Spring Security authorization control methods
This article introduces the ways in which Spring Security controls authorization; the details are as follows.
Using authorization methods for authorization configuration
Each Spring Security authorization expression (hereinafter "expression") has a corresponding authorization method in the API, which configures the permissions required for a request URL. For example:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers(HttpMethod.DELETE, "/user/*").hasRole("ADMIN")
        .antMatchers("/index").permitAll()
        .antMatchers("/pay").hasAnyRole("WE_CHAT_PAY", "ALI_PAY")
        .antMatchers("/debug").hasIpAddress("192.168.1.0/24");
}
```
Using an authorization expression to authorize a request that needs multiple permissions
So when are expressions needed? The permission requirements of a real application are often complex and varied. For example, the project's debug request should be allowed only for an administrator who is also on the internal LAN. The methods provided by the Security API alone cannot express this, because two authorization methods cannot be chained on the same matcher.
In this case, an authorization expression solves the problem:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/debug")
        .access("hasRole('ADMIN') and hasIpAddress('192.168.1.0/24')");
}
```
Authorization expression examples

| Expression | Description |
|---|---|
| permitAll | Always returns true. |
| denyAll | Always returns false. |
| anonymous | Returns true if the current user is anonymous. |
| rememberMe | Returns true if the current user was authenticated through remember-me. |
| authenticated | Returns true if the current user is not anonymous (i.e. is authenticated). |
| fullyAuthenticated | Returns true if the current user is neither anonymous nor a remember-me user. |
| hasRole(role) | Returns true if the current user's authority set contains the given role. The prefix "ROLE_" is added to the given name before matching, so hasRole('ADMIN') checks for the authority "ROLE_ADMIN". |
| hasAnyRole(role1, role2, ...) | Returns true if the current user has any one of the given roles. |
| hasAuthority(authority) | Returns true if the current user's authority set contains the given authority exactly (no prefix is added). |
| hasAnyAuthority(authority1, authority2, ...) | Returns true if the current user has any one of the given authorities. |
| hasIpAddress("192.168.1.0/24") | Returns true if the request's IP address matches the given address or CIDR range. |
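The following configuration is added here as an example; it is not code from the original article. It combines the authorization methods of the first section with several of the expressions in the table above, and assumes Spring Security 5.x with WebSecurityConfigurerAdapter. The two in-memory accounts are constructed only for trying the rules. The point it adds beyond the article is that rules are checked top to bottom and the first matching rule wins, so the catch-all anyRequest() rule must come last, and that roles("ADMIN") stores the authority as ROLE_ADMIN, which is exactly what hasRole('ADMIN') looks for.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@EnableWebSecurity
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Rules are evaluated in order and the first match wins: specific rules first.
            .antMatchers("/index", "/login").permitAll()
            .antMatchers(HttpMethod.DELETE, "/user/*").hasRole("ADMIN")
            .antMatchers("/pay").hasAnyRole("WE_CHAT_PAY", "ALI_PAY")
            // Two conditions on one URL need an expression; hasRole() adds the ROLE_ prefix itself.
            .antMatchers("/debug").access("hasRole('ADMIN') and hasIpAddress('192.168.1.0/24')")
            // A remember-me cookie is not enough here; the user must have logged in this session.
            .antMatchers("/account").fullyAuthenticated()
            // Deny-by-default catch-all: anything not listed above still needs an authenticated user.
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .rememberMe();
    }

    // Constructed in-memory accounts for exercising the rules; a real application reads users
    // from its own store (see the RBAC data model later in the article).
    @Bean
    public UserDetailsService demoUsers() {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        // roles("ADMIN") is stored as the authority ROLE_ADMIN
        manager.createUser(User.withUsername("alice")
            .password(encoder.encode("alice-pw")).roles("ADMIN").build());
        // bob can reach /pay through hasAnyRole, but not DELETE /user/* or /debug
        manager.createUser(User.withUsername("bob")
            .password(encoder.encode("bob-pw")).roles("ALI_PAY").build());
        return manager;
    }
}
```

With this configuration a request for, say, /reports from bob is refused by the anyRequest() rule only if he is not logged in; once authenticated he passes it, which is why the more restrictive, URL-specific rules must sit above the catch-all rather than below it.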
Role-Based Access Control (RBAC)
You may think that the methods above cover the authorization needs of most applications. In practice, however, enterprise application authorization is usually driven by data that changes in the database. Building these expressions by string concatenation is not only unfriendly to developers (every personnel change would mean a code change, which is clearly unreasonable) but also hurts application performance. So how can this be solved?
Data model
A general RBAC data model needs five tables: three entity tables (users, roles and resources) and two relationship tables (user-role and role-resource). The relationships between them are as follows:
RBAC Data Model
User table
Every user has a row in the account table. When the company's personnel change, business staff (such as Human Resources) add or remove rows.
Role table
Holds the company's roles, such as president, vice president and department manager; business staff maintain this table according to the company's actual structure.
Resource table
Stores the resources that require permission control. Although authorization is actually enforced by URL, business staff do not organize data by URL but by what they see in the user interface. This table therefore stores the menus, buttons and URLs under permission control in the form presented to business staff.
User-role relationship table
The user table and the role table have a many-to-many relationship (user id and role id). A user can have several roles (for example, both department manager and administrator), and a role usually belongs to several users.
Role-resource relationship table
The role table and the resource table also have a many-to-many relationship. A role can access several resources (such as buttons or menus), and a resource can be accessed by several roles.
Spring Security also supports custom expressions for this job, like this:
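The code below is an added example, not the article's own, of a custom expression backed by the RBAC data model described above. It assumes Spring Security 5.x and uses the bean-reference form of an expression, "@rbacService.hasPermission(request, authentication)", where request and authentication are variables exposed by the web expression root. The ResourceRepository interface and its in-memory implementation are hypothetical stand-ins for a query that joins the five RBAC tables (user, user-role, role, role-resource, resource); the usernames and URL patterns in it are constructed sample data.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;

/** Hypothetical lookup over the RBAC tables: user -> user_role -> role -> role_resource -> resource. */
interface ResourceRepository {
    /** URL patterns of every resource reachable through any of the user's roles. */
    Set<String> findUrlPatternsByUsername(String username);
}

/** Constructed in-memory stand-in for the database join, so the example runs without a schema. */
@Component
class InMemoryResourceRepository implements ResourceRepository {
    private final Map<String, Set<String>> patternsByUser = new HashMap<>();

    InMemoryResourceRepository() {
        // constructed sample data: alice's roles reach these resources, bob's reach fewer
        patternsByUser.put("alice", new HashSet<>(Arrays.asList("/user/**", "/debug", "/index")));
        patternsByUser.put("bob", new HashSet<>(Arrays.asList("/pay", "/index")));
    }

    @Override
    public Set<String> findUrlPatternsByUsername(String username) {
        return patternsByUser.getOrDefault(username, Collections.emptySet());
    }
}

/** Bean referenced by name ("rbacService") from the access expression. */
@Component("rbacService")
class RbacService {
    private final AntPathMatcher pathMatcher = new AntPathMatcher();
    private final ResourceRepository resourceRepository;

    RbacService(ResourceRepository resourceRepository) {
        this.resourceRepository = resourceRepository;
    }

    /** Evaluated per request; anything not explicitly granted by the resource data is denied. */
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        if (authentication == null || !(authentication.getPrincipal() instanceof UserDetails)) {
            return false; // the anonymous principal is the String "anonymousUser", not a UserDetails
        }
        String username = ((UserDetails) authentication.getPrincipal()).getUsername();
        String path = request.getRequestURI(); // includes the context path, if the app has one
        for (String pattern : resourceRepository.findUrlPatternsByUsername(username)) {
            if (pathMatcher.match(pattern, path)) {
                return true;
            }
        }
        return false;
    }
}

@EnableWebSecurity
class RbacSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login").permitAll()
            // every other URL is decided by the resource data, not by rules compiled into the code
            .anyRequest().access("@rbacService.hasPermission(request, authentication)")
            .and()
            .formLogin();
    }
}
```

Because the decision is made from the role-resource data at request time, a personnel or permission change is a row update rather than a code change; the per-request query is the cost of that flexibility, so a real implementation would cache the pattern set per user or per role and invalidate it when the relationship tables change.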
That is all for this article. I hope it is helpful for your study, and thank you for your support.