快捷導(dǎo)航

Spring Security的持久化用戶(hù)和授權(quán)實(shí)現(xiàn)方式

更新時(shí)間：2025年02月18日 11:04:58 作者：Exill

文章介紹了如何使用JdbcUserDetailsManager實(shí)現(xiàn)數(shù)據(jù)庫(kù)讀取用戶(hù),并展示了如何配置SpringSecurity進(jìn)行授權(quán)管理,通過(guò)創(chuàng)建數(shù)據(jù)庫(kù)表、配置數(shù)據(jù)庫(kù)連接和修改SecurityConfig,實(shí)現(xiàn)了用戶(hù)權(quán)限的控制

使用JdbcUserDetailsManager（UserDetailsService另一種實(shí)現(xiàn)）實(shí)現(xiàn)數(shù)據(jù)庫(kù)讀取用戶(hù)

1.引入jdbc和相關(guān)數(shù)據(jù)庫(kù)驅(qū)動(dòng)

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<dependency>
    <groupId>org.postgresql</groupId>
    <artifactId>postgresql</artifactId>
    <scope>runtime</scope>
</dependency>

2.創(chuàng)建數(shù)據(jù)庫(kù)表

--用戶(hù)表
CREATE TABLE users( 
    username VARCHAR(50)  NOT NULL PRIMARY KEY --用戶(hù)名, 
    password VARCHAR(500) NOT NULL             --密碼, 
    enabled  BOOLEAN      NOT NULL             --有效性
);
--權(quán)限表
CREATE TABLE authorities( 
    username  VARCHAR(50) NOT NULL  --用戶(hù)名, 
    authority VARCHAR(50) NOT NULL  --權(quán)限, 
    constraint fk FOREIGN KEY(username) REFERENCES users(username)
);
CREATE unique index ix_auth_username ON authorities (username, authority);

3.配置數(shù)據(jù)庫(kù)連接（application.yml）

spring:
    datasource:
        driver-class-name: org.postgresql.Driver
        url: jdbc:postgresql://localhost:5432/security
        username:postgres
        password: postgres

4.修改SecurityConfig配置

@Configuration
public class SecurityConfig {
    //配置Security過(guò)濾鏈
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        //配置哪些接口需要認(rèn)證(.anyRequest().authenticated()代表任何請(qǐng)求都需認(rèn)證)
        http.authorizeHttpRequests(authorize -> {
            authorize.anyRequest().authenticated();
        });
        //配置post表單請(qǐng)求/login接口
        http.formLogin(Customizer.withDefaults());
        //csrf攻擊：開(kāi)發(fā)環(huán)境可不配方便調(diào)試，上線(xiàn)環(huán)境需配置，否則會(huì)遭csrf攻擊
        http.csrf(AbstractHttpConfigurer::disable);
        //返回Security過(guò)濾鏈對(duì)象
        return http.build();
    }

    @Bean //配置JdbcUserDetailsManager實(shí)現(xiàn)數(shù)據(jù)庫(kù)存儲(chǔ)用戶(hù)
    public UserDetailsService userDetailsService(DataSource dataSource) {
        return new JdbcUserDetailsManager(dataSource);
    }
}

實(shí)現(xiàn)Spring Security授權(quán)功能

1.創(chuàng)建接口

@RestController
public class HelloController{

    @RequestMapping("/hello")
    public String hello() { 
        return "Hello Security"; 
    }

    @RequestMapping("/hello1")
    public String hello1() { 
        return "Hello Security1"; 
    }

}

2.配置數(shù)據(jù)庫(kù)賬號(hào)和權(quán)限（DbUser用戶(hù)擁有hello和hello1權(quán)限、DbUser1只擁有hello1權(quán)限）

3.修改SecurityConfig配置

@Configuration
public class SecurityConfig {
    //配置Security過(guò)濾鏈
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        //配置哪些接口需要認(rèn)證(.anyRequest().authenticated()代表任何請(qǐng)求都需認(rèn)證)
        http.authorizeHttpRequests(authorize -> {
            authorize.requestMatchers("/hello").hasAuthority("hello");
            authorize.requestMatchers("/hello1").hasAuthority("hello1");
            authorize.anyRequest().authenticated();
        });
        //配置post表單請(qǐng)求/login接口
        http.formLogin(Customizer.withDefaults());
        //csrf攻擊：開(kāi)發(fā)環(huán)境可不配方便調(diào)試，上線(xiàn)環(huán)境需配置，否則會(huì)遭csrf攻擊
        http.csrf(AbstractHttpConfigurer::disable);
        //返回Security過(guò)濾鏈對(duì)象
        return http.build();
    }

    @Bean //配置JdbcUserDetailsManager實(shí)現(xiàn)數(shù)據(jù)庫(kù)存儲(chǔ)用戶(hù)
    public UserDetailsService userDetailsService(DataSource dataSource) {
        return new JdbcUserDetailsManager(dataSource);
    }
}