1. Basic ideas for authorization
In Spring Security, authorization is performed by default by the FilterSecurityInterceptor. It obtains the Authentication from the SecurityContextHolder, reads the authorities it carries, and checks whether the current user holds the permissions required to access the requested resource.
So in the project we only need to store the logged-in user's permission information in the Authentication, and then declare the permissions required by each of our resources.
2. Implementation process
(1) Turn on related configuration
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

    // prePostEnabled = true turns on @PreAuthorize / @PostAuthorize processing.
    // (Since Spring Security 5.6 this annotation is deprecated in favour of @EnableMethodSecurity,
    // which enables pre/post annotations by default.)
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfig {
        // .....
    }
Then the corresponding annotations can be used, e.g. @PreAuthorize on each endpoint:
    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class HelloController {

        // Only a principal whose authorities contain "test" may call this endpoint
        @RequestMapping("/hello")
        @PreAuthorize("hasAuthority('test')")
        public String hello() {
            return "hello";
        }
    }
(2) Custom LoginUser, encapsulate permission information
We defined the UserDetails implementation class LoginUser earlier. For it to also encapsulate the permission information, it has to be modified:
    import com.alibaba.fastjson.annotation.JSONField;
    import lombok.Data;
    import lombok.NoArgsConstructor;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;

    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.List;

    @Data
    @NoArgsConstructor
    public class LoginUser implements UserDetails {

        private User user;

        // The list of permission strings loaded for this user
        private List<String> list;

        public LoginUser(User user, List<String> list) {
            this.user = user;
            this.list = list;
        }

        // Cached conversion of the permission strings into GrantedAuthority objects.
        // Excluded from serialization so it is rebuilt from `list` after deserialization.
        @JSONField(serialize = false)
        private List<SimpleGrantedAuthority> authorities;

        // Return the authorities that Spring Security checks against
        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() {
            if (authorities != null) {
                return authorities;
            }
            authorities = new ArrayList<>();
            for (String item : list) {
                authorities.add(new SimpleGrantedAuthority(item));
            }
            return authorities;
        }

        // Get password (getter name assumed from the User entity; lost in extraction)
        @Override
        public String getPassword() {
            return user.getPassword();
        }

        // Get username (getter name assumed from the user_name column; lost in extraction)
        @Override
        public String getUsername() {
            return user.getUserName();
        }

        // Whether the account has not expired
        @Override
        public boolean isAccountNonExpired() {
            return true;
        }

        // Whether the account is not locked
        @Override
        public boolean isAccountNonLocked() {
            return true;
        }

        // Whether the credentials (password) have not expired
        @Override
        public boolean isCredentialsNonExpired() {
            return true;
        }

        // Whether the account is enabled
        @Override
        public boolean isEnabled() {
            return true;
        }
    }
(3) Query permission information from the database
RBAC model
We can call the mapper methods in UserDetailsServiceImpl to query the permission information and encapsulate it in the LoginUser object:
    import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;

    import java.util.List;
    import java.util.Objects;

    @Service
    public class UserDetailServiceImpl implements UserDetailsService {

        @Autowired
        private UserMapper userMapper;

        @Autowired
        private MenuMapper menuMapper;

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            // 1. Query the user record by username
            QueryWrapper<User> queryWrapper = new QueryWrapper<>();
            queryWrapper.eq("user_name", username);
            User user = userMapper.selectOne(queryWrapper);
            // If the user is not found, throw an exception
            // (the generic message avoids telling a caller whether the username exists)
            if (Objects.isNull(user)) {
                throw new RuntimeException("Error in username or password");
            }
            // 2. Query the permissions granted to this user
            // (hard-coded list that was used while testing:)
            // List<String> list = new ArrayList<>();
            // list.add("select");
            // list.add("delete");
            // Mapper method name assumed; the original call was lost in extraction
            List<String> list = menuMapper.selectPermsByUserId(user.getId());
            // 3. Return the UserDetails object carrying user and permissions
            return new LoginUser(user, list);
        }
    }
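As an added check that is not part of the article, the following JUnit test exercises the setup above end to end: it verifies that the @PreAuthorize rule on /hello yields 403 for an authenticated user lacking the 'test' authority, and that LoginUser's permissions only reach the interceptor when they are passed into the Authentication token. It assumes spring-boot-starter-test and spring-security-test on the test classpath, a Spring Boot context that can start under test, Java 11 or newer, and that the User entity has a no-arg constructor.

```java
import static org.junit.jupiter.api.Assertions.*;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class HelloAuthorizationTest {
    @Autowired private MockMvc mvc;

    // A principal that carries the 'test' authority passes the @PreAuthorize check.
    @Test
    @WithMockUser(username = "alice", authorities = "test")
    void userWithTestAuthorityIsAllowed() throws Exception {
        mvc.perform(get("/hello")).andExpect(status().isOk());
    }

    // An authenticated principal without 'test' is rejected with 403 (not 401).
    @Test
    @WithMockUser(username = "bob", authorities = "other")
    void userWithoutTestAuthorityIsForbidden() throws Exception {
        mvc.perform(get("/hello")).andExpect(status().isForbidden());
    }

    // Permissions reach the interceptor only via the Authentication's authorities:
    // the three-argument token constructor carries them, the two-argument one does not.
    @Test
    void authoritiesMustBePassedIntoTheAuthentication() {
        LoginUser loginUser = new LoginUser(new User(), List.of("test", "select")); // constructed sample
        Set<String> names = loginUser.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).collect(Collectors.toSet());
        assertEquals(Set.of("test", "select"), names);
        Authentication full = new UsernamePasswordAuthenticationToken(loginUser, null, loginUser.getAuthorities());
        assertTrue(full.isAuthenticated());
        Authentication bare = new UsernamePasswordAuthenticationToken(loginUser, null);
        assertFalse(bare.isAuthenticated());
        assertTrue(bare.getAuthorities().isEmpty()); // hasAuthority('test') would fail here
    }
}
```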
That concludes this article on implementing authorization with Spring Security. For more on Spring Security authorization, please search my previous articles or continue with the related articles below. I hope you will keep supporting me!