如何在spring boot中实现用户级别的特定授权?

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了如何在spring boot中实现用户级别的特定授权?相关的知识,希望对你有一定的参考价值。

我使用Spring Boot 1.2.1.RELEASE创建了一个Web服务。这有我在控制器中定义的POST ang GET方法。我还使用自己的应用程序数据库中的用户凭据配置了身份验证,并且还实现了OAuth。

这是我的Application.class,它具有所有必要的配置。

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application extends SpringBootServletInitializer {

  public static void main(String[] args) {
    SpringApplication.run(Application.class, args);
  }

  @Override
  protected SpringApplicationBuilder configure(
      SpringApplicationBuilder application) {
    return application.sources(Application.class);
  }

  @Service
  protected static class ApplicationUserDetailsService implements UserDetailsService {

    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
      User user = this.userRepository.findByUsername(username);

      if (user == null) {
        return null;
      }

      List<GrantedAuthority> auth = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER");

      String password = user.getPassword();

      return new org.springframework.security.core.userdetails.User(username, password, auth);
    }
  }

  @Configuration
  @EnableGlobalMethodSecurity(prePostEnabled = true)
  @EnableWebSecurity
  protected static class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private ApplicationUserDetailsService applicationUserDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
      auth.userDetailsService(applicationUserDetailsService);
    }

    @Bean   
    @Override
    protected AuthenticationManager authenticationManager() throws Exception {
      return super.authenticationManager();
    }

  }

  @Configuration
  @EnableResourceServer
  protected static class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
      http.requestMatchers()
        .and()
        .authorizeRequests()
        .antMatchers("/user/**").access("#oauth2.hasScope('read')")
        .antMatchers("/car/**").access("#oauth2.hasScope('read')")
        .antMatchers("/transaction/**").access("#oauth2.hasScope('read')");
    }

  } 

  @Configuration
  @EnableAuthorizationServer
  protected static class AuthorizationServerConfig extends
      AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
      endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
        throws Exception {
      clients.inMemory()
          .withClient("my-trusted-client")
          .authorizedGrantTypes("authorization_code", "password",
              "refresh_token")
          .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
          .scopes("read", "write", "trust")
          .accessTokenValiditySeconds(60);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security)
        throws Exception {
      security.allowFormAuthenticationForClients();
    }

  }

}

这是我的pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.demo.web.restservice</groupId>
  <artifactId>restservice</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>

  <name>restservice</name>
  <description></description>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.2.1.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
  </parent>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <start-class>com.demo.web.restservice.Application</start-class>
    <java.version>1.7</java.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <!-- <scope>runtime</scope> -->
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-tomcat</artifactId>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-undertow</artifactId>
    </dependency>

    <!-- Added for security purposes only -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.security.oauth</groupId>
      <artifactId>spring-security-oauth2</artifactId>
      <version>2.0.6.RELEASE</version>
      <exclusions>
        <exclusion>
          <artifactId>jackson-mapper-asl</artifactId>
          <groupId>org.codehaus.jackson</groupId>
        </exclusion>
      </exclusions>
    </dependency>

  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
      </plugin>
    </plugins>
  </build>

</project>

这是我的一个控制器。

@RestController
@RequestMapping("/transaction")
public class TransactionController {

  @Autowired
  private TransactionHeaderRepository transactionHeaderRepository;

  @RequestMapping("/header/{id}")
  public ResponseEntity<TransactionHeader> findHeaderById(@PathVariable UUID id) {
    return new ResponseEntity<>(this.transactionHeaderRepository.findById(id), HttpStatus.OK);
  }

  @RequestMapping(value = "/header/create", method = RequestMethod.POST)
  public ResponseEntity<TransactionHeader> createHeader(@RequestBody TransactionHeader transactionHeader) {
    this.transactionHeaderRepository.save(transactionHeader);
    this.transactionLineRepository.save(transactionHeader.getTransactionLines());
    return new ResponseEntity<>(HttpStatus.OK);
  }

  @RequestMapping(value = "/header/update", method = RequestMethod.POST)
  public ResponseEntity<TransactionHeader> updateHeader(@RequestBody TransactionHeader transactionHeader) {
    return new ResponseEntity<TransactionHeader>(this.transactionHeaderRepository.save(transactionHeader), HttpStatus.OK);
  }

  @RequestMapping(value = "/header/delete", method = RequestMethod.POST)
  public ResponseEntity<TransactionHeader> deleteHeader(@RequestBody TransactionHeader transactionHeader) {
    this.transactionHeaderRepository.delete(transactionHeader);
    return new ResponseEntity<TransactionHeader>(HttpStatus.OK);
  }

}

一切正常,除了我想限制用户的部分,并允许他们只更新自己的数据。

我应该怎么做呢?这应该在控制器中完成吗?或者spring提供了某种内置功能来处理这个问题?

感谢您的反馈。

答案

为此,您可以创建自己的自定义注释(@Useridentifier)并使用它来映射到UserDetails.UserId(您的用户PK)。将其放在包含用户PK的DTO上。

接下来,您可以创建另一个放置在端点上的注释(@Useridentifiercheck)(如requestMapping)。如果值不匹配,则抛出异常并返回401或将userId替换为OAuth属性中的userId(如果将userId存储在OAuth数据中)。

注意:所有这些也可以通过服务和一些反射完成,但我喜欢注释:)

失败的地方如果你有一个没有UserId更新FK表的休息点,那么这个想法就会失败。

table - User { long userId; nvarchar name; long address_fk; }
table - Address { long addressId; nvarchar postcode; }

在这里我们可以更新地址,但是如果没有一些联接给我们userId,我们无法知道我们是否“被授权”编辑地址。

服务器端问题需要小心为管理员删除此功能,否则,他们将无法更新其他人的数据以太...

网关API

另一个例子是创建一个靠近UI的网关API(例如ExpressJS服务React和自定义API)

UI会话可以存储在Express中,并将进行过滤以确保自动更新的任何请求都具有“正确的”UserID。

例如:坏人发送以下JSON

put: { userId: 69, password: powned, firstname: Paul }

Express API采用DTO并剥离未授权的输入(userId,密码)。请注意,在这种情况下,请求将被传递到API,用正确的会话值替换“传入”userId。

核心API将位于VPN防火墙后面,并使用客户OAuth令牌进行限制。

以上是关于如何在spring boot中实现用户级别的特定授权?的主要内容,如果未能解决你的问题,请参考以下文章

如何在 Spring Boot 中实现 Camunda SendTask

如何在 Spring Boot 中实现刷新令牌

如何在 Spring Boot 中禁用或覆盖 RequestCacheAwareFilter

是否可以在spring boot/java中实现每个用户在不同时间动态调度一个任务

如何在 Spring Boot 中实现基于角色权限的系统

如何使用hibernate在spring boot中实现分页