Java Spring、@RolesAllowed和数据库来保护页面
我的数据库中有两个选项卡。用户和用户角色Java Spring、@RolesAllowed和数据库来保护页面,java,spring,spring-security,Java,Spring,Spring Security,我的数据库中有两个选项卡。用户和用户角色 CREATE TABLE `user` ( `username` varchar(50) NOT NULL, `password` varchar(255) NOT NULL, `enable` tinyint(4) NOT NULL DEFAULT '1', PRIMARY KEY (`username`), UNIQUE KEY `unique_username` (`username`) ) ENGINE=InnoDB DEFA
CREATE TABLE `user` (
`username` varchar(50) NOT NULL,
`password` varchar(255) NOT NULL,
`enable` tinyint(4) NOT NULL DEFAULT '1',
PRIMARY KEY (`username`),
UNIQUE KEY `unique_username` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1
CREATE TABLE `user_roles` (
`user_role_id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(45) NOT NULL,
`ROLE` varchar(45) NOT NULL,
PRIMARY KEY (`user_role_id`),
UNIQUE KEY `uni_username_role` (`ROLE`,`username`),
KEY `fk_username_idx` (`username`),
CONSTRAINT `fk_username` FOREIGN KEY (`username`) REFERENCES `user` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1
用户角色中的“角色”显示用户拥有的角色{ROLE\u user,ROLE\u ADMIN}
我想使用@RolesAllowed来拒绝用户对某些页面的访问(并授予管理员访问权限),但我不知道如何从数据库中获取user_角色并将其发送给RolesAllowed
获取控制器中的用户角色不是问题,但我认为检查每个函数中的用户角色不是一个好主意
或者,也许有比使用@RolesAllowed更好的解决方案
很抱歉问了这个愚蠢的问题,这是我第一次看到春天的5个小时 您没有详细介绍正在构建的应用程序的体系结构,但作为初学者,我可以给您一些我当前正在构建的应用程序的示例。我正在使用SpringBoot、JPA、SpringData和SpringSecurity。我有一个类似的要求,并这样解决: 我已经实现了UserDetailsService接口。它用于检索有关试图登录的用户的信息。当我使用JPA和Spring数据时,服务和模型类看起来像这样(为了简洁起见,删除了getter、setter和大多数字段):
@Entity
// in your case this would map to the User table
public class Profile implements UserDetails {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Integer id;
// you should probably use bean validation / jpa to assure uniqueness etc.
private String name;
...
@ElementCollection(fetch = FetchType.EAGER)
private Set<Role> roles = ImmutableSet.<Role> of(new Role("USER"));
...
}
@Embeddable
// in your case this would map to the user_role table
public class Role implements GrantedAuthority {
public final static Role USER = new Role("USER");
public final static Role ADMIN = new Role("ADMIN");
private String authority;
...
}
@Transactional
@Service
public class ProfileService implements UserDetailsService {
private final ProfileRepository profileRepository;
@Autowired
public ProfileService(ProfileRepository profileRepository){
this.profileRepository = profileRepository;
}
public Profile loadUserByUsername(String username) throws UsernameNotFoundException {
Profile profile = profileRepository.findByUsername(username);
// this is the only way to authenticate
if (profile == null) {
throw new UsernameNotFoundException("security.userNotFound");
}
return profile;
}
// you may want to add profile creation etc.
...
}
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private ProfileService profileService;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.userDetailsService(profileService).passwordEncoder(passwordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin()
.loginPage("/login")
.permitAll()
.and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/**")
.authenticated()
...
// you may want to put more config here
}
}