RBAC permission analysis
The full name of RBAC is role-based access control. This section will explain RBAC from several aspects such as what is RBAC, model classification, what is authority, the use of user groups, and example analysis.
mind Mapping
Draw a mind map as follows
What is RBAC
The full name of RBAC is User Role Access Control. Users are associated with roles and permissions are associated with roles. In this way, the permissions granted to users are inter-level, as shown in the following figure
For a common system, there are multiple users with the same authority. When assigning, the relevant authority should be assigned to the specified user. When modifying, the authority of these users must be modified in turn. With For the permission of the role, when modifying the permission, you only need to modify the role to realize the modification of the relevant permission. Doing so increases efficiency and reduces the occurrence of privilege vulnerabilities.
Model classification
For the RBAC model, it is divided into the following four models: RBAC0, RBAC1, RBAC2, and RBAC3. This section will introduce these four models in turn, and the most commonly used model is RBAC0.
RBAC0
RBAC0 is the simplest RBAC model, which contains two types.
There is a many-to-one relationship between users and roles, that is, one user only plays one role, and one role can be played by multiple roles. There is a many-to-many relationship between users and roles, that is, a user can act in multiple roles at the same time, and a role can have multiple users.
This system has a single function and a small number of personnel. Here is a chestnut. Zhang San is not only in charge of administration, but also in charge of finance. At this time, Zhang San has two authorities, namely administrative authority and financial authority.
RBAC1
Compared with the RBAC0 model, sub-roles are added and the concept of inheritance is introduced.
RBAC2 model
Here the RBAC2 model, based on the RBAC0 model, adds some functions and restrictions
Mutually exclusive roles
That is, the same user cannot have two mutually exclusive roles. For example, in the financial system, a user cannot have the two roles of accountant and audit.
cardinality constraints
That is, with a role, the members it has are fixed. For example, for the role of CEO, the same role can only have one user.
prerequisites
That is, for this role, if you want to get a higher role, you need to get a lower level role first. For example, for the two permissions of deputy general manager and manager, you need to have the authority of the deputy general manager before you can have the authority of the manager. The authority of the deputy general manager is a prerequisite for the authority of the manager.
runtime mutex
That is, a user can have two roles, but these two roles cannot be used at the same time, and the role needs to be switched to enter another role. For example, for the two roles of general manager and commissioner, the system can only have one role for a certain period of time, and cannot operate on these two roles at the same time.
RBAC3 model
That is, RBAC1, RBAC2, and the two models are all accumulated, which is called a unified model.
what is permission
Permissions are a collection of resources, where resources refer to all content in the software, that is, the permissions to operate pages, access permissions to pages, and permissions to add, delete, check, and modify data. Take a chestnut. For the system in the figure below,
Ownership, plan management, customer management, contract management, inbound and outbound notice management, grain safety traceability, grain statistics query, equipment management pages, access to these pages, and access to the menu are all permissions .
Use of user groups
For user groups, many users are divided into one group, and roles are granted in batches, that is, permissions are granted in batches. For example, for a department, a department has more than 10,000 employees, and these employees all have the same role. If there is no user group, you may need to grant related roles one by one. After you have a user group, you only need to , divide all these users into a group, and then grant roles to the group, which is equivalent to granting roles to these users.
Advantages: Reduce workload, easy to understand, increase multi-level management, etc. The latest interview questions have been sorted out, click on the Java interview library applet to brush the questions online.
Spring Security is simple to use
First add dependencies
I won’t introduce the basics of Spring Boot. I recommend this practical tutorial: https://github.com/javastacks/spring-boot-best-practice
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Then add the relevant access interface
package com.example.demo.web;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("/test")
public class Test {
@RequestMapping("/test")
public String test(){
return "test";
}
}
Finally start the project and check the relevant password in the log
Access interface, you can see the relevant login interface
Enter username and associated password
用户名:user
密码 984cccf2-ba82-468e-a404-7d32123d0f9c
login successful
Add username and password
In the configuration file, write the relevant login and password
spring:
security:
user:
name: ming
password: 123456
roles: admin
On the login page, enter the user name and password to log in normally. In addition, the Spring series of interview questions and answers have all been sorted out. WeChat searches the Java technology stack and sends it in the background: interview, which can be read online.
memory-based authentication
Custom classes need to inherit WebSecurityConfigurerAdapter code as follows
package com.example.demo.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
PasswordEncoder passwordEncoder(){
return NoOpPasswordEncoder.getInstance();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password("123").roles("admin");
}
}
That is, the configured user name is admin, the password is 123, and the role is admin
HttpSecurity
Some methods are intercepted here
package com.ming.demo.interceptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//基于内存的用户存储
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("itguang").password("123456").roles("USER").and()
.withUser("admin").password("{noop}" + "123456").roles("ADMIN");
}
//请求拦截
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().permitAll()
.and()
.formLogin()
.permitAll()
.and()
.logout()
.permitAll();
}
}
That is, the interception of all method access is completed here.
Spring Security integrates JWT
This is a small demo, the purpose is to return the token generated by jwt after login
Recommend a Spring Boot basic tutorial and practical example:
https://github.com/javastacks/spring-boot-best-practice
import dependencies
Add web dependencies
Import JWT and Security dependencies
<!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>2.3.1.RELEASE</version>
</dependency>
Create a JwtUser that implements UserDetails
Create a related JavaBean
package com.example.demo;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.Collection;
public class JwtUser implements UserDetails {
private String username;
private String password;
private Integer state;
private Collection<? extends GrantedAuthority> authorities;
public JwtUser(){
}
public JwtUser(String username, String password, Integer state, Collection<? extends GrantedAuthority> authorities){
this.username = username;
this.password = password;
this.state = state;
this.authorities = authorities;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return authorities;
}
@Override
public String getPassword() {
return this.password;
}
@Override
public String getUsername() {
return this.username;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
Write a tool class to generate tokens
Write tool classes to generate tokens, refresh tokens, and verify tokens
package com.example.demo;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.userdetails.UserDetails;
import java.io.Serializable;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
public class JwtTokenUtil implements Serializable {
private String secret;
private Long expiration;
private String header;
private String generateToken(Map<String, Object> claims) {
Date expirationDate = new Date(System.currentTimeMillis() + expiration);
return Jwts.builder().setClaims(claims).setExpiration(expirationDate).signWith(SignatureAlgorithm.HS512, secret).compact();
}
private Claims getClaimsFromToken(String token) {
Claims claims;
try {
claims = Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
} catch (Exception e) {
claims = null;
}
return claims;
}
public String generateToken(UserDetails userDetails) {
Map<String, Object> claims = new HashMap<>(2);
claims.put("sub", userDetails.getUsername());
claims.put("created", new Date());
return generateToken(claims);
}
public String getUsernameFromToken(String token) {
String username;
try {
Claims claims = getClaimsFromToken(token);
username = claims.getSubject();
} catch (Exception e) {
username = null;
}
return username;
}
public Boolean isTokenExpired(String token) {
try {
Claims claims = getClaimsFromToken(token);
Date expiration = claims.getExpiration();
return expiration.before(new Date());
} catch (Exception e) {
return false;
}
}
public String refreshToken(String token) {
String refreshedToken;
try {
Claims claims = getClaimsFromToken(token);
claims.put("created", new Date());
refreshedToken = generateToken(claims);
} catch (Exception e) {
refreshedToken = null;
}
return refreshedToken;
}
public Boolean validateToken(String token, UserDetails userDetails) {
JwtUser user = (JwtUser) userDetails;
String username = getUsernameFromToken(token);
return (username.equals(user.getUsername()) && !isTokenExpired(token));
}
}
Write an interceptor
Write Filter to detect JWT
The latest interview questions have been sorted out, click on the Java interview library applet to brush the questions online.
package com.example.demo;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private JwtTokenUtil jwtTokenUtil;
@Override
protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
String authHeader = httpServletRequest.getHeader(jwtTokenUtil.getHeader());
if (authHeader != null && StringUtils.isNotEmpty(authHeader)) {
String username = jwtTokenUtil.getUsernameFromToken(authHeader);
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
if (jwtTokenUtil.validateToken(authHeader, userDetails)) {
UsernamePasswordAuthenticationToken authentication =
new UsernamePasswordAuthenticationToken(userDetails,null,userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest));
SecurityContextHolder.getContext().setAuthentication(authentication);
}
}
}
filterChain.doFilter(httpServletRequest, httpServletResponse);
}
}
Write the implementation class of userDetailsService
In the above code, write the userDetailsService class to implement its verification process
package com.example.demo;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import javax.management.relation.Role;
import java.util.List;
@Service
public class JwtUserDetailsServiceImpl implements UserDetailsService {
@Autowired
private UserMapper userMapper;
@Override
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
User user = userMapper.selectByUserName(s);
if (user == null) {
throw new UsernameNotFoundException(String.format("'%s'.这个用户不存在", s));
}
List<SimpleGrantedAuthority> collect = user.getRoles().stream().map(Role::getRolename).map(SimpleGrantedAuthority::new).collect(Collectors.toList());
return new JwtUser(user.getUsername(), user.getPassword(), user.getState(), collect);
}
}
write login
Write the implementation class of the login business, and its login method will return a token of JWTUtils
I won’t introduce the basics of Spring Boot. I recommend this practical tutorial:
https://github.com/javastacks/spring-boot-best-practice
@Service
public class UserServiceImpl implements UserService {
@Autowired
private UserMapper userMapper;
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private JwtTokenUtil jwtTokenUtil;
public User findByUsername(String username) {
User user = userMapper.selectByUserName(username);
return user;
}
public RetResult login(String username, String password) throws AuthenticationException {
UsernamePasswordAuthenticationToken upToken = new UsernamePasswordAuthenticationToken(username, password);
final Authentication authentication = authenticationManager.authenticate(upToken);
SecurityContextHolder.getContext().setAuthentication(authentication);
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
return new RetResult(RetCode.SUCCESS.getCode(),jwtTokenUtil.generateToken(userDetails));
}
}
Finally configure Config
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
@Autowired
public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder.userDetailsService(this.userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean(name = BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers("/auth/**").permitAll()
.anyRequest().authenticated()
.and().headers().cacheControl();
http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http.authorizeRequests();
registry.requestMatchers(CorsUtils::isPreFlightRequest).permitAll();
}
@Bean
public CorsFilter corsFilter() {
final UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
final CorsConfiguration cors = new CorsConfiguration();
cors.setAllowCredentials(true);
cors.addAllowedOrigin("*");
cors.addAllowedHeader("*");
cors.addAllowedMethod("*");
urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", cors);
return new CorsFilter(urlBasedCorsConfigurationSource);
}
}
Run, return token
Run, the return result is token
Spring Security JSON Login
Configure the JSON login of Spring Security here
Here you need to rewrite the UsernamePasswordAnthenticationFilter class and configure SpringSecurity
Override UsernamePasswordAnthenticationFilter
public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
//attempt Authentication when Content-Type is json
if(request.getContentType().equals(MediaType.APPLICATION_JSON_UTF8_VALUE)
||request.getContentType().equals(MediaType.APPLICATION_JSON_VALUE)){
//use jackson to deserialize json
ObjectMapper mapper = new ObjectMapper();
UsernamePasswordAuthenticationToken authRequest = null;
try (InputStream is = request.getInputStream()){
AuthenticationBean authenticationBean = mapper.readValue(is,AuthenticationBean.class);
authRequest = new UsernamePasswordAuthenticationToken(
authenticationBean.getUsername(), authenticationBean.getPassword());
}catch (IOException e) {
e.printStackTrace();
authRequest = new UsernamePasswordAuthenticationToken(
"", "");
}finally {
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
}
//transmit it to UsernamePasswordAuthenticationFilter
else {
return super.attemptAuthentication(request, response);
}
}
}
Configure SecurityConfig
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and()
.antMatcher("/**").authorizeRequests()
.antMatchers("/", "/login**").permitAll()
.anyRequest().authenticated()
//这里必须要写formLogin(),不然原有的UsernamePasswordAuthenticationFilter不会出现,也就无法配置我们重新的UsernamePasswordAuthenticationFilter
.and().formLogin().loginPage("/")
.and().csrf().disable();
//用重写的Filter替换掉原有的UsernamePasswordAuthenticationFilter
http.addFilterAt(customAuthenticationFilter(),
UsernamePasswordAuthenticationFilter.class);
}
//注册自定义的UsernamePasswordAuthenticationFilter
@Bean
CustomAuthenticationFilter customAuthenticationFilter() throws Exception {
CustomAuthenticationFilter filter = new CustomAuthenticationFilter();
filter.setAuthenticationSuccessHandler(new SuccessHandler());
filter.setAuthenticationFailureHandler(new FailureHandler());
filter.setFilterProcessesUrl("/login/self");
//这句很关键,重用WebSecurityConfigurerAdapter配置的AuthenticationManager,不然要自己组装AuthenticationManager
filter.setAuthenticationManager(authenticationManagerBean());
return filter;
}
This completes logging into Spring Security using json.
The latest interview questions have been sorted out, click on the Java interview library applet to brush the questions online.
Spring Security password encryption method
The following needs to be configured in the Config class
/**
* 密码加密
*/
@Bean
public BCryptPasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
That is, use this method to encrypt the password, and use this encryption method at the business layer
@Service
@Transactional
public class UserServiceImpl implements UserService {
@Resource
private UserRepository userRepository;
@Resource
private BCryptPasswordEncoder bCryptPasswordEncoder; //注入bcryct加密
@Override
public User add(User user) {
user.setPassword(bCryptPasswordEncoder.encode(user.getPassword())); //对密码进行加密
User user2 = userRepository.save(user);
return user2;
}
@Override
public ResultInfo login(User user) {
ResultInfo resultInfo=new ResultInfo();
User user2 = userRepository.findByName(user.getName());
if (user2==null) {
resultInfo.setCode("-1");
resultInfo.setMessage("用户名不存在");
return resultInfo;
}
//判断密码是否正确
if (!bCryptPasswordEncoder.matches(user.getPassword(),user2.getPassword())) {
resultInfo.setCode("-1");
resultInfo.setMessage("密码不正确");
return resultInfo;
}
resultInfo.setMessage("登录成功");
return resultInfo;
}
}
That is, use BCryptPasswordEncoder to encrypt the password and save the database
Use database authentication
Here use database authentication SpringSecurity
design data sheet
design data table here
Focus on configuring SpringConfig
@Configurable
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserService userService; // service 层注入
@Bean
PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// 参数传入Service,进行验证
auth.userDetailsService(userService);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin/**").hasRole("admin")
.anyRequest().authenticated()
.and()
.formLogin()
.loginProcessingUrl("/login").permitAll()
.and()
.csrf().disable();
}
}
Here we focus on configuring SpringConfig
summary
It focuses on RBAC permission configuration, simple use of Spring Security, and the use of Spring Security + JWT to complete the separation of front and back ends, as well as configuration of json login and password encryption.