spring security对oauth2.0支持比较强
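07、basicAuth
1、创建父工程管理maven依赖版本
2、创建子工程
3、创建启动类
RBAC模型
/**
 * Reports whether this user has been granted the named resource.
 *
 * @param resource resource name to look up
 * @return {@code true} only if at least one of this user's resource beans has exactly
 *         that name; {@code false} when no resource list has been assigned
 */
public boolean havePermission(String resource){
    // Fail closed: a user whose resource list was never set (for example one that is
    // deliberately given no permissions) is denied instead of raising a NullPointerException.
    if(this.resourceBeans==null){
        return false;
    }
    // anyMatch stops at the first hit instead of counting every matching entry.
    return this.resourceBeans.stream()
            .anyMatch(resourceBean->resourceBean.getResourceName().equals(resource));
}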
RoleBean
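/**
 * Role entry of the RBAC model: an identifier, a display name and the resources
 * attached to the role.
 */
public class RoleBean{
    private String roleId;
    private String roleName;
    // Raw List kept as written on the page; the element type is not shown here.
    // NOTE(review): constructors and accessors are not part of this listing, although
    // other snippets on the page call a two-argument constructor — confirm how they are generated.
    private List resources;
}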
MobileController
/**
 * Exposes the "mobile" resource under the /mobile prefix.
 *
 * The controller performs no access check of its own; on this page the decision for
 * /mobile/ paths is made in AuthInterceptor.preHandle before the handler runs.
 */
@RestController
@RequestMapping("/mobile")
public class MobileController {

    /** Handles GET /mobile/query and answers with the literal body "mobile". */
    @GetMapping("/query")
    public String query() {
        final String body = "mobile";
        return body;
    }
}
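/**
 * Authenticates the submitted credentials and, on success, binds the user to the HTTP session.
 *
 * @param loginUser credentials bound from the request
 * @param request current request, used to reach the session
 * @return the authenticated user, or {@code null} when authService returns no user
 */
@PostMapping("/login")
public UserBean login(UserBean loginUser,HttpServletRequest request){
    UserBean user=authService.userLogin(loginUser);
    if(user==null){
        // The original logged this line unconditionally, so every successful login
        // also produced a "failed" entry and the log could not be used to spot failures.
        logger.info("user login failed");
        return null;
    }
    // Issue a fresh session id at the privilege change so an id handed out before
    // authentication cannot be reused afterwards (session fixation).
    if(request.getSession(false)!=null){
        request.changeSessionId();
    }
    // Keep the authenticated user in the session.
    request.getSession().setAttribute(MyConstants.FLAG_CURRENTUSER,user);
    logger.info("user login succeed");
    // NOTE(review): the whole UserBean is stored and returned; the sample users on this
    // page carry a userPass value, so the password presumably travels back in the
    // response body — confirm and return a view without credentials.
    return user;
}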
/**
 * Returns the object stored in the session under MyConstants.FLAG_CURRENTUSER.
 *
 * @param session the caller's HTTP session
 * @return the stored attribute, or {@code null} when nothing is stored under that key
 */
@PostMapping("/getCurrentUser")
public Object getCurrentUser(HttpSession session){
    final Object currentUser=session.getAttribute(MyConstants.FLAG_CURRENTUSER);
    // NOTE(review): login stores the complete UserBean under this key, so this endpoint
    // presumably serializes every field of it, including the password — confirm.
    return currentUser;
}
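/**
 * Ends the caller's login.
 *
 * The mapping "/loginout" is kept exactly as written because clients call it by that path.
 *
 * @param session the caller's HTTP session
 */
@PostMapping("/loginout")
public void logout(HttpSession session){
    // Invalidate the whole session rather than only removing the user attribute:
    // removing one attribute leaves the session id valid and any other session state
    // in place after the user has logged out.
    session.invalidate();
}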
// Sample role for the demo data. The arguments presumably map to (roleId, roleName),
// following RoleBean's field order — the constructor itself is not shown on this page.
RoleBean adminRole=new RoleBean("1","mobile");
这里挺有意思,不给worker用户添加任何权限
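// Demo accounts for the RBAC walkthrough. The "userId:", "userName:" and "userPass:"
// labels in the original listing were IDE parameter-name hints, not Java syntax, and
// are dropped so the statements compile.
// NOTE(review): each password equals its user name and is kept in plain text; that is
// acceptable only as tutorial data. A real user store should hold salted, adaptive
// password hashes (bcrypt, scrypt or argon2) and never ship fixed credentials.
UserBean user1=new UserBean("1","admin","admin");
user1.setUserRoles(adminRoles);
user1.setResourceBeans(adminResources);
UserBean user2=new UserBean("2","manager","manager");
user2.setUserRoles(managerRoles);
user2.setResourceBeans(managerResources);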
//todo:定义常量类作用是什么
/**
 * Shared string constants, so that the code writing a session attribute and the code
 * reading it use the same key.
 *
 * NOTE(review): AuthInterceptor on this page also reads RESOURCE_COMMON, RESOURCE_MOBILE
 * and RESOURCE_SALARY from this class; they are not part of this listing.
 */
public class MyConstants {

    /** Session attribute key under which the logged-in user is stored. */
    public static final String FLAG_CURRENTUSER = "currentUser";
}
//添加拦截器对权限进行控制
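/**
 * Session-based access check that runs before every handler.
 *
 * Order of decisions: public paths pass, requests without a logged-in user are
 * answered with 401, logged-in users pass only for a resource they hold, and
 * everything else is answered with 403 (default deny).
 *
 * Typos in the original listing are corrected here: @Compoment, HandlerInterceptroAdapter,
 * Onject, getzSession(), getWrite() and a mangled "&&currentUser".
 */
@Component
public class AuthInterceptor extends HandlerInterceptorAdapter{

    /**
     * @param request current request
     * @param response current response, written to when access is refused
     * @param handler the chosen handler (unused)
     * @return {@code true} to continue to the handler, {@code false} when a refusal was written
     * @throws Exception if the refusal message cannot be written
     */
    @Override
    public boolean preHandle(HttpServletRequest request,HttpServletResponse response,Object handler) throws Exception{
        // Reconstructed: the listing used requestURI without declaring it.
        // NOTE(review): getRequestURI() is the raw, undecoded path and includes any
        // context path; prefix checks are more dependable on the path the dispatcher
        // actually matches — confirm which value the original code used.
        String requestURI=request.getRequestURI();
        boolean mobilePath=requestURI.startsWith("/"+MyConstants.RESOURCE_MOBILE+"/");
        boolean salaryPath=requestURI.startsWith("/"+MyConstants.RESOURCE_SALARY+"/");

        // 1. Paths that need no login. The original let any URI containing "." through
        // before looking at the resource prefix, so a protected path with a dot in it
        // skipped both the login check and the permission check. The static-file
        // exemption is therefore limited to paths outside the protected prefixes.
        if(!mobilePath&&!salaryPath
                &&(requestURI.contains(".")||requestURI.startsWith("/"+MyConstants.RESOURCE_COMMON+"/"))){
            return true;
        }

        // 2. No logged-in user: refuse.
        Object sessionUser=request.getSession().getAttribute(MyConstants.FLAG_CURRENTUSER);
        if(sessionUser==null){
            return reject(response,HttpServletResponse.SC_UNAUTHORIZED,"please login first");
        }

        // 3. Logged-in user: allow only a resource the user holds.
        UserBean currentUser=(UserBean)sessionUser;
        if(mobilePath&&currentUser.havePermission(MyConstants.RESOURCE_MOBILE)){
            return true;
        }
        if(salaryPath&&currentUser.havePermission(MyConstants.RESOURCE_SALARY)){
            return true;
        }
        return reject(response,HttpServletResponse.SC_FORBIDDEN,"no auth to visit");
    }

    /**
     * Writes a refusal and stops the handler chain. The status code is set so that
     * clients, proxies and monitoring do not see a refusal as a 200 response.
     */
    private boolean reject(HttpServletResponse response,int status,String message) throws Exception{
        response.setStatus(status);
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(message);
        return false;
    }
}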
08、项目搭建
1、调整依赖
2、创建启动类
/**
 * Boot entry point for the Spring Security sample; the class carries both the
 * Spring Boot application annotation and {@code @EnableWebSecurity}.
 */
@SpringBootApplication
@EnableWebSecurity
public class SpringBootSecurityApplication {

    /**
     * Starts the application with this class as the primary source.
     *
     * @param args command-line arguments, passed through unchanged
     */
    public static void main(String[] args) {
        final Class<?> primarySource = SpringBootSecurityApplication.class;
        SpringApplication.run(primarySource, args);
    }
}
3、添加配置文件
server.port=8080
spring.application.name=security-springboot
4、直接跳转到登录页
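只是添加了一个注解,就引入了对接口的保护(在 Spring Boot 中,这种默认保护实际上来自类路径上的 Spring Security 自动配置)。
默认创建了一个密码:默认用户名为 user,密码在每次启动时随机生成并打印在启动日志中,只适合本地调试,正式环境应配置自己的用户来源。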



