什么是 RBAC 模型?
基于角色的权限访问控制(Role-Based Access Control)作为传统访问控制(自主访问,强制访问)的有前景的代替受到广泛的关注。在 RBAC 中,权限与角色相关联,用户通过成为适当角色的成员而得到这些角色的权限。这就极大地简化了权限的管理。
在企业内部的权限管理系统中,大部分都是使用 RBAC 模型来搭建权限访问控制系统的。一般的做法是:将用户授予某些角色,而这些角色被分配一些权限,从而让用户登录的时候,可以获取这些权限。
OK,我们开始学习。
1、创建数据库
/*
Navicat Premium Data Transfer
Source Server : localhost-5.7-3306
Source Server Type : MySQL
Source Server Version : 50725
Source Host : 127.0.0.1:3306
Source Schema : study_security
Target Server Type : MySQL
Target Server Version : 50725
File Encoding : 65001
Date: 31/05/2021 18:25:49
*/
SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;
-- ----------------------------
-- Table structure for rel_role_per
-- ----------------------------
DROP TABLE IF EXISTS `rel_role_per`;
CREATE TABLE `rel_role_per` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT '主键ID',
`role_id` int(11) NULL DEFAULT NULL COMMENT '角色ID,参考表:t_role 主键',
`per_id` int(11) NULL DEFAULT NULL COMMENT '权限ID,参考表:t_permission 主键',
PRIMARY KEY (`id`) USING BTREE,
INDEX `role_id`(`role_id`) USING BTREE,
INDEX `per_id`(`per_id`) USING BTREE,
CONSTRAINT `rel_role_per_ibfk_1` FOREIGN KEY (`role_id`) REFERENCES `t_role` (`id`) ON DELETE RESTRICT ON UPDATE RESTRICT,
CONSTRAINT `rel_role_per_ibfk_2` FOREIGN KEY (`per_id`) REFERENCES `t_permission` (`id`) ON DELETE RESTRICT ON UPDATE RESTRICT
) ENGINE = InnoDB AUTO_INCREMENT = 6 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci COMMENT = '角色-权限关联表' ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of rel_role_per
-- ----------------------------
INSERT INTO `rel_role_per` VALUES (1, 1, 1);
INSERT INTO `rel_role_per` VALUES (2, 1, 2);
INSERT INTO `rel_role_per` VALUES (3, 1, 3);
INSERT INTO `rel_role_per` VALUES (4, 1, 4);
INSERT INTO `rel_role_per` VALUES (5, 2, 1);
-- ----------------------------
-- Table structure for rel_user_role
-- ----------------------------
DROP TABLE IF EXISTS `rel_user_role`;
CREATE TABLE `rel_user_role` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT '主键ID',
`user_id` int(11) NULL DEFAULT NULL COMMENT '用户ID,参考表:t_user 主键',
`role_id` int(11) NULL DEFAULT NULL COMMENT '角色ID,参考表:t_role 主键',
PRIMARY KEY (`id`) USING BTREE,
INDEX `role_id`(`role_id`) USING BTREE,
INDEX `user_id`(`user_id`) USING BTREE,
CONSTRAINT `rel_user_role_ibfk_2` FOREIGN KEY (`role_id`) REFERENCES `t_role` (`id`) ON DELETE RESTRICT ON UPDATE RESTRICT,
CONSTRAINT `rel_user_role_ibfk_3` FOREIGN KEY (`user_id`) REFERENCES `t_user` (`id`) ON DELETE RESTRICT ON UPDATE RESTRICT
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci COMMENT = '用户-角色关联表' ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of rel_user_role
-- ----------------------------
INSERT INTO `rel_user_role` VALUES (1, 1, 1);
INSERT INTO `rel_user_role` VALUES (2, 2, 2);
-- ----------------------------
-- Table structure for t_permission
-- ----------------------------
DROP TABLE IF EXISTS `t_permission`;
CREATE TABLE `t_permission` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT '主键ID,也是权限ID',
`permission_name` varchar(50) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '权限名称',
`permission_tag` varchar(50) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '权限标识',
`url` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '请求URL',
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 5 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci COMMENT = '权限表' ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of t_permission
-- ----------------------------
INSERT INTO `t_permission` VALUES (1, '查询用户', 'showUser', '/showUser');
INSERT INTO `t_permission` VALUES (2, '添加用户', 'addUser', '/addUser');
INSERT INTO `t_permission` VALUES (3, '修改用户', 'updateUser', '/updateUser');
INSERT INTO `t_permission` VALUES (4, '删除用户', 'deleteUser', '/deleteUser');
-- ----------------------------
-- Table structure for t_role
-- ----------------------------
DROP TABLE IF EXISTS `t_role`;
CREATE TABLE `t_role` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT '主键ID,也是角色ID',
`role_name` varchar(50) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '角色名称',
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci COMMENT = '角色表' ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of t_role
-- ----------------------------
INSERT INTO `t_role` VALUES (1, '管理员');
INSERT INTO `t_role` VALUES (2, '普通用户');
-- ----------------------------
-- Table structure for t_user
-- ----------------------------
DROP TABLE IF EXISTS `t_user`;
CREATE TABLE `t_user` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT '主键ID,也是用户ID',
`username` varchar(50) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '用户名',
`password` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '密码',
`enabled` bit(1) NULL DEFAULT b'1' COMMENT '是否生效,1=true,0=false',
`account_non_expired` bit(1) NULL DEFAULT b'1' COMMENT '是否未过期,1=true,0=false',
`account_non_locked` bit(1) NULL DEFAULT b'1' COMMENT '是否未锁定,1=true,0=false',
`credentials_non_expired` bit(1) NULL DEFAULT b'1' COMMENT '证书是否未过期,1=true,0=false',
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci COMMENT = '用户表' ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of t_user
-- ----------------------------
INSERT INTO `t_user` VALUES (1, 'admin', '123456', b'1', b'1', b'1', b'1');
INSERT INTO `t_user` VALUES (2, 'user', '250cf8b51c773f3f8dc8b4be867a9a02', b'1', b'1', b'1', b'1');
SET FOREIGN_KEY_CHECKS = 1;
说明:RBAC 权限控制主要有5张表(当然可以更多,这里只列出核心内容):用户表 t_user,角色表 t_role,权限表:t_permission,用户-角色关联表:rel_user_role,角色-权限关联表:rel_role_per。并初始化了一些测试数据:用户 admin 的密码是 MD5 加密的123,user的密码是456的MD5加密。5张表的关系如下:
说明:t_user 的字段信息要跟 SpringSecurity 的对应,对应的实体类是:org.springframework.security.core.userdetails
2、修改代码
在工程 pom.xml 增加 mybatis 依赖,完整配置如下:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.study.security</groupId>
<artifactId>study-security</artifactId>
<version>1.0-SNAPSHOT</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.2.2.RELEASE</version>
</parent>
<dependencies>
<!--Spring boot 集成包-->
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
</dependency>
<!-- SpringBoot整合Web组件 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<!-- springboot整合freemarker -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-freemarker</artifactId>
</dependency>
<!-->spring-boot 整合security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- 阿里巴巴的druid数据库连接池 -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-starter</artifactId>
<version>1.1.20</version>
</dependency>
<!-- 该 starter 会扫描配置文件中的 DataSource,然后自动创建使用该 DataSource 的 SqlSessionFactoryBean,并注册到 Spring 上下文中 -->
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.0.0</version>
</dependency>
<!-- 数据库MySQL 依赖包 -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.48</version>
</dependency>
<!-- mybatis 依赖包 -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
<version>3.4.6</version>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>Hoxton.SR2</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<!-- 注意: 这里必须要添加, 否者各种依赖有问题 -->
<repositories>
<repository>
<id>spring-milestones</id>
<name>Spring Milestones</name>
<url>https://repo.spring.io/libs-milestone</url>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
</repositories>
</project>
我们造登录模块,让用户名和密码从数据库中获取,而不是写固定。并且权限也是从数据库中读取,不是写固定。
mybatis 的 mapper 文件:
UserEntityMapper.xml 代码
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.study.dao.UserMapper">
<resultMap id="BaseResultMap" type="com.study.entity.UserEntity">
<id column="id" jdbcType="INTEGER" property="id" />
<result column="username" jdbcType="VARCHAR" property="username" />
<result column="password" jdbcType="VARCHAR" property="password" />
<result column="enabled" jdbcType="BIT" property="enabled" />
<result column="account_non_expired" jdbcType="BIT" property="accountNonExpired" />
<result column="account_non_locked" jdbcType="BIT" property="accountNonLocked" />
<result column="credentials_non_expired" jdbcType="BIT" property="credentialsNonExpired" />
</resultMap>
<!-- 根据用户名查询数据 -->
<select id="getByUsername" parameterType="java.lang.String" resultMap="BaseResultMap">
select *
from t_user
where username = #{username,jdbcType=INTEGER}
</select>
</mapper>
其它 xml 文件可以下载代码,这里不赘述。
application.yml 配置文件增加 mybatis 配置:
server:
port: 80
# 将SpringBoot项目作为单实例部署调试时,不需要注册到注册中心
eureka:
client:
fetch-registry: false
register-with-eureka: false
spring:
application:
name: security-server
# 配置freemarker
freemarker:
# 设置模板后缀名
suffix: .ftl
# 设置文档类型
content-type: text/html
# 设置页面编码格式
charset: UTF-8
# 设置页面缓存
cache: false
# 设置ftl文件路径
template-loader-path:
- classpath:/templates
# 设置静态文件路径,js,css等
mvc:
static-path-pattern: /static/**
datasource:
# 使用阿里巴巴的 druid 数据源
druid:
driver-class-name: com.mysql.jdbc.Driver
url: jdbc:mysql://localhost:3306/study_security?characterEncoding=utf-8
username: root
password: root
# mybatis 配置
mybatis:
# Mybatis扫描的mapper文件
mapper-locations: classpath:mapper/*.xml
这里主要说一下 UserEntity 实体,需要实现 org.springframework.security.core.userdetails.UserDetails 接口,因此需要一些额外字段:
package com.study.entity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.ArrayList;
import java.util.List;
/**
* @author biandan
* @description 用户实体类,需要实现 UserDetails 接口
* @signature 让天下没有难写的代码
* @create 2021-05-31 下午 12:43
*/
public class UserEntity implements UserDetails {
private Integer id;
//用户名
private String username;
//密码
private String password;
//用户所有权限集合
private List<GrantedAuthority> authorities = new ArrayList<>();
//是否生效,1=true,0=false
private boolean enabled;
//是否未过期,1=true,0=false
private boolean accountNonExpired;
//是否未锁定,1=true,0=false
private boolean accountNonLocked;
//证书是否未过期,1=true,0=false
private boolean credentialsNonExpired;
public Integer getId() {
return id;
}
public void setId(Integer id) {
this.id = id;
}
@Override
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
@Override
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
@Override
public List<GrantedAuthority> getAuthorities() {
return authorities;
}
public void setAuthorities(List<GrantedAuthority> authorities) {
this.authorities = authorities;
}
@Override
public boolean isEnabled() {
return enabled;
}
public void setEnabled(boolean enabled) {
this.enabled = enabled;
}
@Override
public boolean isAccountNonExpired() {
return accountNonExpired;
}
public void setAccountNonExpired(boolean accountNonExpired) {
this.accountNonExpired = accountNonExpired;
}
@Override
public boolean isAccountNonLocked() {
return accountNonLocked;
}
public void setAccountNonLocked(boolean accountNonLocked) {
this.accountNonLocked = accountNonLocked;
}
@Override
public boolean isCredentialsNonExpired() {
return credentialsNonExpired;
}
public void setCredentialsNonExpired(boolean credentialsNonExpired) {
this.credentialsNonExpired = credentialsNonExpired;
}
}
在 service 包下创建类:MyUserDetailService,代码如下。主要是用于获取用户信息、用户权限的接口,需要实现 org.springframework.security.core.userdetails.UserDetailsService 接口:
package com.study.service;
import com.study.dao.PermissionMapper;
import com.study.dao.RelRolePerMapper;
import com.study.dao.RelUserRoleMapper;
import com.study.dao.UserMapper;
import com.study.entity.PermissionEntity;
import com.study.entity.RelRolePerEntity;
import com.study.entity.RelUserRoleEntity;
import com.study.entity.UserEntity;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
/**
* @author biandan
* @description
* @signature 让天下没有难写的代码
* @create 2021-05-09 下午 2:45
*/
@Component
public class MyUserDetailService implements UserDetailsService {
@Autowired
private UserMapper userMapper;
@Autowired
private RelUserRoleMapper relUserRoleMapper;
@Autowired
private RelRolePerMapper relRolePerMapper;
@Autowired
private PermissionMapper permissionMapper;
/**
* 查询用户信息,并返回给 security 需要的用户对象
* @param username
* @return
* @throws UsernameNotFoundException
*/
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
UserEntity userEntity = userMapper.getByUsername(username);
if(null == userEntity){
return null;
}
//根据用户信息,查询对应的权限
List<GrantedAuthority> authorityList = new ArrayList<>();
//先查询用户拥有的角色
List<RelUserRoleEntity> userRoleList = relUserRoleMapper.getAllByUserId(userEntity.getId());
//根据角色id,查询对应权限
System.out.println("用户名:"+userEntity.getUsername());
System.out.println("拥有权限:");
for (RelUserRoleEntity userRoleEntity : userRoleList) {
List<RelRolePerEntity> rolePerList = relRolePerMapper.getAllByRoleId(userRoleEntity.getRoleId());
//根据权限ID查询权限信息
for(RelRolePerEntity relRolePerEntity : rolePerList){
PermissionEntity permissionEntity = permissionMapper.getById(relRolePerEntity.getPerId());
System.out.println("["+permissionEntity.getPermissionName()+","+permissionEntity.getPermissionTag()+"]");
//添加到用户权限集合里
authorityList.add(new SimpleGrantedAuthority(permissionEntity.getPermissionTag()));
}
}
// 设置用户权限
userEntity.setAuthorities(authorityList);
return userEntity;
}
}
SecurityConfig 如下:
package com.study.config;
import com.study.dao.PermissionMapper;
import com.study.entity.PermissionEntity;
import com.study.handler.MyAuthenticationFailureHandler;
import com.study.handler.MyAuthenticationSuccessHandler;
import com.study.service.MyUserDetailService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.util.DigestUtils;
import java.util.List;
/**
* @author biandan
* @description
* @signature 让天下没有难写的代码
* @create 2021-05-30 下午 9:38
*/
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private MyAuthenticationSuccessHandler successHandler;
@Autowired
private MyAuthenticationFailureHandler failureHandler;
@Autowired
private MyUserDetailService myUserDetailService;
@Autowired
private PermissionMapper permissionMapper;
// 配置认证用户信息和权限
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//从数据库中获取数据,并校验密码是否一致
auth.userDetailsService(myUserDetailService).passwordEncoder(new PasswordEncoder() {
//重写加密方法
@Override
public String encode(CharSequence charSequence) {
System.out.println("encode charSequence=" + charSequence);
String md5Pwd = DigestUtils.md5DigestAsHex(((String) charSequence).getBytes());
return md5Pwd;
}
/**
* 判断密码是否匹配
* @param charSequence 请求的密码
* @param sqlPwd 数据库密码
* @return
*/
@Override
public boolean matches(CharSequence charSequence, String sqlPwd) {
System.out.println("matches charSequence=" + charSequence + ";sqlPwd=" + sqlPwd);
String reqPwd = encode(charSequence);
boolean result = reqPwd.equals(sqlPwd);
return result;//只有返回 true 的情况才会验证成功
}
});
}
// 配置拦截请求资源
@Override
protected void configure(HttpSecurity http) throws Exception {
// 如何权限控制:给每一个请求路径,分配一个权限名称,然后账号只要关联该名称,就可以有访问权限。
//查询所有的权限数据
List<PermissionEntity> permissionList = permissionMapper.findALl();
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry
authorizeRequests = http.authorizeRequests();
for(PermissionEntity entity : permissionList){
authorizeRequests.antMatchers(entity.getUrl()).hasAnyAuthority(entity.getPermissionTag());
}
authorizeRequests.antMatchers("/login").permitAll()
.antMatchers("/**").fullyAuthenticated().and()
.formLogin()
.loginPage("/login")
.successHandler(successHandler).failureHandler(failureHandler)
.and().csrf().disable();
}
}
OK,重启服务。浏览器输入:http://127.0.0.1/
后台控制台输出:
实际的管理项目中,我们为了提高相应速度和安全性,通常把用户的权限信息加载到 Redis,从 Redis 里读取,会比从数据库读取更快、更安全。Gateway 通常不要直接连数据库。比较合理的做法是:
统一权限管理平台,通过定时任务或者手动触发的方式将数据存入 Redis 缓存,Gateway 微服务再从 Redis 里将数据读取到内存(如使用 Ehcache 缓存)。而且一般来说,权限控制这块逻辑代码,写到 Gateway 网关上做统一认证,业务的微服务只需要专注于业务处理即可。从 Gateway 将用户的信息传递到业务微服务,微服务再去 Redis 里获取用户信息。