[Java知识库]Spring Boot Security配置用户认证和资源授权

用户认证

认证是指，用户是否在本系统，以及账号信息是否符合设定的预期。

查询用户(UserDetailsService)

实现UserDetailsService接口，根据用户名称，查询用户信息。可实现自定义查询用户，并设置用户的角色信息。

实现了该接口，需要到配置对应的密码加密类已实现对用户密码的校验。因前端输入的密码是未加密，而数据库保存的密码是已加密的。

@Service
public class CustomerUserDetailsService implements UserDetailsService {
    //密码加密类
	@Autowired
    private PasswordEncoder passwordEncoder;
    //加载用户信息
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        CustomerUserDetails userDetails = new CustomerUserDetails();
        userDetails.setUsername("user");
        userDetails.setPassword(passwordEncoder.encode("123123"));
        userDetails.setEnable(true);
        userDetails.setAuthorities(Collections.emptySet());
        userDetails.setAccountNonExpired(true);
        userDetails.setAccountNonLocked(true);
        userDetails.setCredentialsNonExpired(true);
        return userDetails;
    }

      /**
     * 根据用户名，返回用户角色
     */
    private Collection<? extends GrantedAuthority> loadRoleByUsername(String username){
        Collection<SimpleGrantedAuthority> collection = new HashSet<>();
        //测试数据
        if("admin".equals(username)) {
            collection.add(new SimpleGrantedAuthority("ADMIN"));
        }else {
            collection.add(new SimpleGrantedAuthority(username));
        }
        return collection;
    }

    /**
     * 角色信息可以参考SimpleGrantedAuthority类
     * 根据用户名， 返回用户组角色
     */
    private void loadGroupRoleByUsername(String username){

    }
}

用户信息(UserDetails)

只需要实现UserDetails接口即可，自定义参数不需要和接口调用类保持一致(set/get)但最好保持一致，该接口是UserDetailsService接口中返回参数。

public class CustomerUserDetails implements UserDetails {
    //用户密码
    private String password;
    //用户名
    private String username;
    //用户角色信息
    private Collection<? extends GrantedAuthority> authorities;
    //启用
    private boolean enable;
    //认证未过期
    private boolean credentialsNonExpired;
    //账号未锁定
    private boolean accountNonExpired;
    //账号未锁定
    private boolean accountNonLocked;
    
   
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return this.authorities;
    }

    @Override
    public String getPassword() {
        return this.password;
    }

    @Override
    public String getUsername() {
        return this.username;
    }

    @Override
    public boolean isAccountNonExpired() {
        return this.accountNonExpired;
    }

    @Override
    public boolean isAccountNonLocked() {
        return this.accountNonLocked;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return this.credentialsNonExpired;
    }

    @Override
    public boolean isEnabled() {
        return this.enable;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public void setAuthorities(Collection<? extends GrantedAuthority> authorities) {
        this.authorities = authorities;
    }

    public boolean isEnable() {
        return enable;
    }

    public void setEnable(boolean enable) {
        this.enable = enable;
    }

    public void setCredentialsNonExpired(boolean credentialsNonExpired) {
        this.credentialsNonExpired = credentialsNonExpired;
    }

    public void setAccountNonExpired(boolean accountNonExpired) {
        this.accountNonExpired = accountNonExpired;
    }

    public void setAccountNonLocked(boolean accountNonLocked) {
        this.accountNonLocked = accountNonLocked;
    }
}

安全配置(WebSecurityConfigurerAdapter)

因使用密码加密类，加密了密码，需要在配置中配置密码类。

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    //设置密码加密类
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }
}

资源认证

资源认证，一般是基于URL与角色的认证。
需要自己定义

安全数据元(FilterInvocationSecurityMetadataSource)

通过数据库定义，URL和角色的授权关系。在将数据加入的缓存中已减少多次读取的问题。

设计的时候：

1. 如果只是需要登录即可访问的资源，可以设计一个角色，在用户注册时候就授予这个角色。
2. 如果需要指定角色，则需要URL和角色一一对应。

/**
 * 访问决策需要访问的资源
 */

public class CustomerFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
    protected final Log logger = LogFactory.getLog(getClass());

    private AntPathMatcher antPathMatcher = new AntPathMatcher();

    public CustomerFilterInvocationSecurityMetadataSource(){

    }

    /**
     * 获取所有资源
     */
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Set<ConfigAttribute> allAttributes = new HashSet<>();
        logger.info("getAllConfigAttributes");

        return allAttributes;
    }

    /**
     * 根据请求，查找到匹配的资源
     */
    public Collection<ConfigAttribute> getAttributes(Object object) {
        logger.info("getAttributes");
        String url = ((FilterInvocation) object).getRequestUrl();
        int index = url.indexOf("?");
        if(index != -1){
            url = url.substring(0,index);
        }
        Collection<ConfigAttribute> collection = getRoleByUrl(url);
        //如果为空，则不进行校验
        if(collection.isEmpty()){

        }
        return collection;
    }

    /**
     * 获取请求路径的角色
     *
     */
    public Collection<ConfigAttribute> getRoleByUrl(String url) {
        //收集 匹配到路径的角色
        Collection<ConfigAttribute> collection = new HashSet<>();
        //获取路径和角色的资源，一般放在缓存中
       Map<String,Collection<ConfigAttribute>> map = new HashMap<>();
       Iterator<String> iterator = map.keySet().iterator();
       //这个角色是方便测试加入的，
       collection.add(new SecurityConfig("ADMIN"));
       while (iterator.hasNext()){
           String matchUrl = iterator.next();
           if(this.antPathMatcher.match(matchUrl,url)){
              Collection<ConfigAttribute> matchCollection = map.get(matchUrl);
              collection.addAll(matchCollection);
           }
       }
       return collection;
    }
    /**
     * 是否支持
     */
    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}

访问决策管理

在获取URL对应的角色时，会将用户的角色和获取的角色进行比较，查看用户是否有权限访问。

/**
 * 访问决策管理
 */

public class CustomerAccessDecisionManager implements AccessDecisionManager {
    protected final Log logger = LogFactory.getLog(getClass());
    //一般进行角色校验

    @Override
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
        Iterator<ConfigAttribute> iterator = configAttributes.iterator();
        logger.info("decide");
        while (iterator.hasNext()){
            ConfigAttribute attribute = iterator.next();
            for(GrantedAuthority ga : authentication.getAuthorities()){
                if(attribute.getAttribute().equals(ga.getAuthority())){
                    return;
                }
            }

        }
        //返回访问拒绝信息
       throw new AccessDeniedException("Access reject!");
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}

安全拦截器(FilterSecurityInterceptor)

需要继承FilterSecurityInterceptor类，在这里设置安全元数据、访问决策管理。如果不需要的访问，可以通过重写进行覆盖父类的方法。

@Component
public class CustomerFilterSecurityInterceptor extends FilterSecurityInterceptor {

	//初始化方法，加载访问决策管理，和安全元数据。
    @PostConstruct
    public void init(){
        logger.info("init info");
        super.setSecurityMetadataSource(new CustomerFilterInvocationSecurityMetadataSource());
        super.setAccessDecisionManager(new CustomerAccessDecisionManager());
    }

    /**
     * 这一步可以不重写，使用系统自带的方法，如果不需要或是没有配置那些功能，则可以重写为自己想要的功能
     */
    @Override
    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        logger.info("invoke");
        InterceptorStatusToken token = beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        }
        finally {
            super.finallyInvocation(token);
        }
        super.afterInvocation(token, null);
    }
}

安全配置(WebSecurityConfigurerAdapter)

在用户认证，安全配置类中加入，安全拦截器功能

/**
 * 配置类
 */
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    protected final Log logger = LogFactory.getLog(getClass());
    @Bean
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }
    @Override
    public void configure(WebSecurity web) throws Exception {
        logger.info("configure(WebSecurity web)");
        web.securityInterceptor(new CustomerFilterSecurityInterceptor());
    }
}