Authorization
Earlier, during authentication, the user was already granted its authorities (one GrantedAuthority per role) inside loadUserByUsername:
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    SysUser sysUser = userDao.findByName(username);
    // The UserDetailsService contract requires UsernameNotFoundException for an unknown
    // name; returning null makes DaoAuthenticationProvider fail with an internal error.
    // DAO failures are left to propagate; Spring wraps them as InternalAuthenticationServiceException.
    if (Objects.isNull(sysUser)) {
        throw new UsernameNotFoundException("user not found: " + username);
    }
    // Each persisted role name (e.g. ROLE_ADMIN) becomes one GrantedAuthority.
    List<SimpleGrantedAuthority> authorities = new ArrayList<>();
    for (SysRole role : sysUser.getRoles()) {
        authorities.add(new SimpleGrantedAuthority(role.getRoleName()));
    }
    log.info("{}", authorities);
    // A stored password that starts with {noop} is treated by Spring Security as plaintext.
    // enabled is derived from status == 1; the other three flags (account non-expired,
    // non-locked, credentials non-expired) are simply set to true here.
    return new User(username, sysUser.getPassword(), sysUser.getStatus() == 1,
            true, true, true, authorities);
}
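A unit test for the mapping above, added here as an example (it is not part of the original notes). It assumes the service class is called UserServiceImpl, that it keeps the DAO in a field named userDao (as the snippet shows), that SysUser and SysRole are non-final classes exposing the getters used above with getRoles() returning a List, and that the service follows the UserDetailsService contract by throwing UsernameNotFoundException for an unknown name. JUnit 4, Mockito and spring-test are assumed on the classpath.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;

import org.junit.Before;
import org.junit.Test;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.test.util.ReflectionTestUtils;

public class UserServiceImplTest {

    private UserDao userDao;
    private UserServiceImpl service;   // assumed name of the UserDetailsService implementation

    @Before
    public void setUp() {
        userDao = mock(UserDao.class);
        service = new UserServiceImpl();
        // The service reads its DAO from a field named userDao; inject the mock there.
        ReflectionTestUtils.setField(service, "userDao", userDao);
    }

    // Entity stubs built only through the getters the service actually calls.
    private static SysRole role(String name) {
        SysRole r = mock(SysRole.class);
        when(r.getRoleName()).thenReturn(name);
        return r;
    }

    private static SysUser user(String password, int status, SysRole... roles) {
        SysUser u = mock(SysUser.class);
        when(u.getPassword()).thenReturn(password);
        when(u.getStatus()).thenReturn(status);
        when(u.getRoles()).thenReturn(Arrays.asList(roles));
        return u;
    }

    private static Set<String> authorityNames(UserDetails details) {
        return details.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
    }

    @Test
    public void everyRoleBecomesOneGrantedAuthority() {
        when(userDao.findByName("alice"))
                .thenReturn(user("{noop}secret", 1, role("ROLE_PRODUCT"), role("ROLE_ADMIN")));

        UserDetails details = service.loadUserByUsername("alice");

        assertEquals(new HashSet<>(Arrays.asList("ROLE_PRODUCT", "ROLE_ADMIN")),
                authorityNames(details));
        // The {noop} prefix is handed over unchanged; DelegatingPasswordEncoder
        // interprets it later, at authentication time, not here.
        assertEquals("{noop}secret", details.getPassword());
        assertTrue(details.isEnabled());
    }

    @Test
    public void statusOtherThanOneDisablesTheAccount() {
        when(userDao.findByName("bob")).thenReturn(user("{noop}secret", 0, role("ROLE_ORDER")));

        UserDetails details = service.loadUserByUsername("bob");

        assertFalse(details.isEnabled());   // DaoAuthenticationProvider rejects disabled accounts
        assertEquals(new HashSet<>(Arrays.asList("ROLE_ORDER")), authorityNames(details));
    }

    @Test(expected = UsernameNotFoundException.class)
    public void unknownUserIsReportedByException() {
        when(userDao.findByName("nobody")).thenReturn(null);
        service.loadUserByUsername("nobody");
    }
}
```

The third test is the one that catches the contract violation: if the service returned null instead of throwing, DaoAuthenticationProvider would report an internal error rather than a failed login.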
Access control on the menu:

<security:authorize access="hasAnyRole('ROLE_PRODUCT','ROLE_ADMIN')">
    <li id="system-setting">
        <a href="${pageContext.request.contextPath}/product/findAll">
            <i class="fa fa-circle-o"></i> Product Management
        </a>
    </li>
</security:authorize>
<security:authorize access="hasAnyRole('ROLE_ORDER','ROLE_ADMIN')">
    <li id="system-setting">
        <a href="${pageContext.request.contextPath}/order/findAll">
            <i class="fa fa-circle-o"></i> Order Management
        </a>
    </li>
</security:authorize>

This means the Product Management entry is rendered only for users holding ROLE_PRODUCT or ROLE_ADMIN,
and the Order Management entry only for users holding ROLE_ORDER or ROLE_ADMIN.
Dynamic authorization with annotations
Spring Security can also control access to methods or classes through annotations. The annotations need matching support to be switched on: if an annotation is placed in a controller, the enabling element must go in the MVC configuration file, because controller classes are scanned and created by the MVC configuration; likewise, annotations placed in service classes need the enabling element in the Spring configuration file.
Enable the Spring Security annotations (placed in the Spring MVC configuration file):
<!-- Enable annotation support for access control
     secured-annotations: switch for Spring Security's own @Secured annotation
     pre-post-annotations: switch for Spring's expression-based @PreAuthorize/@PostAuthorize annotations
     jsr250-annotations: switch for the JSR-250 annotations (@RolesAllowed)
-->
<security:global-method-security
    secured-annotations="enabled"
    pre-post-annotations="enabled"
    jsr250-annotations="enabled"/>
Add the annotation:

@Controller
@RequestMapping("/product")
public class ProductController {

    // Only ROLE_ADMIN or ROLE_PRODUCT may invoke this handler, no matter how the URL is reached.
    @Secured({"ROLE_ADMIN", "ROLE_PRODUCT"})
    @RequestMapping("/findAll")
    public String findAll() {
        return "product-list";
    }
}
The three kinds of annotations
- @Secured({"ROLE_ADMIN","ROLE_PRODUCT"}): Spring Security's own annotation
- @RolesAllowed({"ROLE_ADMIN","ROLE_PRODUCT"}): JSR-250 annotation
- @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_PRODUCT')"): Spring EL expression annotation
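The <security:authorize> tag in the menu only decides whether a link is rendered; a user without ROLE_PRODUCT can still request /product/findAll directly, so the @Secured rule on the controller (or an intercept-url rule) is what actually protects it. The following MockMvc test, added here as an example that is not part of the original notes, checks both halves: the allowed role gets the page, a role that never sees the link gets 403, and an anonymous request is not served. It assumes the project wiring lives in two XML files named applicationContext.xml and spring-mvc.xml (names are assumptions), that the context can start in a test (any datasource it needs must be reachable), and that spring-security-test and JUnit 4 are on the classpath.

```java
import static org.hamcrest.CoreMatchers.not;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

// Assumed file names: the Spring (security + service) configuration and the
// Spring MVC configuration that holds <security:global-method-security>.
@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
@ContextConfiguration({"classpath:applicationContext.xml", "classpath:spring-mvc.xml"})
public class ProductAccessControlTest {

    @Autowired
    private WebApplicationContext context;

    private MockMvc mockMvc;

    @Before
    public void setUp() {
        // apply(springSecurity()) inserts the springSecurityFilterChain, so both the
        // URL rules and the @Secured/@PreAuthorize checks run for every mock request.
        mockMvc = MockMvcBuilders.webAppContextSetup(context)
                .apply(springSecurity())
                .build();
    }

    @Test
    @WithMockUser(username = "alice", roles = "PRODUCT")   // roles = "PRODUCT" yields ROLE_PRODUCT
    public void productRoleReachesTheProductList() throws Exception {
        mockMvc.perform(get("/product/findAll"))
                .andExpect(status().isOk());
    }

    @Test
    @WithMockUser(username = "bob", roles = "ORDER")
    public void orderRoleIsRefusedEvenThoughTheLinkIsHidden() throws Exception {
        // bob never sees the menu entry, but hiding it does not stop a direct request;
        // only the server-side rule turns that request into a 403.
        mockMvc.perform(get("/product/findAll"))
                .andExpect(status().isForbidden());
    }

    @Test
    public void anonymousRequestIsNotServed() throws Exception {
        // With form login the filter chain redirects to the login page (302); other
        // entry points may answer 401. Either way the page must not come back as 200.
        mockMvc.perform(get("/product/findAll"))
                .andExpect(status().is(not(200)));
    }
}
```

If the second test returns 200, the method-security element is most likely in the wrong configuration file: the controller proxy is only created when <security:global-method-security> sits in the context that scans the controllers, as the text above describes.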