API安全之授权
访问控制:
1,ACL :Access Control Lists,直接给每个用户授权,他能访问什么。开发简单,但是用户多的话,给每个用户授权比较麻烦。
2,RBAC:Role Based Access Control。给角色授权,给用户赋予角色。授权简单,开发麻烦。
下边用ACL来实现简单的权限控制,在用户表里加入permission字段标识权限。
项目代码结构:
数据库,User表:
插入两条数据
User类:
/** * <p> * User * </p> * * @author 李浩洋 * @since 2019-10-26 */ @Data public class User implements Serializable { private static final long serialVersionUID = 1L; private Long id; private String name; private String username; private String password; private String permissions; public boolean hasPermission(String method){ boolean result = false; if(StringUtils.equalsIgnoreCase("get",method)){ //如果是get请求,判断user的permissions是否有r result = StringUtils.contains(permissions,"r"); }else { //是否有w权限 result = StringUtils.contains(permissions,"w"); } return result; } }
拦截
用拦截器进行拦截,因为授权要在审计之后,审计就是拦截器,如果权限控制用过滤器,就会在审计之前执行
/** * 基于ACL访问控制的权限拦截器 * 在审计之后执行 */ @Component public class AclInterceptor extends HandlerInterceptorAdapter { @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { System.err.println("+++授权+++" +4); boolean result = true; //从request拿用户信息 User user = (User)request.getAttribute("user"); if(user == null){ //未认证 response.setContentType("text/plain"); response.setStatus(HttpStatus.UNAUTHORIZED.value()); response.getWriter().write("未认证"); result = false; }else { //判断用户是否有权限访问 if(!user.hasPermission(request.getMethod())){ //没权限 response.setContentType("text/plain"); response.setStatus(HttpStatus.FORBIDDEN.value()); response.getWriter().write("未授权"); result = false; } } return result; } }
webconfig配置:
@Configuration public class SecurityConfig implements WebMvcConfigurer { //审计日志 @Autowired private AuditLogInterceptor auditLogInterceptor; //授权 @Autowired private AclInterceptor aclInterceptor; @Override public void addInterceptors(InterceptorRegistry registry) { registry.addInterceptor(auditLogInterceptor);//.addPathPatterns();//先add的先执行,默认所有请求都拦截 registry.addInterceptor(aclInterceptor); } }
正常的访问:
控制台打印,可以看到,限流、认证、审计、授权几个过滤器拦截器,是预期的执行顺序
2019-12-08 20:52:33.857 INFO 50060 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2019-12-08 20:52:33.857 INFO 50060 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2019-12-08 20:52:33.863 INFO 50060 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 6 ms
++++流控++++ 1
++++认证++++ 2
Creating a new SqlSession
SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@a3f8551] was not registered for synchronization because synchronization is not active
JDBC Connection [com.mysql.jdbc.JDBC4Connection@1914b4d] will not be managed by Spring
==> Preparing: SELECT id,password,permissions,name,username FROM user WHERE (username = ?)
==> Parameters: lhy(String)
<== Columns: id, password, permissions, name, username
<== Row: 1, 123, r, 阳仔, lhy
<== Total: 1
Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@a3f8551]
+++审计+++3
Creating a new SqlSession
SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@230e191f] was not registered for synchronization because synchronization is not active
JDBC Connection [com.mysql.jdbc.JDBC4Connection@1914b4d] will not be managed by Spring
==> Preparing: INSERT INTO audit_log ( path, method, create_time, username ) VALUES ( ?, ?, ?, ? )
==> Parameters: /users/1(String), GET(String), 2019-12-08 20:52:34.143(Timestamp), lhy(String)
+++审计拦截器,insert+++
<== Updates: 1
+++授权+++4
Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@230e191f]
Controller getUser,id=1
Creating a new SqlSession
SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@771b52e5] was not registered for synchronization because synchronization is not active
JDBC Connection [com.mysql.jdbc.JDBC4Connection@1914b4d] will not be managed by Spring
==> Preparing: SELECT id,password,permissions,name,username FROM user WHERE id=?
==> Parameters: 1(Long)
<== Columns: id, password, permissions, name, username
<== Row: 1, 123, r, 阳仔, lhy
<== Total: 1
Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@771b52e5]
Creating a new SqlSession
SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@776808b4] was not registered for synchronization because synchronization is not active
JDBC Connection [com.mysql.jdbc.JDBC4Connection@1914b4d] will not be managed by Spring
==> Preparing: SELECT id,path,method,create_time,update_time,username,status FROM audit_log WHERE id=?
==> Parameters: 144(Long)
<== Columns: id, path, method, create_time, update_time, username, status
<== Row: 144, /users/1, GET, 2019-12-08 20:52:34.0, null, lhy, null
<== Total: 1
Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@776808b4]
Creating a new SqlSession
SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@359aa106] was not registered for synchronization because synchronization is not active
JDBC Connection [com.mysql.jdbc.JDBC4Connection@1914b4d] will not be managed by Spring
==> Preparing: UPDATE audit_log SET path=?, method=?, create_time=?, update_time=?, username=?, status=? WHERE id=?
==> Parameters: /users/1(String), GET(String), 2019-12-08 20:52:34.0(Timestamp), 2019-12-08 20:52:34.302(Timestamp), lhy(String), 200(Integer), 144(Long)
<== Updates: 1
Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@359aa106]
+++审计拦截器,update+++
未授权的访问:
审计日志
代码:https://github.com/lhy1234/springcloud-security/tree/master/nb-user-api
++++++++++++++++++分割线++++++++++++++++++
小结
用ACL访问控制列表+拦截器实现了一个简单的权限控制