springsecurity权限配置在哪,springsecurity权限控制
目录
春天安全设置角色和权限概念使用模拟的代码在控制器中为方法添加权限控制安全性角色和权限的概念安全性中一些可选的表达式
SpringSecurity设置角色和权限
概念
在用户详细信息服务的loaduserbysusername方法里去构建当前登陆的用户时,你可以选择两种授权方法,即角色授权和权限授权,对应使用的代码是哈斯罗勒和有权威,而这两种方式在设置时也有不同,下面介绍一下:
角色授权:授权代码需要加角色_前缀,控制器上使用时不要加前缀权限授权:设置和使用时,名称保持一至即可
使用mock代码
@组件公共类MyUserDetailService实现userdailsservice { @ auto wired private password encoder密码编码器;@ Override public User details loaduserbysusername(String name)抛出UsernameNotFoundException { User User=new User(name,password encode。编码( 123456 ),权限实用程序。commaseparatedstringtoauthoritylist( read,ROLE _ User ));//设置权限和角色//1.commaseparatedstringtoauthoritylist放入角色时需要加前缀角色_,而在控制器使用时不需要加角色_前缀//2.放入的是权限时,不能加角色_前缀,有权威与放入的权限名称对应即可返回用户;}}上面使用了两种授权方法,大家可以参考。
在controller中为方法添加权限控制
@ get mapping(/write )@ pre authority( hasAuthority( write ))公共字符串getWrite() { return 有写权限;} @ get mapping(/read )@ pre authorize( has authority( read ))public String read date(){ return 有读取权限;} @ get mapping(/read-or-write )@ pre authority( hasAnyAuthority( read , write ))public String read write date(){ return 有读取或写入权限;} @ get mapping(/admin-role )@ pre authorize( has role( admin ))公共字符串read admin(){ return 有管理角色;} @ get mapping(/USER-role )@预授权( has role( USER ))公共字符串readUser() { return 有用户角色;}网上很多关于哈斯罗勒和hasAuthority的文章,很多都说二者没有区别,但我认为,这是弹簧设计者的考虑,两种性质完成独立的东西,不存在任何关系,一个是用做角色控制,一个是操作权限的控制,二者也并不矛盾。
Security角色和权限的概念
Security中一些可选的表达式
许可证永远返回truedenyAll永远返回虚假匿名当前用户是匿名的时返回truerememberMe当前用户是记住我用户时返回真实认证当前用户不是匿名的时返回真实认证
icated当前用户既不是anonymous也不是rememberMe用户时返回truehasRole(role)
用户拥有指定的角色权限时返回truehasAnyRole([role1,role2])
用户拥有任意一个指定的角色权限时返回truehasAuthority(authority)
用户拥有指定的权限时返回truehasAnyAuthority([authority1,authority2])
用户拥有任意一个指定的权限时返回truehasIpAddress('192.168.1.0')
请求发送的Ip匹配时返回true看到上述的表达式,应该能发现一些问题,在Security中,似乎并没有严格区分角色和权限,
如果没有角色和权限的区别,只需要hasRole()函数就够了, hasAuthority()是做什么用的?
答:区别就是,hasRole()的权限名称需要用 "ROLE_" 开头,而hasAuthority()不需要,而且,这就是全部的区别。
在通常的系统设计中,我们区分角色和权限,但是,判断 用户是不是管理员,和判断 是否拥有管理员权限,在代码逻辑上,其实是完全一致的,角色是一种权限的象征,可以看做是权限的一种。因此,不区分角色和权限,本身就是合理的做法。
如果撇开别的问题不谈,只考虑权限的问题,我们可以将角色视为权限的一种,但是,角色是用户的固有属性,在用户管理上还是非常有必要的,在Security4中,处理角色(如RoleVoter、hasRole表达式等)的代码总是会添加ROLE_前缀,它更加方便开发者从两个不同的维度去设计权限。
Spring Security3 到 Spring Security4 的迁移文档:
http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html#m3to4-role-prefixing
S.O. (Stack Overflow)网站对这个问题的描述:
https://stackoverflow.com/questions/19525380/difference-between-role-and-grantedauthority-in-spring-security
Think of a GrantedAuthority as being a "permission" or a "right". Those "permissions" are (normally) expressed as strings (with the getAuthority() method). Those strings let you identify the permissions and let your voters decide if they grant access to something.
You can grant different GrantedAuthoritys (permissions) to users by putting them into the security context. You normally do that by implementing your own UserDetailsService that returns a UserDetails implementation that returns the needed GrantedAuthorities.
Roles (as they are used in many examples) are just "permissions" with a naming convention that says that a role is a GrantedAuthority that starts with the prefix ROLE_. There's nothing more. A role is just a GrantedAuthority - a "permission" - a "right". You see a lot of places in spring security where the role with its ROLE_ prefix is handled specially as e.g. in the RoleVoter, where the ROLE_ prefix is used as a default. This allows you to provide the role names withtout the ROLE_ prefix. Prior to Spring security 4, this special handling of "roles" has not been followed very consistently and authorities and roles were often treated the same (as you e.g. can see in the implementation of the hasAuthority() method in SecurityExpressionRoot - which simply calls hasRole()). With Spring Security 4, the treatment of roles is more consistent and code that deals with "roles" (like the RoleVoter, the hasRole expression etc.) always adds the ROLE_ prefix for you. So hasAuthority('ROLE_ADMIN') means the the same as hasRole('ADMIN') because the ROLE_ prefix gets added automatically. See the spring security 3 to 4 migration guide for futher information.
以上为个人经验,希望能给大家一个参考,也希望大家多多支持盛行IT。
郑重声明:本文由网友发布,不代表盛行IT的观点,版权归原作者所有,仅为传播更多信息之目的,如有侵权请联系,我们将第一时间修改或删除,多谢。