前提
近期在使用 Spring Boot,用戶角色被分為管理者和普通用戶;角色不同,權限也就存在不同。
在 Spring Boot 里實現不同用戶擁有不同訪問權限,可借助 Spring Security 框架達成。
實現
1. 添加必要依賴
首先要在 pom.xml 里添加 Spring Security 和 JPA 的依賴。
<dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-jpa</artifactId></dependency><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><scope>runtime</scope></dependency>
</dependencies>
2. 數據庫表設計
創建三張表,分別是用戶表、角色表以及用戶角色關聯表:
CREATE TABLE users (id INT PRIMARY KEY AUTO_INCREMENT,username VARCHAR(50) NOT NULL UNIQUE,password VARCHAR(100) NOT NULL,enabled BOOLEAN DEFAULT true
);CREATE TABLE roles (id INT PRIMARY KEY AUTO_INCREMENT,name VARCHAR(50) NOT NULL UNIQUE
);CREATE TABLE user_roles (user_id INT NOT NULL,role_id INT NOT NULL,PRIMARY KEY (user_id, role_id),FOREIGN KEY (user_id) REFERENCES users(id),FOREIGN KEY (role_id) REFERENCES roles(id)
);
3. 實體類設計
創建與數據庫表對應的實體類:
// User.java
import javax.persistence.*;
import java.util.Set;@Entity
@Table(name = "users")
public class User {@Id@GeneratedValue(strategy = GenerationType.IDENTITY)private Long id;private String username;private String password;private boolean enabled;@ManyToMany(fetch = FetchType.EAGER)@JoinTable(name = "user_roles",joinColumns = @JoinColumn(name = "user_id"),inverseJoinColumns = @JoinColumn(name = "role_id"))private Set<Role> roles;// getters and setters
}// Role.java
import javax.persistence.*;@Entity
@Table(name = "roles")
public class Role {@Id@GeneratedValue(strategy = GenerationType.IDENTITY)private Long id;private String name;// getters and setters
}
4. 創建 Repository 接口
為 User 和 Role 分別創建 Repository 接口,用于數據訪問:
// UserRepository.java
import org.springframework.data.jpa.repository.JpaRepository;public interface UserRepository extends JpaRepository<User, Long> {User findByUsername(String username);
}// RoleRepository.java
import org.springframework.data.jpa.repository.JpaRepository;public interface RoleRepository extends JpaRepository<Role, Long> {Role findByName(String name);
}
5. 實現 UserDetailsService
實現 Spring Security 的 UserDetailsService 接口,從數據庫加載用戶信息:
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;import java.util.ArrayList;
import java.util.List;
import java.util.Set;@Service
public class CustomUserDetailsService implements UserDetailsService {private final UserRepository userRepository;public CustomUserDetailsService(UserRepository userRepository) {this.userRepository = userRepository;}@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {User user = userRepository.findByUsername(username);if (user == null) {throw new UsernameNotFoundException("User not found with username: " + username);}return new org.springframework.security.core.userdetails.User(user.getUsername(),user.getPassword(),user.isEnabled(),true,true,true,getAuthorities(user.getRoles()));}private List<GrantedAuthority> getAuthorities(Set<Role> roles) {List<GrantedAuthority> authorities = new ArrayList<>();for (Role role : roles) {authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getName()));}return authorities;}
}
6. 配置 Spring Security
對 Spring Security 進行配置,設置不同 URL 的訪問權限:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;@Configuration
@EnableWebSecurity
public class SecurityConfig {@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}@Beanpublic SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/public/**").permitAll().antMatchers("/admin/**").hasRole("ADMIN").antMatchers("/user/**").hasAnyRole("USER", "ADMIN").anyRequest().authenticated().and().formLogin().loginPage("/login").permitAll().and().logout().permitAll();return http.build();}
}
7. 創建控制器
創建不同權限的控制器示例:
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;@RestController
public class HelloController {@GetMapping("/public/hello")public String publicHello() {return "Public Hello!";}@GetMapping("/user/hello")public String userHello() {return "User Hello!";}@GetMapping("/admin/hello")public String adminHello() {return "Admin Hello!";}
}
8. 測試用戶數據
創建測試用戶數據,以便進行測試:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.stereotype.Component;import java.util.Collections;
import java.util.HashSet;@Component
public class DataInitializer implements CommandLineRunner {@Autowiredprivate UserRepository userRepository;@Autowiredprivate RoleRepository roleRepository;@Autowiredprivate PasswordEncoder passwordEncoder;@Overridepublic void run(String... args) throws Exception {// 創建角色Role adminRole = roleRepository.findByName("ADMIN");if (adminRole == null) {adminRole = new Role();adminRole.setName("ADMIN");roleRepository.save(adminRole);}Role userRole = roleRepository.findByName("USER");if (userRole == null) {userRole = new Role();userRole.setName("USER");roleRepository.save(userRole);}// 創建管理員用戶User adminUser = userRepository.findByUsername("admin");if (adminUser == null) {adminUser = new User();adminUser.setUsername("admin");adminUser.setPassword(passwordEncoder.encode("admin123"));adminUser.setEnabled(true);adminUser.setRoles(new HashSet<>(Collections.singletonList(adminRole)));userRepository.save(adminUser);}// 創建普通用戶User normalUser = userRepository.findByUsername("user");if (normalUser == null) {normalUser = new User();normalUser.setUsername("user");normalUser.setPassword(passwordEncoder.encode("user123"));normalUser.setEnabled(true);normalUser.setRoles(new HashSet<>(Collections.singletonList(userRole)));userRepository.save(normalUser);}}
}
權限控制說明
@PreAuthorize注解:能在方法級別進行權限控制。例如:@PreAuthorize("hasRole('ADMIN')") @GetMapping("/admin/hello") public String adminHello() {return "Admin Hello!"; }- 角色繼承:可以讓 ADMIN 角色繼承 USER 角色的權限,配置如下:
@Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/public/**").permitAll().antMatchers("/user/**").hasRole("USER").antMatchers("/admin/**").hasRole("ADMIN").anyRequest().authenticated().and().roleHierarchy(roleHierarchy());return http.build(); }@Bean public RoleHierarchy roleHierarchy() {RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();roleHierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");return roleHierarchy; }
)
