SpringSecurity基于数据库RBAC数据模型控制权限

⒈通用RBAC(Role - Based Access Control）数据模型

⒉如何使用

 1 package cn.coreqi.ssoserver.rbac;
 2 
 3 import org.springframework.security.core.Authentication;
 4 
 5 import javax.servlet.http.HttpServletRequest;
 6 
 7 public interface RbacService {
 8 
 9     /**
10      *
11      * @param request   当前请求的信息
12      * @param authentication    当前用户的信息
13      * @return  是否拥有访问权限
14      */
15     boolean hasPermission(HttpServletRequest request, Authentication authentication);
16 }

 1 package cn.coreqi.ssoserver.rbac.impl;
 2 
 3 import cn.coreqi.ssoserver.rbac.RbacService;
 4 import org.springframework.beans.factory.annotation.Autowired;
 5 import org.springframework.security.core.Authentication;
 6 import org.springframework.security.core.userdetails.UserDetails;
 7 import org.springframework.stereotype.Component;
 8 import org.springframework.util.AntPathMatcher;
 9 
10 import javax.servlet.http.HttpServletRequest;
11 import java.util.HashSet;
12 import java.util.Set;
13 
14 @Component("rbacService")
15 public class RbacServiceImpl implements RbacService {
16 
17     private AntPathMatcher antPathMatcher = new AntPathMatcher();
18 
19     /**
20      *
21      * @param request   当前请求的信息
22      * @param authentication    当前用户的信息
23      * @return  是否拥有访问权限
24      */
25     @Override
26     public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
27         Object principal = authentication.getPrincipal();
28         boolean hasPermission = false;
29         if(principal instanceof UserDetails){
30             String username = ((UserDetails)principal).getUsername();
31             //在数据库中读取用户所拥有权限的所有URL
32             //在这里使用Set模拟
33             Set<String> urls = new HashSet<>();
34             for (String url : urls){
35                 if(antPathMatcher.match(url,request.getRequestURI())){
36                     hasPermission = true;
37                     break;
38                 }
39             }
40         }
41         return hasPermission;
42     }
43 }

　　3.写一个权限表达式，让SpringSecurity调用我们的方法

 1 @EnableWebSecurity
 2 public class SsoWebSecurityConfig extends WebSecurityConfigurerAdapter {
 3 
 4     @Override
 5     protected void configure(HttpSecurity http) throws Exception {
 6         http.formLogin()
 7                 .and()
 8                 .authorizeRequests()
 9                     .anyRequest().access("@rbacService.hasPermission(request, authentication)") //为了避免该配置被覆盖，必要时需要使用@Order注解设置优先级。
10                 .and()
11                     .csrf().disable();    //禁用CSRF
12     }
13 
14 }