cangxiaowu / oauth2-example Goto Github PK
View Code? Open in Web Editor NEWThe Example Of Spring Cloud Security
oauth2-example's People
Contributors
Stargazers
Forkers
kevin-lu robertyang1024 zhulianhai sxyseo davency liufei1988 cole2295 ibyxz q9542958 taot168 kicy lehuai aidou-comoauth2-example's Issues
看了gitchat后的几个疑问
您好,我看了您在gitchat写的文章后,有几个疑问,希望您能抽空解答一下,
1,关于spring security的权限问题,
文章里说
Spring Security 提供了四种制定权限访问的接口,分别是:
hasRole(String role) 表示具备某种角色才可访问;
hasAnyRole(String ...roles) 表示具备其中任意角色即可访问;
hasAuthority(String authority) 表示具备某种权限才可访问;
hasAnyAuthority(String ...authorities) 表示具备其中任意权限即可访问。
然后,在资源服务器中控制接口访问权限的配置如下:
@Override
public void configure(HttpSecurity http) throws Exception {
// 配置资源服务器的拦截规则
http.
sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.and()
.requestMatchers().anyRequest()
.and()
.anonymous()
.and()
.authorizeRequests()
.antMatchers("/user/**").authenticated() // /user/** 端点的访问必须要验证后
.antMatchers("/user/**").access("hasRole('ADMIN') or hasAuthority('See_Info')") // /user/** 端点的访问需要具备ADMIN的身份或者具备See_Info的权限
.and()
.exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
}我的疑问是:
这个configure里面用HttpSecurity配置/user/**等接口的权限的代码可以动态修改吗?
比如我配合一个后台管理系统的话,最近又有个活动,我需要把这个user接口的权限弄得严格一些,然后我动态的修改,这个能否行得通?还有业内一般的动态的控制权限是怎么控制的?
当然,我知道有种控制权限的方案是这样的:
HttpSecurity配置接口这块代码不动,比如/user/**接口 需要什么权限什么角色,先确定好,然后写在代码里,比如:
.antMatchers("/user/**").authenticated() // /user/** 端点的访问必须要验证后
.antMatchers("/user/**").access("hasRole('ADMIN') or hasAuthority('b61d9b91-2fbc-4112-98da-983cd1d94e06')") //角色是ADMIN,权限是一个uuid
然后,在用户权限这块,动态的去授权,
// WebSecurityConfigurerAdapter.java
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// 在内存中配置两个用户
InMemoryUserDetailsManager userDetailsManager = new InMemoryUserDetailsManager();
userDetailsManager.createUser(User
.withUsername("user1")
.password("123456")
.authorities("ROLE_ADMIN", "b61d9b91-2fbc-4112-98da-983cd1d94e06") // 设置user1的角色为ADMIN,具备b61d9b91-2fbc-4112-98da-983cd1d94e06权限
.build());
userDetailsManager.createUser(User
.withUsername("user2")
.password("123456")
.authorities("ROLE_USER") // 设置user2的角色为USER,不具备额外的权限
.build());
auth.userDetailsService(userDetailsManager);
}
这段代码是在内存中默认配置好的用户,我知道可以把它换成从数据库中获取用户及用户的权限信息,既然存在数据库中,那就可以动态修改了,就可以配合一个后台管理系统去根据需要给用户设置权限,比如:现在有个人“张三”,我需要他能访问/user/**接口,那我就给他ADMIN角色和b61d9b91-2fbc-4112-98da-983cd1d94e06权限,然后张三过来访问接口的时候,去数据库查到他有这些权限,就让他访问,后面不需要了,就移除他的权限。
但是这样的话,/user/**接口设置能访问的角色时就要小心,比如配置ADMIN能访问,后面如果由于业务需要,要减少ADMIN的权利,不让访问了,那就需要修改代码了。这种方案可行性怎么样?还有,一般业界的这种架构是怎样?(其实我就想知道大家都是怎么用spring security 的 ...)
2,scope的作用
.scopes("all")// 允许请求范围
配置token的时候有个scope,这个到底是做什么用的?在代码里没有看到,在网上好像也没有人讲清楚的,都是抄过来抄过去。还有scope里面的“all”是自己随便写的吗?我看到有的示例代码里还有“read”“write”等,假如我限制为“read”,那在哪里起作用的呢?在代码哪里做的判断?
啰嗦了很多,非常希望能被解答
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.