spring security怎么解决用户的权限问题
1.在我们想要控制权限的接口上添加注解
@PreAuthorize(" hasRole('admin')")
表示只有admin这个角色才能使用这个接口（hasRole('admin')实际匹配的是名为ROLE_admin的权限，所以第3步拼接角色编码时要加上ROLE_前缀）
@PreAuthorize(" hasAuthority('sys:user:list')")
表示必须有这个授权才能使用
2.在我们校验用户的类UserDetailsServiceImpl 上添加
不知道怎么定义UserDetailsServiceImpl 的可以看这个
怎么自定义spring security对用户信息进行校验及密码的加密校验-CSDN博客
package com.lzy.security;import com.lzy.entity.SysUser;
import com.lzy.service.ISysUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;import java.util.List;
@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    ISysUserService sysUserService;

    /**
     * Loads the account stored under {@code username} and attaches the authorities
     * resolved by {@link #getUserAuthority(Long)}.
     *
     * @param username login name to look up
     * @return an {@code AccountUser} built from the id, username, stored password and authorities
     * @throws UsernameNotFoundException when no account with that name exists
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        SysUser account = sysUserService.getByUsername(username);
        if (account == null) {
            throw new UsernameNotFoundException("用户名不存在");
        }
        Long accountId = account.getId();
        List<GrantedAuthority> authorities = getUserAuthority(accountId);
        return new AccountUser(accountId, account.getUsername(), account.getPassword(), authorities);
    }

    /**
     * Resolves the authorities of a user.
     *
     * <p>The service returns one comma-separated string (role codes and permission codes);
     * it is split into one {@link GrantedAuthority} per entry.
     *
     * @param userId id of the user whose authorities are wanted
     * @return the user's authorities, possibly empty
     */
    public List<GrantedAuthority> getUserAuthority(Long userId) {
        String commaSeparated = sysUserService.getUserAuthorityInfo(userId);
        return AuthorityUtils.commaSeparatedStringToAuthorityList(commaSeparated);
    }
}
添加
return new AccountUser(sysUser.getId(),sysUser.getUsername(),sysUser.getPassword(),getUserAuthority(sysUser.getId()));
// add this getUserAuthority(sysUser.getId()) argument: it is the authority list AccountUser carries
3.写getUserAuthorityInfo方法
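@Override
public String getUserAuthorityInfo(Long userId) {
    // Result is one comma-separated string: the user's role codes prefixed with "ROLE_",
    // followed by the permission codes of the menus reachable through those roles.
    if (userId == null) {
        return "";
    }
    String authority = "";
    // Roles of the user. The id is bound as a parameter ({0}) instead of being concatenated
    // into the sub-select, so no value is ever pasted into the SQL text.
    List<SysRole> roles = sysRoleService.list(new QueryWrapper<SysRole>()
            .apply("id in (select role_id from sys_user_role where user_id = {0})", userId));
    if (!roles.isEmpty()) {
        // hasRole('x') in @PreAuthorize matches the authority "ROLE_x", hence the prefix.
        String roleCodes = roles.stream()
                .map(r -> "ROLE_" + r.getCode())
                .collect(Collectors.joining(","));
        authority = roleCodes.concat(",");
    }
    // Permission codes of the menus granted through the user's roles.
    List<Long> menuIds = sysUserMapper.getNavMenuIds(userId);
    if (!menuIds.isEmpty()) {
        List<SysMenu> sysMenus = sysMenuService.listByIds(menuIds);
        // A menu without perms must not turn into the literal authority "null":
        // Collectors.joining renders a null element as the text "null".
        String permCodes = sysMenus.stream()
                .map(SysMenu::getPerms)
                .filter(p -> p != null && !p.isEmpty())
                .collect(Collectors.joining(","));
        authority = authority.concat(permCodes);
    }
    return authority;
}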
4.写getNavMenuIds方法和sql语句
<!-- Ids of the menus reachable through the user's roles. #{userId} is a bound parameter, not text pasted into the SQL. -->
<select id="getNavMenuIds" resultType="java.lang.Long">
    select Distinct rm.menu_id
    from sys_user_role ur
    left join sys_role_menu rm on ur.role_id = rm.role_id
    where ur.user_id = #{userId};
</select>
5.完成之后在jwt的校验类中填写
package com.lzy.security;import cn.hutool.core.util.StrUtil;
import com.lzy.entity.SysUser;
import com.lzy.service.ISysUserService;
import com.lzy.util.JwtUtil;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
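import java.io.IOException;

/**
 * Authenticates requests that carry a JWT in the {@code Authorization} header.
 *
 * <p>Requests without a token pass through untouched; a token that parses and is not
 * expired yields an authenticated {@link UsernamePasswordAuthenticationToken} whose
 * authorities come from {@link UserDetailsServiceImpl#getUserAuthority(Long)}.
 */
public class JwtAuthenticationFilter extends BasicAuthenticationFilter {

    // NOTE(review): field injection only works if this filter is itself a Spring bean;
    // if the security config creates it with "new", these stay null — confirm against the config.
    @Autowired
    JwtUtil jwtUtil;
    @Autowired
    UserDetailsServiceImpl userDetailsService;
    @Autowired
    ISysUserService sysUserService;

    public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    /**
     * Replaces the parent's basic-auth handling with JWT validation.
     *
     * @param request  incoming request, read for the {@code Authorization} header
     * @param response response passed down the chain unchanged
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     * @throws JwtException     when the token does not parse, has no claims, is expired,
     *                          or names an account that no longer exists
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // The raw header value is handed to jwtUtil.parseJwt as-is (no "Bearer " prefix is
        // stripped here); whether parseJwt expects that is decided in JwtUtil — confirm there.
        String jwt = request.getHeader("Authorization");
        // No token: stay anonymous and let the rest of the chain decide whether the URL needs authentication.
        if (StrUtil.isBlankOrUndefined(jwt)) {
            chain.doFilter(request, response);
            return;
        }
        Claims claims;
        try {
            claims = jwtUtil.parseJwt(jwt);
        } catch (Exception e) {
            // A token that does not parse is an invalid token, not a server fault: surface it as the
            // same JwtException the other checks use (still a RuntimeException) and keep the cause.
            throw new JwtException("token无效", e);
        }
        if (claims == null) {
            throw new JwtException("token无效");
        }
        if (jwtUtil.isJwtExpired(claims)) {
            throw new JwtException("token已过期");
        }
        String username = claims.getSubject();
        SysUser user = sysUserService.getByUsername(username);
        // The subject may name an account removed after the token was issued; without this
        // check the getId() call below throws NullPointerException.
        if (user == null) {
            throw new JwtException("token无效");
        }
        // The three-argument constructor marks the token as authenticated; credentials are not kept.
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                username, null, userDetailsService.getUserAuthority(user.getId()));
        SecurityContextHolder.getContext().setAuthentication(token);
        chain.doFilter(request, response);
    }
}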
因为这里从token中取到的是username，所以还需要根据username查出对应的SysUser对象，再用它的id去获取权限
@Autowired
UserDetailsServiceImpl userDetailsService;
// the JWT subject is the username, so the account has to be looked up by name first
SysUser byUsername = sysUserService.getByUsername(username);
写入
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, null, userDetailsService.getUserAuthority(byUsername.getId()));
// fill in userDetailsService.getUserAuthority(byUsername.getId()) here: the third argument is the authority list, and this constructor marks the token as authenticated