Spring Security的持久化用戶和授權實現方式

更新時間：2025年02月18日 11:04:58 作者：Exill

文章介紹了如何使用JdbcUserDetailsManager實現數據庫讀取用戶,并展示了如何配置SpringSecurity進行授權管理,通過創(chuàng)建數據庫表、配置數據庫連接和修改SecurityConfig,實現了用戶權限的控制

使用JdbcUserDetailsManager（UserDetailsService另一種實現）實現數據庫讀取用戶

1.引入jdbc和相關數據庫驅動

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<dependency>
    <groupId>org.postgresql</groupId>
    <artifactId>postgresql</artifactId>
    <scope>runtime</scope>
</dependency>

2.創(chuàng)建數據庫表

--用戶表
CREATE TABLE users( 
    username VARCHAR(50)  NOT NULL PRIMARY KEY --用戶名, 
    password VARCHAR(500) NOT NULL             --密碼, 
    enabled  BOOLEAN      NOT NULL             --有效性
);
--權限表
CREATE TABLE authorities( 
    username  VARCHAR(50) NOT NULL  --用戶名, 
    authority VARCHAR(50) NOT NULL  --權限, 
    constraint fk FOREIGN KEY(username) REFERENCES users(username)
);
CREATE unique index ix_auth_username ON authorities (username, authority);

3.配置數據庫連接（application.yml）

spring:
    datasource:
        driver-class-name: org.postgresql.Driver
        url: jdbc:postgresql://localhost:5432/security
        username:postgres
        password: postgres

4.修改SecurityConfig配置

@Configuration
public class SecurityConfig {
    //配置Security過濾鏈
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        //配置哪些接口需要認證(.anyRequest().authenticated()代表任何請求都需認證)
        http.authorizeHttpRequests(authorize -> {
            authorize.anyRequest().authenticated();
        });
        //配置post表單請求/login接口
        http.formLogin(Customizer.withDefaults());
        //csrf攻擊：開發(fā)環(huán)境可不配方便調試，上線環(huán)境需配置，否則會遭csrf攻擊
        http.csrf(AbstractHttpConfigurer::disable);
        //返回Security過濾鏈對象
        return http.build();
    }

    @Bean //配置JdbcUserDetailsManager實現數據庫存儲用戶
    public UserDetailsService userDetailsService(DataSource dataSource) {
        return new JdbcUserDetailsManager(dataSource);
    }
}

實現Spring Security授權功能

1.創(chuàng)建接口

@RestController
public class HelloController{

    @RequestMapping("/hello")
    public String hello() { 
        return "Hello Security"; 
    }

    @RequestMapping("/hello1")
    public String hello1() { 
        return "Hello Security1"; 
    }

}

2.配置數據庫賬號和權限（DbUser用戶擁有hello和hello1權限、DbUser1只擁有hello1權限）

3.修改SecurityConfig配置

@Configuration
public class SecurityConfig {
    //配置Security過濾鏈
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        //配置哪些接口需要認證(.anyRequest().authenticated()代表任何請求都需認證)
        http.authorizeHttpRequests(authorize -> {
            authorize.requestMatchers("/hello").hasAuthority("hello");
            authorize.requestMatchers("/hello1").hasAuthority("hello1");
            authorize.anyRequest().authenticated();
        });
        //配置post表單請求/login接口
        http.formLogin(Customizer.withDefaults());
        //csrf攻擊：開發(fā)環(huán)境可不配方便調試，上線環(huán)境需配置，否則會遭csrf攻擊
        http.csrf(AbstractHttpConfigurer::disable);
        //返回Security過濾鏈對象
        return http.build();
    }

    @Bean //配置JdbcUserDetailsManager實現數據庫存儲用戶
    public UserDetailsService userDetailsService(DataSource dataSource) {
        return new JdbcUserDetailsManager(dataSource);
    }
}