Skip to content

minsx framework security

Jump to bottom
Joker edited this page Apr 4, 2018 · 5 revisions
项目描述:主要用于服务端权限控制
主要功能
  • 支持RBAC策略
  • 支持动态JAVASCRIPT/SPEL/GROOVY/OGNL等表达式权限校验
  • 支持元权限校验
  • 支持角色校验
  • 支持自定义权限校验
  • 支持注解校验
  • 支持统一请求信息校验
  • 支持事件通知
  • 支持单点登录(待完善)
全局配置
import com.minsx.framework.security.api.configure.WebSecurity;
import com.minsx.framework.security.api.configure.WebSecurityConfigurer;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SecurityConfig implements WebSecurityConfigurer {

    @Override
    public void configure(WebSecurity webSecurity) {
        webSecurity
                .enabled(true)
                .authorizeConfigurer()
                    .needAuthorize("/**")
                    .unNeedAuthorize("/", "/static/**")
                .and()
                    .loginConfigurer()
                    .loginAPIUrl("/api/login")
                    .loginPageUrl("/page/login")
                .and()
                    .logoutConfigurer()
                    .logoutAPIUrl("/api/logout");
    }
    
}
定义用户实体
import com.minsx.framework.security.api.authority.CustomAuthority;
import com.minsx.framework.security.api.authority.RequestAuthority;
import com.minsx.framework.security.api.basic.Role;
import com.minsx.framework.security.api.basic.SecurityUser;

import java.util.List;

public class User implements SecurityUser {

    private String username;

    private String password;

    private Boolean isLock;

    private Boolean isEnabled;

    private List<Role> roles;

    private List<CustomAuthority> customAuthorities;

    private List<RequestAuthority> requestAuthorities;

    @Override
    public String getUsername() {
        return this.username;
    }

    @Override
    public String getPassword() {
        return this.password;
    }

    @Override
    public Boolean isLocked() {
        return isLock;
    }

    @Override
    public Boolean isEnabled() {
        return isEnabled;
    }

    @Override
    public List<Role> getRoles() {
        return this.roles;
    }

    @Override
    public List<CustomAuthority> getCustomAuthorities() {
        return this.customAuthorities;
    }

    @Override
    public List<RequestAuthority> getRequestAuthorities() {
        return this.requestAuthorities;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public Boolean getLock() {
        return isLock;
    }

    public void setLock(Boolean lock) {
        isLock = lock;
    }

    public Boolean getEnabled() {
        return isEnabled;
    }

    public void setEnabled(Boolean enabled) {
        isEnabled = enabled;
    }

    public void setRoles(List<Role> roles) {
        this.roles = roles;
    }

    public void setCustomAuthorities(List<CustomAuthority> customAuthorities) {
        this.customAuthorities = customAuthorities;
    }

    public void setRequestAuthorities(List<RequestAuthority> requestAuthorities) {
        this.requestAuthorities = requestAuthorities;
    }
}
登录与授权
import com.minsx.example.security.entity.User;
import com.minsx.framework.security.api.authority.CustomAuthority;
import com.minsx.framework.security.api.authority.RequestAuthority;
import com.minsx.framework.security.api.basic.Role;
import com.minsx.framework.security.api.basic.SecurityUser;
import com.minsx.framework.security.api.exception.AuthorityDenyException;
import com.minsx.framework.security.api.exception.AuthorizationException;
import com.minsx.framework.security.api.service.LoadSecurityUserService;
import com.minsx.framework.security.api.simple.SimpleCustomAuthority;
import com.minsx.framework.security.api.simple.SimpleRequestAuthority;
import com.minsx.framework.security.api.simple.SimpleRole;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;
import java.util.ArrayList;
import java.util.List;

@Component
public class LoadSecurityUserServiceImpl implements LoadSecurityUserService {

    @Override
    public SecurityUser loadUser(HttpServletRequest httpServletRequest) throws AuthorizationException {
        User user = new User();
        user.setUsername(httpServletRequest.getParameter("username"));
        user.setPassword(httpServletRequest.getParameter("password"));
        user.setEnabled(true);
        user.setLock(false);

        List<Role> roles = new ArrayList<>();
        roles.add(new SimpleRole("admin"));
        roles.add(new SimpleRole("user"));
        user.setRoles(roles);

        List<RequestAuthority> requestAuthorities = new ArrayList<>();
        requestAuthorities.add(new SimpleRequestAuthority("/user/userInfo", "GET", "ALL"));
        requestAuthorities.add(new SimpleRequestAuthority("/user/select", "GET", "ALL"));
        requestAuthorities.add(new SimpleRequestAuthority("/user/deleteUser", "DELETE", "ALL"));
        requestAuthorities.add(new SimpleRequestAuthority("/user/update", "PUT", "name=good&age=25"));
        user.setRequestAuthorities(requestAuthorities);

        List<CustomAuthority> customAuthorizes = new ArrayList<>();
        customAuthorizes.add(new SimpleCustomAuthority("user", "good"));
        customAuthorizes.add(new SimpleCustomAuthority("user", "john"));
        customAuthorizes.add(new SimpleCustomAuthority("user", "joker"));
        customAuthorizes.add(new SimpleCustomAuthority("system", "mack"));
        user.setCustomAuthorities(customAuthorizes);

        if (!("admin".equals(user.getUsername()) && "admin".equals(user.getPassword()))) {
            throw new AuthorityDenyException(403, "username or password is incorrect");
        }
        return user;
    }

}
登录成功的事件监听
import com.alibaba.fastjson.JSON;
import com.minsx.framework.security.api.listener.LoginSuccessEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.stereotype.Component;

@Component
public class LoginSuccessEventListener implements ApplicationListener<LoginSuccessEvent>{

    @Override
    public void onApplicationEvent(LoginSuccessEvent event) {
        System.out.println(JSON.toJSONString(event.getAuthentication()));
    }

}
定义登录页面(非必须)
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping(value = "/user")
public class SystemController {

    @GetMapping(value = "/login")
    public String login() {
        return "login";
    }

}
验证基本权限
import com.minsx.framework.security.api.annotation.VerifyAuthority;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping(value = "/user")
public class SystemController {

    @DeleteMapping(value = "/deleteUser")
    @VerifyAuthority(value = {"user:good", "system:mack", "group:jack"}, logic = Logic.OR)
    public ResponseEntity<?> deleteUser() {
        return new ResponseEntity<Object>("success", HttpStatus.OK);
    }

}
验证角色
import com.minsx.framework.security.api.annotation.Logic;
import com.minsx.framework.security.api.annotation.Order;
import com.minsx.framework.security.api.annotation.Scope;
import com.minsx.framework.security.api.annotation.VerifyRole;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
@RequestMapping(value = "/user")
public class SystemController {

    @DeleteMapping(value = "/deleteUser")
    @VerifyRole(value = {"admin", "user", "super"}, logic = Logic.AND, order = Order.BEFORE, scope = Scope.EXCLUDE)
    public ResponseEntity<?> deleteUser() {
        return new ResponseEntity<Object>("success", HttpStatus.OK);
    }

}
验证表达式
import com.minsx.framework.security.api.annotation.Script;
import com.minsx.framework.security.api.annotation.VerifyExpression;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
@RequestMapping(value = "/user")
public class SystemController {

    @DeleteMapping(value = "/deleteUser")
    @VerifyExpression(value = {"'good'==#name"},script = Script.SPEL)
    public ResponseEntity<?> deleteUser(@RequestParam String name) {
        return new ResponseEntity<Object>("success", HttpStatus.OK);
    }

}
Maven依赖使用请参考
  • POM引入(暂未发布):
<dependency>
  <groupId>com.minsx</groupId>
  <artifactId>minsx-framework-security</artifactId>
  <version>1.0.0</version>
</dependency>

Minsx-framework Apache License Version 2.0 http://www.apache.org/licenses/

Minsx-framework

项目文档

联系方式
Clone this wiki locally