Java Spring、@RolesAllowed和数据库来保护页面_Java_Spring_Spring Security

Java Spring、@RolesAllowed和数据库来保护页面

java spring spring-security

Java Spring、@RolesAllowed和数据库来保护页面,java,spring,spring-security,Java,Spring,Spring Security,我的数据库中有两个选项卡。用户和用户角色 CREATE TABLE `user` ( `username` varchar(50) NOT NULL, `password` varchar(255) NOT NULL, `enable` tinyint(4) NOT NULL DEFAULT '1', PRIMARY KEY (`username`), UNIQUE KEY `unique_username` (`username`) ) ENGINE=InnoDB DEFA

我的数据库中有两个选项卡。用户和用户角色

CREATE TABLE `user` (
  `username` varchar(50) NOT NULL,
  `password` varchar(255) NOT NULL,
  `enable` tinyint(4) NOT NULL DEFAULT '1',
  PRIMARY KEY (`username`),
  UNIQUE KEY `unique_username` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1

CREATE TABLE `user_roles` (
  `user_role_id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(45) NOT NULL,
  `ROLE` varchar(45) NOT NULL,
  PRIMARY KEY (`user_role_id`),
  UNIQUE KEY `uni_username_role` (`ROLE`,`username`),
  KEY `fk_username_idx` (`username`),
  CONSTRAINT `fk_username` FOREIGN KEY (`username`) REFERENCES `user` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1

用户角色中的“角色”显示用户拥有的角色{ROLE\u user，ROLE\u ADMIN}

我想使用@RolesAllowed来拒绝用户对某些页面的访问（并授予管理员访问权限），但我不知道如何从数据库中获取user_角色并将其发送给RolesAllowed

获取控制器中的用户角色不是问题，但我认为检查每个函数中的用户角色不是一个好主意

或者，也许有比使用@RolesAllowed更好的解决方案

很抱歉问了这个愚蠢的问题，这是我第一次看到春天的5个小时

您没有详细介绍正在构建的应用程序的体系结构，但作为初学者，我可以给您一些我当前正在构建的应用程序的示例。我正在使用SpringBoot、JPA、SpringData和SpringSecurity。我有一个类似的要求，并这样解决：

我已经实现了UserDetailsService接口。它用于检索有关试图登录的用户的信息。当我使用JPA和Spring数据时，服务和模型类看起来像这样（为了简洁起见，删除了getter、setter和大多数字段）：

@Entity
// in your case this would map to the User table
public class Profile implements UserDetails {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Integer id;

    // you should probably use bean validation / jpa to assure uniqueness etc.
    private String name;
    ...

    @ElementCollection(fetch = FetchType.EAGER)
    private Set<Role> roles = ImmutableSet.<Role> of(new Role("USER"));
    ...
}

@Embeddable
// in your case this would map to the user_role table
public class Role implements GrantedAuthority {

    public final static Role USER = new Role("USER");
    public final static Role ADMIN = new Role("ADMIN");

    private String authority;

    ...

}

@Transactional
@Service
public class ProfileService implements UserDetailsService {

    private final ProfileRepository profileRepository;

    @Autowired
    public ProfileService(ProfileRepository profileRepository){
            this.profileRepository = profileRepository;
    }

    public Profile loadUserByUsername(String username) throws UsernameNotFoundException {
        Profile profile = profileRepository.findByUsername(username);

        // this is the only way to authenticate
        if (profile == null) {
            throw new UsernameNotFoundException("security.userNotFound");
        }

        return profile;
    }

// you may want to add profile creation etc.
...
}

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private ProfileService profileService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
        throws Exception {
        auth.userDetailsService(profileService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/**")
                .authenticated()
                ...
                // you may want to put more config here
      }
}