Platform management background and merchant menu resource management: access control design of platform management background
2022-06-26 16:58:00 【Seconds to write code】
Platform management background access control design
The access control design here is implemented with Spring Security. It is similar to the access control part of the SSO design in Chapter 10; the differences are that OAuth 2 is not needed and that authority management is implemented in a simpler way. We skip the parts that are the same and explain only the differences. All of this is implemented in the manage-web module.
Using operators in access control
Create a MyUserDetails class that implements Spring Security's UserDetails, so that Operators users and their authorities can be brought into access control. The code is as follows:
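import java.util.Collection;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

public class MyUserDetails implements UserDetails {
    private String username;
    private String password;
    private Collection<? extends GrantedAuthority> authorities;
    private Operators operators;

    public MyUserDetails(String username, String password,
            Collection<? extends GrantedAuthority> authorities, Operators operators) {
        this.username = username;
        this.password = password;
        this.authorities = authorities;
        this.operators = operators;
        // Clear the password on the attached Operators object so it is not carried in the principal
        this.operators.setPassword(null);
    }
    ...
}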
Create a MyUserDetailsService service and reference it in the configuration class SecurityConfiguration, so that Spring Security authenticates and authorizes against the users and permissions we define. For implementation details, refer to the earlier SSO design.
Platform management background authority management design
Authority management is implemented here in a relatively simple way: through configuration parameters. The implementation is as follows.
First, add the following configuration items to the module's application configuration:
securityconfig:
  logoutsuccssurl: /
  permitall:
    - /druid/**
    - /bbs**
  deniedpage: /deny
  urlroles: /**/new/** = admins;
            /**/edit/** = admins, editors;
            /**/delete/** = admins
These configuration parameters are bound by a custom configuration class, SecuritySettings.
Among them, urlroles is the authority-management parameter. It sets access rights according to the requested URL. Only two roles (or user groups) are configured here: admins and editors. In the URL patterns, the keywords new, edit and delete, combined with the wildcard "*", stand for the create, edit and delete operations.
The controllers must use the same keywords in their URLs, for example in @RequestMapping declarations such as:
@RequestMapping("/new")
@RequestMapping(value = "/edit/{id}")
@RequestMapping(value = "/update", method = RequestMethod.POST)
@RequestMapping(value = "/delete/{id}")
Second, the security metadata source CustomSecurityMetadataSource uses the design shown below:
public CustomSecurityMetadataSource(String urlroles) {
    super();
    this.urlroles = urlroles;
    resourceMap = loadResourceMatchAuthority();
}

// Parse "pattern = role, role; pattern = role" into a pattern -> required roles map
private Map<String, Collection<ConfigAttribute>> loadResourceMatchAuthority() {
    Map<String, Collection<ConfigAttribute>> map =
            new HashMap<String, Collection<ConfigAttribute>>(0);
    if (urlroles != null && !urlroles.isEmpty()) {
        String[] resouces = urlroles.split(";");
        for (String resource : resouces) {
            String[] urls = resource.split("=");
            String[] roles = urls[1].split(",");
            Collection<ConfigAttribute> list = new ArrayList<ConfigAttribute>();
            for (String role : roles) {
                ConfigAttribute config = new SecurityConfig(role.trim());
                list.add(config);
            }
            // key: url, value: roles
            map.put(urls[0].trim(), list);
        }
    } else {
        logger.error("'securityconfig.urlroles' must be set");
    }
    logger.info("Loaded UrlRoles Resources.");
    return map;
}
With this design, the permission configuration above is loaded at system startup as the security metadata, which is the basis for the later authority checks.
Finally, the authority check in CustomAccessDecisionManager uses the design shown below:
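import java.util.Collection;
import java.util.Iterator;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class CustomAccessDecisionManager implements AccessDecisionManager {
    protected Log log = LogFactory.getLog(getClass());

    @Override
    public void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // No security metadata for this resource: nothing to check
        if (configAttributes == null) {
            return;
        }
        // config urlroles
        Iterator<ConfigAttribute> iterator = configAttributes.iterator();
        while (iterator.hasNext()) {
            ConfigAttribute configAttribute = iterator.next();
            // need role
            String needRole = configAttribute.getAttribute();
            // user roles
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                if (needRole.equals(ga.getAuthority())) {
                    return;
                }
            }
            log.info("need role is " + needRole);
        }
        throw new AccessDeniedException("Cannot Access!");
    }
    // Required by the AccessDecisionManager interface
    @Override
    public boolean supports(ConfigAttribute attribute) { return true; }
    @Override
    public boolean supports(Class<?> clazz) { return true; }
}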
When a user accesses a resource that has security metadata, the user's role list is checked for a matching role; this is how the authority check is carried out.
This simplified design requires that the roles we create have names matching those in the configuration, that is, admins and editors.
To control permissions through managed data and get richer authority management, refer to Section 10.4.
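A coverage check for this configuration, as an added example that is not part of the original article or its project: it splits the urlroles value the way loadResourceMatchAuthority() does and reports which request paths end up with required roles. Assumptions: patterns are matched with Spring's AntPathMatcher (the page does not show the lookup code), the /operator prefix is hypothetical, and spring-core is on the classpath.

```java
import java.util.*;
import org.springframework.util.AntPathMatcher;

// Added example: audits which request paths the page's urlroles setting covers.
public class UrlRolesCoverageCheck {

    // Splitting as in loadResourceMatchAuthority(): ';' between entries, '=' between
    // pattern and roles, ',' between roles, values trimmed.
    static Map<String, List<String>> parse(String urlroles) {
        Map<String, List<String>> map = new LinkedHashMap<>();
        for (String entry : urlroles.split(";")) {
            String[] parts = entry.split("=");
            if (parts.length != 2) continue; // unlike the original, skip malformed entries
            List<String> roles = new ArrayList<>();
            for (String role : parts[1].split(",")) roles.add(role.trim());
            map.put(parts[0].trim(), roles);
        }
        return map;
    }

    // Roles required for a path, or null when no pattern matches.
    // Ant-style matching is an assumption; the page does not show the lookup.
    static List<String> requiredRoles(Map<String, List<String>> map, String path) {
        AntPathMatcher matcher = new AntPathMatcher();
        for (Map.Entry<String, List<String>> e : map.entrySet()) {
            if (matcher.match(e.getKey(), path)) return e.getValue();
        }
        return null;
    }

    public static void main(String[] args) {
        // urlroles value taken from the configuration on this page
        String urlroles = "/**/new/** =admins; /**/edit/**=admins, editors; /**/delete/** =admins";
        Map<String, List<String>> map = parse(urlroles);
        // Constructed paths: the page's mappings under a hypothetical /operator prefix
        String[] paths = {"/operator/new", "/operator/edit/1",
                          "/operator/update", "/operator/delete/1"};
        for (String path : paths) {
            List<String> roles = requiredRoles(map, path);
            // No match means no ConfigAttribute, so there is no role for decide() to check
            System.out.println(path + " -> " + (roles == null ? "NO ROLE REQUIRED" : roles));
        }
    }
}
```

A path reported with no required roles, such as one built on the /update mapping shown earlier, carries no security metadata and is not subject to the role check; give it its own urlroles entry if it should be restricted.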
After completing all of the designs above, you can start testing.
Start the manage-web application directly. After it starts successfully, enter the following link in the browser to log in to the system:
http://localhost:8099
Log in with the user name admin generated in the earlier unit test. After logging in, you can manage the data of operators and their roles, as shown in Figure 11-1.
This article covered platform management background and merchant menu resource management: access control design of the platform management background.
- The next article covers platform management background and merchant menu resource management: business registration management design.