)行測(cè)試

使用admin登錄,訪問(wèn)/user/getAdmin,允許訪問(wèn)

使用admin登錄,訪問(wèn)/user/deleteUser,允許訪問(wèn)


使用dba登錄,訪問(wèn)/user/getAdmin,訪問(wèn)受限


使用dba登錄,訪問(wèn)/user/deleteUser,訪問(wèn)受限

?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書(shū)系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容