使用SpringSecurity3实现RBAC权限管理
1、 What? 什么是权限管理?
?
?
??
?
2.2.1、用户user?
// Two hard-coded authorities for the demo user. Spring Security compares authority
// names as plain strings; the "ROLE_" prefix is what the default RoleVoter keys on.
// GrantedAuthorityImpl is deprecated from Spring Security 3.1 (SimpleGrantedAuthority
// replaces it); it is kept here because the rest of the article targets the 3.0 API.
GrantedAuthorityImpl roleAdmin = new GrantedAuthorityImpl("ROLE_ADMIN");
GrantedAuthorityImpl roleUser = new GrantedAuthorityImpl("ROLE_USER");

Collection<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
auths.add(roleAdmin);
auths.add(roleUser);
?
<%-- This only hides the link in the page; it is presentation, not access control.
     Anyone can request the target URL directly, so the server-side intercept-url
     and/or @Secured rules must still protect it. If the privilege-based
     MyUserDetailsService from this article is in use, authority names are
     privilege names, so ROLE_CREATE/ROLE_UPDATE/ROLE_READ/ROLE_DELETE must exist
     as rows in the privilege table for the tag body ever to render. --%>
<sec:authorize ifAnyGranted="ROLE_CREATE,ROLE_UPDATE,ROLE_READ,ROLE_DELETE"> <a>用户管理</a> </sec:authorize>
?
?
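import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import cn.com.timekey.drugmonitor.business.PrivilegeBus;
import cn.com.timekey.drugmonitor.business.UserBus;
import cn.com.timekey.drugmonitor.log.Log;
import cn.com.timekey.drugmonitor.log.LogFactory;
import cn.com.timekey.drugmonitor.po.Privilege;
import cn.com.timekey.drugmonitor.po.Role;
import cn.com.timekey.drugmonitor.po.RolePrivilege;
import cn.com.timekey.drugmonitor.po.Users;

/**
 * Loads a Spring Security {@link UserDetails} from the application's own
 * user / role / privilege tables.
 *
 * Authorities are derived from privileges, not from the role name: every
 * privilege attached to the user's role becomes one {@link GrantedAuthority}
 * whose name is the privilege name, so intercept-url / @Secured rules must
 * reference privilege names. The role whose id equals {@link #SYSTEM_ROLE_ID}
 * is treated as the built-in super-administrator and receives every row of the
 * privilege table.
 *
 * Security notes for integrators:
 * <ul>
 * <li>Whoever can set a user's role id to SYSTEM_ROLE_ID obtains every
 * privilege; role assignment must itself be a protected operation.</li>
 * <li>The stored password is handed to Spring Security as-is; the configured
 * PasswordEncoder (if any) must match the storage format.</li>
 * <li>accountNonExpired / credentialsNonExpired / accountNonLocked are always
 * reported as true; only the user's active flag can disable an account.</li>
 * <li>Every failure path throws UsernameNotFoundException. With the default
 * DaoAuthenticationProvider setting (hideUserNotFoundExceptions=true) this is
 * reported to the client as a generic bad-credentials failure, so the
 * differing messages below do not leak account existence.</li>
 * </ul>
 *
 * @author Kenny
 */
public class MyUserDetailsService implements UserDetailsService {

    private static final Log LOGGER = LogFactory.getLog(MyUserDetailsService.class);

    /** Id of the built-in system administrator role (gets all privileges). */
    private static final String SYSTEM_ROLE_ID = "1";

    private UserBus userBus;
    private PrivilegeBus privilegeBus;

    /**
     * Resolves the user, its role and the role's privileges into a Spring
     * Security {@link UserDetails}.
     *
     * @param username login name as entered by the client (untrusted input)
     * @return user details whose authorities are the resolved privilege names
     * @throws UsernameNotFoundException if the name is blank, no such user
     *         exists, the user has no role, or the role yields no privileges
     * @throws DataAccessException propagated from the data layer
     */
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        // NOTE: the two-argument UsernameNotFoundException constructor used here
        // was removed in Spring Security 3.1; switch to the one-argument form
        // when upgrading.
        if (StringUtils.isBlank(username)) {
            throw new UsernameNotFoundException("no such user.", username);
        }
        Users user = userBus.findByName(username);
        if (user == null) {
            LOGGER.debug("no such user by " + username);
            throw new UsernameNotFoundException("no such user.", username);
        }
        Role role = user.getRole();
        if (role == null) {
            LOGGER.debug("no such role by " + username);
            throw new UsernameNotFoundException("no such user.", username);
        }

        Collection<Privilege> privileges = resolvePrivileges(role);
        if (privileges.isEmpty()) {
            // A user without any privilege cannot log in at all (fail closed).
            LOGGER.warn("user has not any rolePrivileges.");
            throw new UsernameNotFoundException("Privilege fail! ", username);
        }
        Collection<GrantedAuthority> authorities = generateAuthorities(privileges);

        // Fail closed: a missing (null) active flag disables the account instead
        // of throwing an NPE during authentication.
        boolean isEnable = Boolean.TRUE.equals(user.getIsActive());

        // Principal name comes from the stored record, not from the typed input.
        String adminName = user.getUserName();
        String password = user.getUserPassword();
        return new org.springframework.security.core.userdetails.User(
                adminName, password, isEnable, true, true, true, authorities);
    }

    /**
     * Collects the privileges granted by a role.
     *
     * The system administrator role (id == SYSTEM_ROLE_ID) receives the whole
     * privilege table. Any other role, or an administrator role for which the
     * table lookup returned nothing, gets the privileges linked through its
     * RolePrivilege rows; link rows with no privilege are skipped.
     *
     * @param role the user's role, never null
     * @return the privileges, possibly empty, never null
     */
    private Collection<Privilege> resolvePrivileges(Role role) {
        Collection<Privilege> privileges = Collections.emptyList();

        if (StringUtils.equals(role.getRoleId(), SYSTEM_ROLE_ID)) {
            Collection<Privilege> all = privilegeBus.findAll();
            if (all != null) {
                privileges = all;
            }
        }

        Set<RolePrivilege> rolePrivileges = role.getRolePrivileges();
        if (privileges.isEmpty() && rolePrivileges != null && !rolePrivileges.isEmpty()) {
            List<Privilege> fromRole = new ArrayList<Privilege>(rolePrivileges.size());
            for (RolePrivilege rolePrivilege : rolePrivileges) {
                Privilege privilege = rolePrivilege.getPrivilege();
                if (privilege != null) { // dangling link row must not break login
                    fromRole.add(privilege);
                }
            }
            privileges = fromRole;
        }
        return privileges;
    }

    /**
     * Maps privileges to authorities, one per privilege, named by the
     * privilege name.
     *
     * @param privileges the resolved privileges, never null
     * @return the authorities in iteration order
     */
    private Collection<GrantedAuthority> generateAuthorities(Collection<Privilege> privileges) {
        List<GrantedAuthority> auth = new ArrayList<GrantedAuthority>(privileges.size());
        for (Privilege privilege : privileges) {
            // GrantedAuthorityImpl is deprecated from Spring Security 3.1
            // (SimpleGrantedAuthority); kept for the 3.0 API this code targets.
            auth.add(new GrantedAuthorityImpl(privilege.getPrivilegeName()));
        }
        return auth;
    }

    public void setUserBus(UserBus userBus) {
        this.userBus = userBus;
    }

    public void setPrivilegeBus(PrivilegeBus privilegeBus) {
        this.privilegeBus = privilegeBus;
    }
}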
??
2.3.5、系统的权限漏洞
<!-- Rules are evaluated top-down and the first matching pattern wins, so the
     specific /listUser.do rule must stay above the /** catch-all; placed after
     it, only ROLE_LOGIN would ever be checked for that URL.
     The catch-all means every logged-in user must hold the ROLE_LOGIN authority;
     with the privilege-based UserDetailsService above, that requires a privilege
     named ROLE_LOGIN to exist, otherwise nobody gets past /**.
     URL rules protect only the matched path: the same business operation reached
     through a different URL is not covered, which is why the method-level
     @Secured rules below are needed in addition. -->
<intercept-url pattern="/listUser.do" access="ROLE_USER_READ" />
<intercept-url pattern="/**" access="ROLE_LOGIN" />
?
<!-- Enables @Secured processing. The checks are applied through Spring AOP
     proxies, so they only guard calls that enter a bean through its proxy: a
     method calling another @Secured method on the same object (this.save(...))
     bypasses the check. Beans are only advised in the application context that
     contains this element; beans defined in a child context (e.g. a
     DispatcherServlet context) are typically not covered. -->
<global-method-security secured-annotations="enabled"> </global-method-security>
import org.springframework.security.access.annotation.Secured;

/**
 * Business operations on accounts.
 *
 * Authorization is enforced on the method itself (in addition to any URL rule),
 * so the check holds regardless of which URL or caller reaches the operation.
 * A caller without the required authority is rejected by the security
 * interceptor with an AccessDeniedException before the implementation runs.
 */
public interface AccountBusiness {

    /** Creates or updates an account; requires the ROLE_USER_CREATE authority. */
    @Secured("ROLE_USER_CREATE")
    void save(User user);

    /** Deletes the account with the given id; requires the ROLE_USER_DELETE authority. */
    @Secured("ROLE_USER_DELETE")
    void delete(String id);
}
?
3、 Gain 我们的收获
3. Group 用户组还不在此架构范围内。