一、使用场景
springboot、springSecurity、mybatis 基于角色的权限控制
二、参考文献
说明:网上查了一圈,只按照以上这篇博客实践成功,本文仅仅是自己实践的一些记录
三、坑
3.1
User 最好是implements UserDetails
public class User implements UserDetails {
3.2
User里角色对象要用Authority implements GrantedAuthority描述,不要用自定义的枚举或者字符串
private Listauthoritys;
public class Authority implements GrantedAuthority { private String id; private String username; private String role;
3.3
SecurityConfig配置使用hasRole()时,不要在前面加.anyRequest().authenticated(),在最后面可以加,加在前面会使hasRole()失效
protected void configure(HttpSecurity http) throws Exception { http.formLogin().loginPage("/login").permitAll().failureUrl("/error").and().logout().logoutSuccessUrl("/login").permitAll().and().rememberMe().alwaysRemember(true) .and().authorizeRequests()// .anyRequest().authenticated() 这行不能加在前面 .antMatchers("/").hasRole("USER") .antMatchers("/manager/**").hasRole("ROOT") .antMatchers("/user/**").hasRole("USER") .anyRequest().authenticated() .and().csrf().disable(); }
3.4
数据库里的角色要加前缀ROLE_ 例如:ROLE_ROOT
而SecurityConfig配置里要写不带前缀的例如.antMatchers("/").hasRole("ROOT")
四、解决方案
4.1 环境
jdk 8、springboot 2.0.1.RELEASE、maven、mybatis
4.2 关键依赖
org.springframework.boot spring-boot-starter-security org.thymeleaf.extras thymeleaf-extras-springsecurity4 3.0.2.RELEASE
4.3 实体类
User
package com.xp.entity;import org.apache.ibatis.annotations.Many;import org.springframework.security.core.GrantedAuthority;import org.springframework.security.core.authority.SimpleGrantedAuthority;import org.springframework.security.core.userdetails.UserDetails;import java.io.Serializable;import java.util.ArrayList;import java.util.Collection;import java.util.List;public class User implements UserDetails, Serializable { private String username; private String password; private List authoritys; @Override public boolean isAccountNonExpired() { return true; } @Override public boolean isAccountNonLocked() { return true; } @Override public boolean isCredentialsNonExpired() { return true; } @Override public boolean isEnabled() { return true; } @Override public Collection getAuthorities() { List simpleAuthorities = new ArrayList<>(); for(GrantedAuthority authority : this.authoritys){ simpleAuthorities.add(new SimpleGrantedAuthority(authority.getAuthority())); } return simpleAuthorities; } } Authority 角色
public class Authority implements GrantedAuthority { private String id; private String username; private String role;} UserMapper(基于mybits注解)
可以参考:
配置类
@Configuration@EnableGlobalMethodSecurity(prePostEnabled = true)// 启用方法安全设置public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private DataSource dataSource; @Autowired private PasswordEncoder passwordEncoder; @Bean CustomUserService customUserService() { return new CustomUserService(); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Bean public AuthenticationProvider authenticationProvider() { DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider(); authenticationProvider.setUserDetailsService(customUserService()); authenticationProvider.setPasswordEncoder(passwordEncoder); // 设置密码加密方式 return authenticationProvider; } @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin().loginPage("/login").permitAll().failureUrl("/error").and().logout().logoutSuccessUrl("/login").permitAll().and().rememberMe().alwaysRemember(true) .and().authorizeRequests()// .anyRequest().authenticated() 这行不能加 .antMatchers("/").hasRole("USER") .antMatchers("/manager/**").hasRole("ROOT") .antMatchers("/user/**").hasRole("USER") .and().csrf().disable(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(customUserService()); auth.authenticationProvider(authenticationProvider()); }}