java

关注公众号 jb51net

关闭
首页 > 软件编程 > java > SpringSecurity动态权限校验

SpringSecurity实现动态权限校验的过程

作者:深藏Blued蓝先生

Spring Security过滤器链中,AuthorizationFilter的authorizationManager是我们要找的组件,该组件的check方法已被弃用,推荐使用authorize方法,最终通过接口路径和权限进行校验,本文给大家介绍SpringSecurity实现动态权限校验的相关知识,感兴趣的朋友一起看看吧

在框架DefaultSecurityFilterChain源码内打断点可以找到SpringSecurity的过滤器链可以看见一个叫AuthorizationFilter的过滤器

很明显这个叫authorizationManager的应该是我们要找的玩意,直接去AuthorizationFilter内找这个类看他的源码可以发现check方法已经弃用,他推荐用的方法是authorize但这玩意也还是调用的check

@FunctionalInterface
public interface AuthorizationManager<T> {
	/**
	 * Determines if access should be granted for a specific authentication and object.
	 * @param authentication the {@link Supplier} of the {@link Authentication} to check
	 * @param object the {@link T} object to check
	 * @throws AccessDeniedException if access is not granted
	 */
	default void verify(Supplier<Authentication> authentication, T object) {
		AuthorizationDecision decision = check(authentication, object);
		if (decision != null && !decision.isGranted()) {
			throw new AuthorizationDeniedException("Access Denied", decision);
		}
	}
	/**
	 * Determines if access is granted for a specific authentication and object.
	 * @param authentication the {@link Supplier} of the {@link Authentication} to check
	 * @param object the {@link T} object to check
	 * @return an {@link AuthorizationDecision} or null if no decision could be made
	 * @deprecated please use {@link #authorize(Supplier, Object)} instead
	 */
	@Nullable
	@Deprecated
	AuthorizationDecision check(Supplier<Authentication> authentication, T object);
	/**
	 * Determines if access is granted for a specific authentication and object.
	 * @param authentication the {@link Supplier} of the {@link Authentication} to
	 * authorize
	 * @param object the {@link T} object to authorize
	 * @return an {@link AuthorizationResult}
	 * @since 6.4
	 */
	@Nullable
	default AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
		return check(authentication, object);
	}

继续往下面看可以看见他是进行了校验然后返回了一个布尔值

@Override
	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
		boolean granted = this.authorizationStrategy.isGranted(authentication.get());
		return new AuthorizationDecision(granted);
	}

代码实现 逻辑大概是通过传进来的接口路径然后匹配权限

@Component
public class DynamicAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
    @Resource
    private DynamicSecurityMetadataSource securityMetadataSource;
    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
        HttpServletRequest request = context.getRequest();
        // 获取当前请求所需的权限
        String url = request.getRequestURI();
        String method = request.getMethod();
        FilterInvocation fi = new FilterInvocation(String.valueOf(request), url, method);
        Collection<ConfigAttribute> attributes = securityMetadataSource.getAttributes(fi);
        // 没有配置权限要求,允许访问
        if (CollectionUtils.isEmpty(attributes)) {
            return new AuthorizationDecision(true);
        }
        // 获取当前用户认证信息
        Authentication auth = authentication.get();
        if (auth == null || !auth.isAuthenticated()) {
            return new AuthorizationDecision(false);
        }
        // 获取用户所拥有的权限
        Set<String> userPermissions = auth.getAuthorities().stream()
            .map(GrantedAuthority::getAuthority)
            .collect(Collectors.toSet());
        // 判断是否有所需权限
        boolean hasPermission = attributes.stream()
            .map(ConfigAttribute::getAttribute)
            .anyMatch(userPermissions::contains);
        return new AuthorizationDecision(hasPermission);
    }
}

getAllConfigAttributes和supports我大概看了一下直接复制粘贴的框架的源码以后万一有用呢

@Component
public class DynamicSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
    @Resource
    private TPMenuService menuService;
    private Map<String, Collection<ConfigAttribute>> configAttributeMap;
    @PostConstruct
    public void loadDataSource() {
        configAttributeMap = new HashMap<>();
        List<TPMenu> menus = menuService.list();
        configAttributeMap = menus.stream()
                .filter(menu -> StringUtils.hasText(menu.getPath()) && StringUtils.hasText(menu.getPerms()))
                .collect(Collectors.toMap(
                        TPMenu::getPath,
                        menu -> {
                            List<ConfigAttribute> attributes = new ArrayList<>();
                            attributes.add(new SecurityConfig(menu.getPerms()));
                            return attributes;
                        }
                ));
    }
    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        String requestUrl = ((FilterInvocation) object).getRequestUrl();
        if (requestUrl.contains("?")) {
            requestUrl = requestUrl.substring(0, requestUrl.indexOf("?"));
        }
        int count = StringUtils.countOccurrencesOf(requestUrl, "/");
        if (count > 2) {
            requestUrl = requestUrl.replaceAll("/[^/]+$", "");
        }
        for (Map.Entry<String, Collection<ConfigAttribute>> entry : configAttributeMap.entrySet()) {
            String pattern = entry.getKey();
            if (new AntPathMatcher().match(pattern, requestUrl)) {
                return entry.getValue();
            }
        }
        return null;
    }
    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Set<ConfigAttribute> allAttributes = new HashSet<>();
        configAttributeMap.values().forEach(allAttributes::addAll);
        return allAttributes;
    }
    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}

过滤器实现然后记得security配置文件添加这个过滤器就ok了,配置文件可以看我另外一篇文章

@Component
public class DynamicSecurityFilter extends OncePerRequestFilter {
    @Resource
    private DynamicSecurityMetadataSource securityMetadataSource;
    @Resource
    private DynamicAuthorizationManager authorizationManager;
    @Resource
    private AccessDeniedHandler accessDeniedHandler;
    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException, IOException {
        if (shouldNotFilter(request)) {
            chain.doFilter(request, response);
            return;
        }
        try {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            RequestAuthorizationContext context = new RequestAuthorizationContext(request);
            // 权限检查
            AuthorizationDecision check = authorizationManager.check(
                    () -> authentication,
                    context
            );
            if (check.isGranted()) {
                chain.doFilter(request, response);
            } else {
                accessDeniedHandler.handle(request, response, new AccessDeniedException("权限不足"));
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        } catch (ServletException e) {
            throw new RuntimeException(e);
        }
    }
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        String path = request.getRequestURI();
        return whitelist.stream()
                .anyMatch(pattern ->
                        pattern.endsWith("/**")
                                ? path.startsWith(pattern.substring(0, pattern.length() - 3))
                                : pattern.equals(path)
                );
    }
}

debug重启可以看见我的过滤器已经添加进去了

如果有需要还可以直接去看官方demo
https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/jwt/login/src/main

到此这篇关于SpringSecurity实现动态权限校验的过程的文章就介绍到这了,更多相关SpringSecurity动态权限校验内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!

您可能感兴趣的文章:
阅读全文