龙采网站建设案例友情链接交换工具
在之前的博客中,已经介绍了Spring Security的用户UserDetails、用户服务UserDetailsService和密码编码器PasswordEncoder,它们都是用于验证用户的身份,而GrantedAuthority则表示用户验证通过后被授予的权限(可能授予多种权限),本篇博客介绍GrantedAuthority接口及其实现类。
- Spring Security:用户UserDetails源码与Debug分析
- Spring Security:用户服务UserDetailsService源码分析
- Spring Security:密码编码器PasswordEncoder介绍与Debug分析
应用的依赖:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>com.kaven</groupId><artifactId>security</artifactId><version>1.0-SNAPSHOT</version><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.3.1.RELEASE</version></parent><properties><maven.compiler.source>8</maven.compiler.source><maven.compiler.target>8</maven.compiler.target></properties><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId></dependency></dependencies>
</project>
启动类:
@SpringBootApplication
public class Application {public static void main(String[] args) {SpringApplication.run(Application.class);}
}
GrantedAuthority
GrantedAuthority接口源码:
package org.springframework.security.core;import java.io.Serializable;import org.springframework.security.access.AccessDecisionManager;/*** 表示授予Authentication对象(需要进行验证或通过验证的用户封装)的权限*/
public interface GrantedAuthority extends Serializable {/*** 获取权限*/String getAuthority();
}
GrantedAuthority接口及其实现类,如下图所示:
SimpleGrantedAuthority
GrantedAuthority的基本具体实现,存储授予Authentication对象的权限的String表示形式。
SimpleGrantedAuthority类源码:
public final class SimpleGrantedAuthority implements GrantedAuthority {private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;// 授予Authentication对象的权限private final String role;public SimpleGrantedAuthority(String role) {Assert.hasText(role, "A granted authority textual representation is required");this.role = role;}@Overridepublic String getAuthority() {return role;}// 只会比较role属性是否equals@Overridepublic boolean equals(Object obj) {if (this == obj) {return true;}if (obj instanceof SimpleGrantedAuthority) {return role.equals(((SimpleGrantedAuthority) obj).role);}return false;}@Overridepublic int hashCode() {return this.role.hashCode();}@Overridepublic String toString() {return this.role;}
}
增加配置文件:
spring:security:user:name: kavenpassword: itkavenroles:- USER- ADMIN
Debug启动应用,Spring Security在应用启动时会创建配置文件中定义的用户,首先会创建用户服务(InMemoryUserDetailsManager)bean。
通过用户服务创建用户,并且授予权限(通过创建SimpleGrantedAuthority实例)。
可见,SimpleGrantedAuthority是默认的授权实现(特殊场景除外),它只存储权限,是一种简易的授权实现。
JaasGrantedAuthority
JaasGrantedAuthority类源码:
/*** 除了分配的角色,还持有授权人(AuthorityGranter)的主体(Principal),用作授予此权限的理由*/
public final class JaasGrantedAuthority implements GrantedAuthority {private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;private final String role;// 授权人的主体private final Principal principal;public JaasGrantedAuthority(String role, Principal principal) {Assert.notNull(role, "role cannot be null");Assert.notNull(principal, "principal cannot be null");this.role = role;this.principal = principal;}public Principal getPrincipal() {return principal;}@Overridepublic String getAuthority() {return role;}@Overridepublic int hashCode() {int result = this.principal.hashCode();result = 31 * result + this.role.hashCode();return result;}// 判断role属性和principal属性是否都equals@Overridepublic boolean equals(Object obj) {if (this == obj) {return true;}if (obj instanceof JaasGrantedAuthority) {JaasGrantedAuthority jga = (JaasGrantedAuthority) obj;return this.role.equals(jga.role) && this.principal.equals(jga.principal);}return false;}@Overridepublic String toString() {return "Jaas Authority [" + role + "," + principal + "]";}
}
AuthorityGranter接口源码:
/*** AuthorityGranter接口用于将给定的主体映射到角色名称集合*/
public interface AuthorityGranter {/*** 根据主体映射到角色名称集合*/Set<String> grant(Principal principal);
}
JaasGrantedAuthority是一种用于Java 验证和授权服务(Java Authentication and Authorization Service,简称JAAS)场景下的授权实现,感兴趣可自行了解JAAS。
SwitchUserGrantedAuthority
SwitchUserGrantedAuthority类源码:
/*** SwitchUserFilter使用的自定义GrantedAuthority* 存储原始用户的Authentication对象,以便从退出用户切换时使用。*/
public final class SwitchUserGrantedAuthority implements GrantedAuthority {private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;private final String role;// 存储原始用户的Authentication对象private final Authentication source;public SwitchUserGrantedAuthority(String role, Authentication source) {Assert.notNull(role, "role cannot be null");Assert.notNull(source, "source cannot be null");this.role = role;this.source = source;}/*** 返回与成功的用户切换关联的原始用户*/public Authentication getSource() {return source;}@Overridepublic String getAuthority() {return role;}@Overridepublic int hashCode() {int result = this.role.hashCode();result = 31 * result + this.source.hashCode();return result;}// 判断role属性和source属性是否都equals@Overridepublic boolean equals(Object obj) {if (this == obj) {return true;}if (obj instanceof SwitchUserGrantedAuthority) {SwitchUserGrantedAuthority swa = (SwitchUserGrantedAuthority) obj;return this.role.equals(swa.role) && this.source.equals(swa.source);}return false;}@Overridepublic String toString() {return "Switch User Authority [" + role + "," + source + "]";}
}
该授权实现类似于Linux系统下用户之间的切换授权(使用su命令的权限),如下所示在Linux系统中添加kaven用户,然后从root用户切换到kaven用户(root用户有这个权限)。
root@48556522ad65:~# adduser kaven
Adding user `kaven' ...
Adding new group `kaven' (1000) ...
Adding new user `kaven' (1000) with group `kaven' ...
Creating home directory `/home/kaven' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for kaven
Enter the new value, or press ENTER for the defaultFull Name []: Room Number []: Work Phone []: Home Phone []: Other []:
Is the information correct? [Y/n] Y
root@48556522ad65:~# su kaven
kaven@48556522ad65:/root$
SwitchUserGrantedAuthority是SwitchUserFilter使用的自定义GrantedAuthority,SwitchUserFilter(用户切换处理过滤器)负责用户上下文切换,对于Spring Security管理的web应用程序,此过滤器类似于su命令,此功能的一个常见例子是能够允许更高权限的用户(如ROLE_ADMIN)切换到普通用户(如ROLE_USER)。Spring Security的过滤器以及如何将自定义的过滤器集成到Spring Security中,博主以后会进行介绍,这里只是了解即可。
所以,SwitchUserGrantedAuthority是一种用于用户切换场景下的授权实现,不仅存储了权限,还存储了原始用户的Authentication对象,即source属性,方便用户切换的退出。
kaven@48556522ad65:/root$ exit
exit
root@48556522ad65:~# exit
logout
Connection closing...Socket close.Connection closed by foreign host.Disconnected from remote host(predict) at 13:40:23.Type `help' to learn how to use Xshell prompt.
[C:\~]$
Spring Security的授权GrantedAuthority介绍就到这里,如果博主有说错的地方或者大家有不同的见解,欢迎大家评论补充。