基于Spring Boot 3 + Spring Security6 + JWT + Redis实现接口资源鉴权

紧接上一篇文章，基于Spring Boot 3 + Spring Security6 + JWT + Redis实现接口资源鉴权

系列文章指路👉
系列文章-基于SpringBoot3创建项目并配置常用的工具和一些常用的类

项目源码👉
/shijizhe/boot-test

1. 修改 UserDetailsService

采用RBCA模型进行权限控制.

简化后我们有三个表： 用户表、用户角色关联表、角色权限关联表(表结构源码中有:src/main/resources/static/数据结构.sql)

修改取用户的权限列表

     <select id="listAuthorityById" resultType="java.lang.String">
          SELECT pe.permission_id
          FROM ya_user_role ro,
               ya_role_permission pe
          WHERE ro.role_id = pe.role_id
          AND ro.user_id = #{userId}
     </select>

将权限列表放入UserDetail中

2. 新增认证和鉴权异常统一处理程序

做这一步的目的是：程序遇到未知的错误，仍可以返回json形式的错误信息，可以帮助排查问题。

实现AuthenticationEntryPoint

/**
 * <p>
 *  认证异常处理
 * </p>
 *
 * @author Ya Shi
 * @since 2024/3/28 16:01
 */
@Component
@Slf4j
public class YaAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
        log.error("YaAuthenticationEntryPoint commence 认证过程中遇到异常：{}", authException.toString());
        ServletUtils.renderResult(response, new BaseResult<>(ResultEnum.FAILED_UNAUTHORIZED.code, "Security auth failed."));
    }
}

实现AccessDeniedHandler

/**
 * <p>
 * 鉴权异常处理
 * </p>
 *
 * @author Ya Shi
 * @since 2024/3/28 16:06
 */
@Component
@Slf4j
public class YaAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
        log.error("YaAccessDeniedHandler handle 鉴权过程中遇到异常：{}", accessDeniedException.toString());
        ServletUtils.renderResult(response, new BaseResult<>(ResultEnum.FAILED_FORBIDDEN.code, "鉴权失败：" + accessDeniedException.getMessage()));
    }
}

修改Security配置 YaSecurityConfig.securityFilterChain

1. 允许方法安全授权

@EnableMethodSecurity

2. securityFilterChain新增异常统一处理

 .exceptionHandling()
      .authenticationEntryPoint(authenticationEntryPoint)
      .accessDeniedHandler(accessDeniedHandler)
      .and()

剩余重复代码就不贴了，上篇文章有。

简单测试

给方法加权限控制

@PreAuthorize("hasAuthority('ya_fruit_list')")

    @GetMapping("/testApi")
    @Operation(summary = "testApi", description = "测试使用-直接返回成功")
    @PreAuthorize("hasAuthority('ya_fruit_list')")
    public Object testApi(){
        String userId = UserAuthUtils.getUserId();
        System.out.println(userId);
        return BaseResult.success(userId);
    }

调用测试（事先已登录）

请求一个没有权限的接口：

    @GetMapping("/testApi2")
    @Operation(summary = "testApi2", description = "测试使用2-直接返回成功")
    @PreAuthorize("hasAuthority('test_test_123456')")
    public Object testApi2(){
        String userId = UserAuthUtils.getUserId();
        System.out.println(userId);
        return BaseResult.success(userId);
    }