思維導(dǎo)圖如下

RBAC權(quán)限分析

RBAC 全稱為基于角色的權(quán)限控制，本段將會(huì)從什么是RBAC，模型分類，什么是權(quán)限，用戶組的使用，實(shí)例分析等幾個(gè)方面闡述RBAC

思維導(dǎo)圖

繪制思維導(dǎo)圖如下

什么是RBAC

RBAC 全稱為用戶角色權(quán)限控制，通過角色關(guān)聯(lián)用戶，角色關(guān)聯(lián)權(quán)限，這種方式，間階的賦予用戶的權(quán)限，如下圖所示

對(duì)于通常的系統(tǒng)而言，存在多個(gè)用戶具有相同的權(quán)限，在分配的時(shí)候，要為指定的用戶分配相關(guān)的權(quán)限，修改的時(shí)候也要依次的對(duì)這幾個(gè)用戶的權(quán)限進(jìn)行修改，有了角色這個(gè)權(quán)限，在修改權(quán)限的時(shí)候，只需要對(duì)角色進(jìn)行修改，就可以實(shí)現(xiàn)相關(guān)的權(quán)限的修改。這樣做增加了效率，減少了權(quán)限漏洞的發(fā)生。

模型分類

對(duì)于RBAC模型來說，分為以下幾個(gè)模型 分別是RBAC0，RBAC1，RBAC2，RBAC3，這四個(gè)模型，這段將會(huì)依次介紹這四個(gè)模型，其中最常用的模型有RBAC0.

RBAC0

用戶和角色是多對(duì)一的關(guān)系，即一個(gè)用戶只充當(dāng)一種角色，一個(gè)角色可以有多個(gè)角色的擔(dān)當(dāng)。用戶和角色是多對(duì)多的關(guān)系，即，一個(gè)用戶可以同時(shí)充當(dāng)多個(gè)角色，一個(gè)角色可以有多個(gè)用戶。 

此系統(tǒng)功能單一，人員較少，這里舉個(gè)栗子，張三既是行政，也負(fù)責(zé)財(cái)務(wù)，此時(shí)張三就有倆個(gè)權(quán)限，分別是行政權(quán)限，和財(cái)務(wù)權(quán)限兩個(gè)部分。

RBAC1

RBAC2 模型

角色互斥

即，同一個(gè)用戶不能擁有兩個(gè)互斥的角色，舉個(gè)例子，在財(cái)務(wù)系統(tǒng)中，一個(gè)用戶不能擁有會(huì)計(jì)員和審計(jì)這兩種角色。

基數(shù)約束

即，用一個(gè)角色，所擁有的成員是固定的，例如對(duì)于CEO這種角色，同一個(gè)角色，也只能有一個(gè)用戶。

先決條件

即，對(duì)于該角色來說，如果想要獲得更高的角色，需要先獲取低一級(jí)別的角色。舉個(gè)栗子，對(duì)于副總經(jīng)理和經(jīng)理這兩個(gè)權(quán)限來說，需要先有副總經(jīng)理權(quán)限，才能擁有經(jīng)理權(quán)限，其中副總經(jīng)理權(quán)限是經(jīng)理權(quán)限的先決條件。

運(yùn)行時(shí)互斥

即，一個(gè)用戶可以擁有兩個(gè)角色，但是這倆個(gè)角色不能同時(shí)使用，需要切換角色才能進(jìn)入另外一個(gè)角色。舉個(gè)栗子，對(duì)于總經(jīng)理和專員這兩個(gè)角色，系統(tǒng)只能在一段時(shí)間，擁有其一個(gè)角色，不能同時(shí)對(duì)這兩種角色進(jìn)行操作。

RBAC3模型

什么是權(quán)限

用戶組的使用

優(yōu)點(diǎn)：減少工作量，便于理解，增加多級(jí)管理，等。

SpringSecurity 簡(jiǎn)單使用

首先添加依賴

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

然后添加相關(guān)的訪問接口

package com.example.demo.web;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/test")
public class Test {
    @RequestMapping("/test")
    public String test(){
        return "test";
    }
}

最后啟動(dòng)項(xiàng)目，在日志中查看相關(guān)的密碼

用戶名：user
密碼 984cccf2-ba82-468e-a404-7d32123d0f9c

增加用戶名和密碼

在配置文件中，書寫相關(guān)的登錄和密碼

spring:
  security:
    user:
      name: ming
      password: 123456
      roles: admin

基于內(nèi)存的認(rèn)證

需要自定義類繼承 WebSecurityConfigurerAdapter 代碼如下

package com.example.demo.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    PasswordEncoder passwordEncoder(){
        return NoOpPasswordEncoder.getInstance();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin").password("123").roles("admin");
    }
}

即，配置的用戶名為admin，密碼為123，角色為admin

HttpSecurity

這里對(duì)一些方法進(jìn)行攔截

package com.ming.demo.interceptor;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

@Configuration
@EnableWebSecurity
public class SecurityConfig  extends WebSecurityConfigurerAdapter {
    //基于內(nèi)存的用戶存儲(chǔ)
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("itguang").password("123456").roles("USER").and()
                .withUser("admin").password("{noop}" + "123456").roles("ADMIN");
    }

    //請(qǐng)求攔截
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().permitAll()
                .and()
                .formLogin()
                .permitAll()
                .and()
                .logout()
                .permitAll();
    }

}

SpringSecurity 集成JWT

這是一個(gè)小demo，目的，登錄以后返回jwt生成的token

導(dǎo)入依賴

添加web依賴

導(dǎo)入JWT和Security依賴

 <!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt -->
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt</artifactId>
            <version>0.9.1</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
            <version>2.3.1.RELEASE</version>
        </dependency>

創(chuàng)建一個(gè)JwtUser實(shí)現(xiàn)UserDetails

創(chuàng)建 一個(gè)相關(guān)的JavaBean

package com.example.demo;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Collection;

public class JwtUser implements UserDetails {
    private String username;
    private String password;
    private Integer state;
    private Collection<? extends GrantedAuthority> authorities;
    public JwtUser(){

    }

    public JwtUser(String username, String password, Integer state,  Collection<? extends GrantedAuthority> authorities){
        this.username = username;
        this.password = password;
        this.state = state;
        this.authorities = authorities;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return authorities;
    }

    @Override
    public String getPassword() {
        return this.password;
    }

    @Override
    public String getUsername() {
        return this.username;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}

編寫工具類生成令牌

編寫工具類，用來生成token，以及刷新token，以及驗(yàn)證token

package com.example.demo;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.userdetails.UserDetails;

import java.io.Serializable;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

public class JwtTokenUtil implements Serializable {
    private String secret;
    private Long expiration;
    private String header;

    private String generateToken(Map<String, Object> claims) {
        Date expirationDate = new Date(System.currentTimeMillis() + expiration);
        return Jwts.builder().setClaims(claims).setExpiration(expirationDate).signWith(SignatureAlgorithm.HS512, secret).compact();
    }

    private Claims getClaimsFromToken(String token) {
        Claims claims;
        try {
            claims = Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();

        } catch (Exception e) {
            claims = null;
        }
        return claims;
    }

    public String generateToken(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<>(2);
        claims.put("sub", userDetails.getUsername());
        claims.put("created", new Date());
        return generateToken(claims);

    }

    public String getUsernameFromToken(String token) {
        String username;
        try {
            Claims claims = getClaimsFromToken(token);
            username = claims.getSubject();

        } catch (Exception e) {
            username = null;

        }
        return username;

    }

    public Boolean isTokenExpired(String token) {
        try {
            Claims claims = getClaimsFromToken(token);
            Date expiration = claims.getExpiration();
            return expiration.before(new Date());
        } catch (Exception e) {
            return false;
        }
    }

    public String refreshToken(String token) {
        String refreshedToken;
        try {
            Claims claims = getClaimsFromToken(token);
            claims.put("created", new Date());
            refreshedToken = generateToken(claims);

        } catch (Exception e) {
            refreshedToken = null;

        }
        return refreshedToken;
    }

    public Boolean validateToken(String token, UserDetails userDetails) {
        JwtUser user = (JwtUser) userDetails;
        String username = getUsernameFromToken(token);
        return (username.equals(user.getUsername()) && !isTokenExpired(token));

    }

}

編寫攔截器

編寫Filter 用來檢測(cè)JWT

package com.example.demo;

import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class JwtAuthenticationTokenFilter  extends OncePerRequestFilter {
    @Autowired
    private UserDetailsService userDetailsService;
    @Autowired
    private JwtTokenUtil jwtTokenUtil;

    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        String authHeader = httpServletRequest.getHeader(jwtTokenUtil.getHeader());
        if (authHeader != null && StringUtils.isNotEmpty(authHeader)) {
            String username = jwtTokenUtil.getUsernameFromToken(authHeader);
            if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
                UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
                if (jwtTokenUtil.validateToken(authHeader, userDetails)) {
                    UsernamePasswordAuthenticationToken authentication  =
                    new UsernamePasswordAuthenticationToken(userDetails,null,userDetails.getAuthorities());
                    authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest));
                    SecurityContextHolder.getContext().setAuthentication(authentication);

                }
            }
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);

    }
}

編寫userDetailsService的實(shí)現(xiàn)類

在上方代碼中，編寫userDetailsService，類，實(shí)現(xiàn)其驗(yàn)證過程

package com.example.demo;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import javax.management.relation.Role;
import java.util.List;

@Service
public class JwtUserDetailsServiceImpl  implements UserDetailsService {
    @Autowired
    private UserMapper userMapper;

    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        User user = userMapper.selectByUserName(s);
        if (user == null) {
            throw new UsernameNotFoundException(String.format("'%s'.這個(gè)用戶不存在", s));

        }
        List<SimpleGrantedAuthority> collect = user.getRoles().stream().map(Role::getRolename).map(SimpleGrantedAuthority::new).collect(Collectors.toList());
        return new JwtUser(user.getUsername(), user.getPassword(), user.getState(), collect);

    }
}

編寫登錄

編寫登錄業(yè)務(wù)的實(shí)現(xiàn)類 其login方法會(huì)返回一個(gè)JWTUtils 的token

@Service
public class UserServiceImpl  implements UserService {
    @Autowired
    private UserMapper userMapper;

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private JwtTokenUtil jwtTokenUtil;

    public User findByUsername(String username) {
        User user = userMapper.selectByUserName(username);
        return user;

    }

    public RetResult login(String username, String password) throws AuthenticationException {
        UsernamePasswordAuthenticationToken upToken = new UsernamePasswordAuthenticationToken(username, password);
        final Authentication authentication = authenticationManager.authenticate(upToken);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        UserDetails userDetails = userDetailsService.loadUserByUsername(username);
        return new RetResult(RetCode.SUCCESS.getCode(),jwtTokenUtil.generateToken(userDetails));

    }
}

最后配置Config

@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;
    @Autowired
    private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;

    @Autowired
    public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.userDetailsService(this.userDetailsService).passwordEncoder(passwordEncoder());

    }

    @Bean(name = BeanIds.AUTHENTICATION_MANAGER)

    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();

    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers("/auth/**").permitAll()
                .anyRequest().authenticated()
                .and().headers().cacheControl();

        http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);

        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http.authorizeRequests();

        registry.requestMatchers(CorsUtils::isPreFlightRequest).permitAll();

    }

    @Bean
    public CorsFilter corsFilter() {
        final UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
        final CorsConfiguration cors = new CorsConfiguration();
        cors.setAllowCredentials(true);
        cors.addAllowedOrigin("*");
        cors.addAllowedHeader("*");
        cors.addAllowedMethod("*");
        urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", cors);
        return new CorsFilter(urlBasedCorsConfigurationSource);

    }
}

運(yùn)行，返回token

運(yùn)行，返回結(jié)果為token

SpringSecurity JSON登錄

這里配置SpringSecurity之JSON登錄

這里需要重寫UsernamePasswordAnthenticationFilter類，以及配置SpringSecurity

重寫UsernamePasswordAnthenticationFilter

public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

        //attempt Authentication when Content-Type is json
        if(request.getContentType().equals(MediaType.APPLICATION_JSON_UTF8_VALUE)
                ||request.getContentType().equals(MediaType.APPLICATION_JSON_VALUE)){

            //use jackson to deserialize json
            ObjectMapper mapper = new ObjectMapper();
            UsernamePasswordAuthenticationToken authRequest = null;
            try (InputStream is = request.getInputStream()){
                AuthenticationBean authenticationBean = mapper.readValue(is,AuthenticationBean.class);
                authRequest = new UsernamePasswordAuthenticationToken(
                        authenticationBean.getUsername(), authenticationBean.getPassword());
            }catch (IOException e) {
                e.printStackTrace();
                authRequest = new UsernamePasswordAuthenticationToken(
                        "", "");
            }finally {
                setDetails(request, authRequest);
                return this.getAuthenticationManager().authenticate(authRequest);
            }
        }

        //transmit it to UsernamePasswordAuthenticationFilter
        else {
            return super.attemptAuthentication(request, response);
        }
    }
}

配置SecurityConfig

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .cors().and()
            .antMatcher("/**").authorizeRequests()
            .antMatchers("/", "/login**").permitAll()
            .anyRequest().authenticated()
            //這里必須要寫formLogin()，不然原有的UsernamePasswordAuthenticationFilter不會(huì)出現(xiàn)，也就無法配置我們重新的UsernamePasswordAuthenticationFilter
            .and().formLogin().loginPage("/")
            .and().csrf().disable();

    //用重寫的Filter替換掉原有的UsernamePasswordAuthenticationFilter
    http.addFilterAt(customAuthenticationFilter(),
    UsernamePasswordAuthenticationFilter.class);
}

//注冊(cè)自定義的UsernamePasswordAuthenticationFilter
@Bean
CustomAuthenticationFilter customAuthenticationFilter() throws Exception {
    CustomAuthenticationFilter filter = new CustomAuthenticationFilter();
    filter.setAuthenticationSuccessHandler(new SuccessHandler());
    filter.setAuthenticationFailureHandler(new FailureHandler());
    filter.setFilterProcessesUrl("/login/self");

    //這句很關(guān)鍵，重用WebSecurityConfigurerAdapter配置的AuthenticationManager，不然要自己組裝AuthenticationManager
    filter.setAuthenticationManager(authenticationManagerBean());
    return filter;
}

這樣就完成使用json登錄SpringSecurity。

Spring Security 密碼加密方式

需要在Config 類中配置如下內(nèi)容

 /**
     * 密碼加密
     */
    @Bean
    public BCryptPasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }

即，使用此方法，對(duì)密碼進(jìn)行加密， 在業(yè)務(wù)層的時(shí)候，使用此加密的方法

@Service
@Transactional
public class UserServiceImpl implements UserService {

    @Resource
    private UserRepository userRepository;

    @Resource
    private BCryptPasswordEncoder bCryptPasswordEncoder;  //注入bcryct加密
    @Override
    public User add(User user) {
        user.setPassword(bCryptPasswordEncoder.encode(user.getPassword())); //對(duì)密碼進(jìn)行加密
        User user2 = userRepository.save(user);
        return user2;
    }
    @Override
    public ResultInfo login(User user) {
        ResultInfo resultInfo=new ResultInfo();
        User user2 = userRepository.findByName(user.getName());
        if (user2==null) {
            resultInfo.setCode("-1");
            resultInfo.setMessage("用戶名不存在");
            return resultInfo;
        }

        //判斷密碼是否正確
        if (!bCryptPasswordEncoder.matches(user.getPassword(),user2.getPassword())) {
            resultInfo.setCode("-1");
            resultInfo.setMessage("密碼不正確");
            return resultInfo;
        }
        resultInfo.setMessage("登錄成功");
        return resultInfo;
    }
}

使用數(shù)據(jù)庫(kù)認(rèn)證

這里使用數(shù)據(jù)庫(kù)認(rèn)證SpringSecurity

設(shè)計(jì)數(shù)據(jù)表

這里設(shè)計(jì)數(shù)據(jù)表

著重配置SpringConfig

@Configurable
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserService userService;    // service 層注入

    @Bean
    PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // 參數(shù)傳入Service，進(jìn)行驗(yàn)證
        auth.userDetailsService(userService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("admin")
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginProcessingUrl("/login").permitAll()
                .and()
                .csrf().disable();
    }
}

這里著重配置SpringConfig

小結(jié)

著重講解了RBAC的權(quán)限配置，以及簡(jiǎn)單的使用SpringSecurity，以及使用SpringSecurity + JWT 完成前后端的分離，以及配置json登錄，和密碼加密方式。