Spring Cloud微服务安全实战_3-6_API安全之授权

孤街醉人 提交于 2019-12-08 21:06:32

 

API安全之授权

 

访问控制:

1,ACL :Access Control Lists,直接给每个用户授权,他能访问什么。开发简单,但是用户多的话,给每个用户授权比较麻烦。

2,RBAC:Role Based Access Control。给角色授权,给用户赋予角色。授权简单,开发麻烦。

 

下边用ACL来实现简单的权限控制,在用户表里加入permission字段标识权限。

项目代码结构:

 

 

 

数据库,User表:

 

 

插入两条数据

 

 

 

 

 

 

 User类:

 

/**
 * <p>
 *     User
 * </p>
 *
 * @author 李浩洋
 * @since 2019-10-26
 */
@Data
public class User implements Serializable {

    private static final long serialVersionUID = 1L;

    private Long id;
    private String name;
    private String username;
    private String password;
    private String permissions;


    public boolean hasPermission(String method){
        boolean result = false;
        if(StringUtils.equalsIgnoreCase("get",method)){
            //如果是get请求,判断user的permissions是否有r
            result = StringUtils.contains(permissions,"r");
        }else {
            //是否有w权限
            result = StringUtils.contains(permissions,"w");
        }
        return result;
    }

}

 

 

 

拦截

  用拦截器进行拦截,因为授权要在审计之后,审计就是拦截器,如果权限控制用过滤器,就会在审计之前执行

/**
 * 基于ACL访问控制的权限拦截器
 * 在审计之后执行
 */
@Component
public class AclInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

        System.err.println("+++授权+++" +4);
        boolean result = true;
        //从request拿用户信息
        User user = (User)request.getAttribute("user");
        if(user == null){
            //未认证
            response.setContentType("text/plain");
            response.setStatus(HttpStatus.UNAUTHORIZED.value());
            response.getWriter().write("未认证");
            result = false;
        }else {
            //判断用户是否有权限访问
            if(!user.hasPermission(request.getMethod())){
                //没权限
                response.setContentType("text/plain");
                response.setStatus(HttpStatus.FORBIDDEN.value());
                response.getWriter().write("未授权");
                result = false;
            }
        }
        return result;
    }
}

webconfig配置:

@Configuration
public class SecurityConfig implements WebMvcConfigurer {

    //审计日志
    @Autowired
    private AuditLogInterceptor auditLogInterceptor;
    //授权
    @Autowired
    private AclInterceptor aclInterceptor;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(auditLogInterceptor);//.addPathPatterns();//先add的先执行,默认所有请求都拦截
        registry.addInterceptor(aclInterceptor);
    }
}

正常的访问:

 

 

 控制台打印,可以看到,限流、认证、审计、授权几个过滤器拦截器,是预期的执行顺序

2019-12-08 20:52:33.857 INFO 50060 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2019-12-08 20:52:33.857 INFO 50060 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2019-12-08 20:52:33.863 INFO 50060 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 6 ms
++++流控++++ 1
++++认证++++ 2
Creating a new SqlSession
SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@a3f8551] was not registered for synchronization because synchronization is not active
JDBC Connection [com.mysql.jdbc.JDBC4Connection@1914b4d] will not be managed by Spring
==> Preparing: SELECT id,password,permissions,name,username FROM user WHERE (username = ?)
==> Parameters: lhy(String)
<== Columns: id, password, permissions, name, username
<== Row: 1, 123, r, 阳仔, lhy
<== Total: 1
Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@a3f8551]
+++审计+++3
Creating a new SqlSession
SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@230e191f] was not registered for synchronization because synchronization is not active
JDBC Connection [com.mysql.jdbc.JDBC4Connection@1914b4d] will not be managed by Spring
==> Preparing: INSERT INTO audit_log ( path, method, create_time, username ) VALUES ( ?, ?, ?, ? )
==> Parameters: /users/1(String), GET(String), 2019-12-08 20:52:34.143(Timestamp), lhy(String)
+++审计拦截器,insert+++
<== Updates: 1
+++授权+++4
Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@230e191f]
Controller getUser,id=1
Creating a new SqlSession
SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@771b52e5] was not registered for synchronization because synchronization is not active
JDBC Connection [com.mysql.jdbc.JDBC4Connection@1914b4d] will not be managed by Spring
==> Preparing: SELECT id,password,permissions,name,username FROM user WHERE id=?
==> Parameters: 1(Long)
<== Columns: id, password, permissions, name, username
<== Row: 1, 123, r, 阳仔, lhy
<== Total: 1
Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@771b52e5]
Creating a new SqlSession
SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@776808b4] was not registered for synchronization because synchronization is not active
JDBC Connection [com.mysql.jdbc.JDBC4Connection@1914b4d] will not be managed by Spring
==> Preparing: SELECT id,path,method,create_time,update_time,username,status FROM audit_log WHERE id=?
==> Parameters: 144(Long)
<== Columns: id, path, method, create_time, update_time, username, status
<== Row: 144, /users/1, GET, 2019-12-08 20:52:34.0, null, lhy, null
<== Total: 1
Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@776808b4]
Creating a new SqlSession
SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@359aa106] was not registered for synchronization because synchronization is not active
JDBC Connection [com.mysql.jdbc.JDBC4Connection@1914b4d] will not be managed by Spring
==> Preparing: UPDATE audit_log SET path=?, method=?, create_time=?, update_time=?, username=?, status=? WHERE id=?
==> Parameters: /users/1(String), GET(String), 2019-12-08 20:52:34.0(Timestamp), 2019-12-08 20:52:34.302(Timestamp), lhy(String), 200(Integer), 144(Long)
<== Updates: 1
Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@359aa106]
+++审计拦截器,update+++

未授权的访问:

 

 

 

审计日志

 代码:https://github.com/lhy1234/springcloud-security/tree/master/nb-user-api

 ++++++++++++++++++分割线++++++++++++++++++

小结

用ACL访问控制列表+拦截器实现了一个简单的权限控制

 

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!