別再用過時(shí)的方式了!全新版本Spring Security,這樣用才夠優(yōu)雅!

前不久Spring Boot 2.7.0 剛剛發(fā)布,Spring Security 也升級(jí)到了5.7.1 。升級(jí)后發(fā)現(xiàn),原來一直在用的Spring Security配置方法,居然已經(jīng)被棄用了。不禁感慨技術(shù)更新真快,用著用著就被棄用了!今天帶大家體驗(yàn)下Spring Security的最新用法,看看是不是夠優(yōu)雅!

SpringBoot實(shí)戰(zhàn)電商項(xiàng)目mall(50k+star)地址:github.com/macrozheng/…

基本使用

我們先對(duì)比下Spring Security提供的基本功能登錄認(rèn)證,來看看新版用法是不是更好。

升級(jí)版本

首先修改項(xiàng)目的pom.xml文件,把Spring Boot版本升級(jí)至2.7.0版本。

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.0</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>

舊用法

在Spring Boot 2.7.0 之前的版本中,我們需要寫個(gè)配置類繼承WebSecurityConfigurerAdapter,然后重寫Adapter中的三個(gè)方法進(jìn)行配置;

/**
 * SpringSecurity的配置
 * Created by macro on 2018/4/26.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class OldSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UmsAdminService adminService;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        //省略HttpSecurity的配置
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService())
                .passwordEncoder(passwordEncoder());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

}

如果你在SpringBoot 2.7.0版本中進(jìn)行使用的話,你就會(huì)發(fā)現(xiàn)WebSecurityConfigurerAdapter已經(jīng)被棄用了,看樣子Spring Security要堅(jiān)決放棄這種用法了!

新用法

新用法非常簡單,無需再繼承WebSecurityConfigurerAdapter,只需直接聲明配置類,再配置一個(gè)生成SecurityFilterChainBean的方法,把原來的HttpSecurity配置移動(dòng)到該方法中即可。

/**
 * SpringSecurity 5.4.x以上新用法配置
 * 為避免循環(huán)依賴,僅用于配置HttpSecurity
 * Created by macro on 2022/5/19.
 */
@Configuration
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        //省略HttpSecurity的配置
        return httpSecurity.build();
    }

}

新用法感覺非常簡潔干脆,避免了繼承WebSecurityConfigurerAdapter并重寫方法的操作,強(qiáng)烈建議大家更新一波!

高級(jí)使用

升級(jí) Spring Boot 2.7.0版本后,Spring Security對(duì)于配置方法有了大的更改,那么其他使用有沒有影響呢?其實(shí)是沒啥影響的,這里再聊聊如何使用Spring Security實(shí)現(xiàn)動(dòng)態(tài)權(quán)限控制!

基于方法的動(dòng)態(tài)權(quán)限

首先來聊聊基于方法的動(dòng)態(tài)權(quán)限控制,這種方式雖然實(shí)現(xiàn)簡單,但卻有一定的弊端。

  • 在配置類上使用@EnableGlobalMethodSecurity來開啟它;
/**
 * SpringSecurity的配置
 * Created by macro on 2018/4/26.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class OldSecurityConfig extends WebSecurityConfigurerAdapter {

}
  • 然后在方法中使用@PreAuthorize配置訪問接口需要的權(quán)限;
/**
 * 商品管理Controller
 * Created by macro on 2018/4/26.
 */
@Controller
@Api(tags = "PmsProductController", description = "商品管理")
@RequestMapping("/product")
public class PmsProductController {
    @Autowired
    private PmsProductService productService;

    @ApiOperation("創(chuàng)建商品")
    @RequestMapping(value = "/create", method = RequestMethod.POST)
    @ResponseBody
    @PreAuthorize("hasAuthority('pms:product:create')")
    public CommonResult create(@RequestBody PmsProductParam productParam, BindingResult bindingResult) {
        int count = productService.create(productParam);
        if (count > 0) {
            return CommonResult.success(count);
        } else {
            return CommonResult.failed();
        }
    }
}
  • 再從數(shù)據(jù)庫中查詢出用戶所擁有的權(quán)限值設(shè)置到UserDetails對(duì)象中去,這種做法雖然實(shí)現(xiàn)方便,但是把權(quán)限值寫死在了方法上,并不是一種優(yōu)雅的做法。
/**
 * UmsAdminService實(shí)現(xiàn)類
 * Created by macro on 2018/4/26.
 */
@Service
public class UmsAdminServiceImpl implements UmsAdminService {
    @Override
    public UserDetails loadUserByUsername(String username){
        //獲取用戶信息
        UmsAdmin admin = getAdminByUsername(username);
        if (admin != null) {
            List<UmsPermission> permissionList = getPermissionList(admin.getId());
            return new AdminUserDetails(admin,permissionList);
        }
        throw new UsernameNotFoundException("用戶名或密碼錯(cuò)誤");
    }
}

基于路徑的動(dòng)態(tài)權(quán)限

其實(shí)每個(gè)接口對(duì)應(yīng)的路徑都是唯一的,通過路徑來進(jìn)行接口的權(quán)限控制才是更優(yōu)雅的方式。

  • 首先我們需要?jiǎng)?chuàng)建一個(gè)動(dòng)態(tài)權(quán)限的過濾器,這里注意下doFilter方法,用于配置放行OPTIONS白名單請(qǐng)求,它會(huì)調(diào)用super.beforeInvocation(fi)方法,此方法將調(diào)用AccessDecisionManager中的decide方法來進(jìn)行鑒權(quán)操作;
/**
 * 動(dòng)態(tài)權(quán)限過濾器,用于實(shí)現(xiàn)基于路徑的動(dòng)態(tài)權(quán)限過濾
 * Created by macro on 2020/2/7.
 */
public class DynamicSecurityFilter extends AbstractSecurityInterceptor implements Filter {

    @Autowired
    private DynamicSecurityMetadataSource dynamicSecurityMetadataSource;
    @Autowired
    private IgnoreUrlsConfig ignoreUrlsConfig;

    @Autowired
    public void setMyAccessDecisionManager(DynamicAccessDecisionManager dynamicAccessDecisionManager) {
        super.setAccessDecisionManager(dynamicAccessDecisionManager);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        FilterInvocation fi = new FilterInvocation(servletRequest, servletResponse, filterChain);
        //OPTIONS請(qǐng)求直接放行
        if(request.getMethod().equals(HttpMethod.OPTIONS.toString())){
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
            return;
        }
        //白名單請(qǐng)求直接放行
        PathMatcher pathMatcher = new AntPathMatcher();
        for (String path : ignoreUrlsConfig.getUrls()) {
            if(pathMatcher.match(path,request.getRequestURI())){
                fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
                return;
            }
        }
        //此處會(huì)調(diào)用AccessDecisionManager中的decide方法進(jìn)行鑒權(quán)操作
        InterceptorStatusToken token = super.beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            super.afterInvocation(token, null);
        }
    }

    @Override
    public void destroy() {
    }

    @Override
    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return dynamicSecurityMetadataSource;
    }

}
  • 接下來我們就需要?jiǎng)?chuàng)建一個(gè)類來繼承AccessDecisionManager,通過decide方法對(duì)訪問接口所需權(quán)限和用戶擁有的權(quán)限進(jìn)行匹配,匹配則放行;
/**
 * 動(dòng)態(tài)權(quán)限決策管理器,用于判斷用戶是否有訪問權(quán)限
 * Created by macro on 2020/2/7.
 */
public class DynamicAccessDecisionManager implements AccessDecisionManager {

    @Override
    public void decide(Authentication authentication, Object object,
                       Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
        // 當(dāng)接口未被配置資源時(shí)直接放行
        if (CollUtil.isEmpty(configAttributes)) {
            return;
        }
        Iterator<ConfigAttribute> iterator = configAttributes.iterator();
        while (iterator.hasNext()) {
            ConfigAttribute configAttribute = iterator.next();
            //將訪問所需資源或用戶擁有資源進(jìn)行比對(duì)
            String needAuthority = configAttribute.getAttribute();
            for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
                if (needAuthority.trim().equals(grantedAuthority.getAuthority())) {
                    return;
                }
            }
        }
        throw new AccessDeniedException("抱歉,您沒有訪問權(quán)限");
    }

    @Override
    public boolean supports(ConfigAttribute configAttribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> aClass) {
        return true;
    }

}
  • 由于上面的decide方法中的configAttributes屬性是從FilterInvocationSecurityMetadataSourcegetAttributes方法中獲取的,我們還需創(chuàng)建一個(gè)類繼承它,getAttributes方法可用于獲取訪問當(dāng)前路徑所需權(quán)限值;
/**
 * 動(dòng)態(tài)權(quán)限數(shù)據(jù)源,用于獲取動(dòng)態(tài)權(quán)限規(guī)則
 * Created by macro on 2020/2/7.
 */
public class DynamicSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    private static Map<String, ConfigAttribute> configAttributeMap = null;
    @Autowired
    private DynamicSecurityService dynamicSecurityService;

    @PostConstruct
    public void loadDataSource() {
        configAttributeMap = dynamicSecurityService.loadDataSource();
    }

    public void clearDataSource() {
        configAttributeMap.clear();
        configAttributeMap = null;
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object o) throws IllegalArgumentException {
        if (configAttributeMap == null) this.loadDataSource();
        List<ConfigAttribute>  configAttributes = new ArrayList<>();
        //獲取當(dāng)前訪問的路徑
        String url = ((FilterInvocation) o).getRequestUrl();
        String path = URLUtil.getPath(url);
        PathMatcher pathMatcher = new AntPathMatcher();
        Iterator<String> iterator = configAttributeMap.keySet().iterator();
        //獲取訪問該路徑所需資源
        while (iterator.hasNext()) {
            String pattern = iterator.next();
            if (pathMatcher.match(pattern, path)) {
                configAttributes.add(configAttributeMap.get(pattern));
            }
        }
        // 未設(shè)置操作請(qǐng)求權(quán)限,返回空集合
        return configAttributes;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    @Override
    public boolean supports(Class<?> aClass) {
        return true;
    }

}
  • 這里需要注意的是,所有路徑對(duì)應(yīng)的權(quán)限值數(shù)據(jù)來自于自定義的DynamicSecurityService;
/**
 * 動(dòng)態(tài)權(quán)限相關(guān)業(yè)務(wù)類
 * Created by macro on 2020/2/7.
 */
public interface DynamicSecurityService {
    /**
     * 加載資源ANT通配符和資源對(duì)應(yīng)MAP
     */
    Map<String, ConfigAttribute> loadDataSource();
}
  • 一切準(zhǔn)備就緒,把動(dòng)態(tài)權(quán)限過濾器添加到FilterSecurityInterceptor之前;
/**
 * SpringSecurity 5.4.x以上新用法配置
 * 為避免循環(huán)依賴,僅用于配置HttpSecurity
 * Created by macro on 2022/5/19.
 */
@Configuration
public class SecurityConfig {

    @Autowired
    private DynamicSecurityService dynamicSecurityService;
    @Autowired
    private DynamicSecurityFilter dynamicSecurityFilter;

    @Bean
    SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        //省略若干配置...
        //有動(dòng)態(tài)權(quán)限配置時(shí)添加動(dòng)態(tài)權(quán)限校驗(yàn)過濾器
        if(dynamicSecurityService!=null){
            registry.and().addFilterBefore(dynamicSecurityFilter, FilterSecurityInterceptor.class);
        }
        return httpSecurity.build();
    }

}
  • 如果你看過這篇僅需四步,整合SpringSecurity+JWT實(shí)現(xiàn)登錄認(rèn)證 ! 的話,就知道應(yīng)該要配置這兩個(gè)Bean了,一個(gè)負(fù)責(zé)獲取登錄用戶信息,另一個(gè)負(fù)責(zé)獲取存儲(chǔ)的動(dòng)態(tài)權(quán)限規(guī)則,為了適應(yīng)Spring Security的新用法,我們不再繼承SecurityConfig,簡潔了不少!
/**
 * mall-security模塊相關(guān)配置
 * 自定義配置,用于配置如何獲取用戶信息及動(dòng)態(tài)權(quán)限
 * Created by macro on 2022/5/20.
 */
@Configuration
public class MallSecurityConfig {

    @Autowired
    private UmsAdminService adminService;

    @Bean
    public UserDetailsService userDetailsService() {
        //獲取登錄用戶信息
        return username -> {
            AdminUserDetails admin = adminService.getAdminByUsername(username);
            if (admin != null) {
                return admin;
            }
            throw new UsernameNotFoundException("用戶名或密碼錯(cuò)誤");
        };
    }

    @Bean
    public DynamicSecurityService dynamicSecurityService() {
        return new DynamicSecurityService() {
            @Override
            public Map<String, ConfigAttribute> loadDataSource() {
                Map<String, ConfigAttribute> map = new ConcurrentHashMap<>();
                List<UmsResource> resourceList = adminService.getResourceList();
                for (UmsResource resource : resourceList) {
                    map.put(resource.getUrl(), new org.springframework.security.access.SecurityConfig(resource.getId() + ":" + resource.getName()));
                }
                return map;
            }
        };
    }

}

效果測試

  • 接下來啟動(dòng)我們的示例項(xiàng)目mall-tiny-security,使用如下賬號(hào)密碼登錄,該賬號(hào)只配置了訪問/brand/listAll的權(quán)限,訪問地址:http://localhost:8088/swagger-ui/
  • 然后把返回的token放入到Swagger的認(rèn)證頭中;
  • 當(dāng)我們?cè)L問有權(quán)限的接口時(shí)可以正常獲取到數(shù)據(jù);
  • 當(dāng)我們?cè)L問沒有權(quán)限的接口時(shí),返回沒有訪問權(quán)限的接口提示。

總結(jié)

Spring Security的升級(jí)用法確實(shí)夠優(yōu)雅,夠簡單,而且對(duì)之前用法的兼容性也比較好!個(gè)人感覺一個(gè)成熟的框架不太會(huì)在升級(jí)過程中大改用法,即使改了也會(huì)對(duì)之前的用法做兼容,所以對(duì)于絕大多數(shù)框架來說舊版本會(huì)用,新版本照樣會(huì)用!

?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容