Implementing simple url permission interception with Spring Security

In a system, intercepting requests according to permissions is very common, and the interception is usually keyed on the url. So how should this be configured in Spring Security?

The general steps are as follows:

1. After the user logs in successfully, we need to get the permissions owned by the user and save them to the current authentication object.

   |- SecurityUserDetailServiceImpl#loadUserByUsername(String): after looking up the user by user name, query the user's permissions as well.

2. When a user accesses a url, we need to determine whether the currently authenticated user has the permissions required by the url being accessed.

   |- When the system starts, all resources (urls) need to be loaded together with the permissions they require.

   |- When the user accesses a url that carries a permission requirement, the permission required by that url is compared with the permissions the current user holds:

      > if the user holds it, the request is let through;

      > if not, the request is refused.

3. Modify the Spring Security configuration file and add our own permission check.


So how do we know which permissions a user has? We can implement it with a simple RBAC permission model. The system has users (sys_user), roles (sys_role) and resources (sys_resources); users and roles have a many-to-many relationship (sys_user_role), and roles and resources also have a many-to-many relationship (sys_role_resource).

In the resource table, the url and the permissions required by the url are recorded.


Based on the previous article "Understanding spring security", let's make a simple modification to implement url permission interception.


1. Modify the SecurityUserDetailServiceImpl class so that, when the user logs in successfully, the permissions owned by the user are added to the authentication object.

   Note: In the above figure, you can see that the user has three permissions: admin, 01, and 0102


2. Write a method that implements the url permission check in the system

import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;

import lombok.extern.slf4j.Slf4j;

/**
 * Security resource decisions in the system
 *
 * @author huan
 * @time November 4th, 2017 - 12:32:11 pm
 */
@Slf4j
@Component("securityResourceDecisionHandler")
public class SecurityResourceDecisionHandler {

	/**
	 * Save the url (an Ant-style pattern) and the permissions required by the url.
	 * Note: ConcurrentHashMap has no defined iteration order, so if two patterns
	 * could match the same uri the winning entry is not deterministic; keep the
	 * patterns disjoint (as below) or switch to an ordered map.
	 */
	private static final Map<String, List<GrantedAuthority>> URL_AUTHS = new ConcurrentHashMap<>();

	static {
		URL_AUTHS.put("/xx", Arrays.asList(new SimpleGrantedAuthority("01")));
		URL_AUTHS.put("/xx/x", Arrays.asList(new SimpleGrantedAuthority("01")));
		URL_AUTHS.put("/yy", Arrays.asList(new SimpleGrantedAuthority("0102")));
		URL_AUTHS.put("/zz/**", Arrays.asList(new SimpleGrantedAuthority("010201")));
	}

	private final AntPathMatcher pathMatcher = new AntPathMatcher();

	/**
	 * Custom decision
	 *
	 * @param authentication the authentication object of the current user
	 * @param request        the current request
	 * @return true: has permission to access; false: no permission to access
	 */
	public boolean auth(Authentication authentication, HttpServletRequest request) {
		// Strip only the leading context path (replace() would remove every occurrence of it)
		String uri = request.getRequestURI().substring(request.getContextPath().length());
		for (Entry<String, List<GrantedAuthority>> entry : URL_AUTHS.entrySet()) {
			if (pathMatcher.match(entry.getKey(), uri)) {
				// The uri has a configured requirement: the user must hold at least one of the listed authorities
				Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
				for (GrantedAuthority grantedAuthority : authorities) {
					if (entry.getValue().contains(grantedAuthority)) {
						return true;
					}
				}
				log.warn("The currently accessed uri: {}, the required permission is: {}, the current user does not have this permission.", uri, entry.getValue());
				return false;
			}
		}

		// The uri has no configured permission: any logged-in (non-anonymous) user may access it
		if (authentication.isAuthenticated() && !Objects.equals("anonymousUser", authentication.getPrincipal())) {
			return true;
		}

		// Not logged in: deny
		return false;
	}
}

   Note: the permission required by the /zz/** url is 010201, and the currently logged-in user does not hold this permission.


3. Modify the Spring Security configuration file

4. View the results: the /zz/** url requires permission 010201, and we hold only the two permissions 01 and 0102, so access is reported as denied. At this point, a simple url interception based on Spring Security is complete.
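The configuration step above (step 3) and the result check (step 4), as an added example that is not the original post's code: it wires the handler into Spring Security through a SpEL bean reference and then exercises the decision with a unit test. It assumes Spring Boot 2.x / Spring Security 5.x (WebSecurityConfigurerAdapter), JUnit 5 and spring-test on the classpath, and that the SecurityResourceDecisionHandler class from the post is visible to the test; the user name "huan" and the uri "/zz/report" are constructed sample values.

```java
// ---- WebSecurityConfig.java (added example, not the post's own config) ----
// Assumes Spring Boot 2.x / Spring Security 5.x and the bean name
// "securityResourceDecisionHandler" declared on the handler above.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // "authentication" and "request" are built-in variables of the web
                // SpEL context; the bean decides allow/deny for every url.
                .anyRequest().access("@securityResourceDecisionHandler.auth(authentication, request)")
            .and().formLogin()
            .and().logout();
    }
}

// ---- SecurityResourceDecisionHandlerTest.java (JUnit 5 + spring-test) ----
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

class SecurityResourceDecisionHandlerTest {
    private final SecurityResourceDecisionHandler handler = new SecurityResourceDecisionHandler();

    @Test
    void decisionsMatchTheRulesInThePost() {
        // Constructed sample user, fully authenticated, holding the post's three authorities.
        Authentication huan = new UsernamePasswordAuthenticationToken("huan", "n/a",
                AuthorityUtils.createAuthorityList("admin", "01", "0102"));
        Authentication anon = new AnonymousAuthenticationToken("key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

        assertTrue(handler.auth(huan, new MockHttpServletRequest("GET", "/xx")));        // needs 01
        assertFalse(handler.auth(huan, new MockHttpServletRequest("GET", "/zz/report"))); // needs 010201
        assertTrue(handler.auth(huan, new MockHttpServletRequest("GET", "/unlisted")));  // login only
        assertFalse(handler.auth(anon, new MockHttpServletRequest("GET", "/unlisted"))); // not logged in
    }
}
```

The anonymous case matters because AnonymousAuthenticationToken reports isAuthenticated() as true, which is why the handler also compares the principal against "anonymousUser".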
