feat(security): 添加自定义动态权限 PermissionAuthorizationManager

Author: andanyoung

security-spring-boot-starter/README.md

@@ -4,6 +4,7 @@
 
 - 多渠道登录
 - 一个注解/一个配置，解决匿名url访问（忽略认证）
+- 基于数据库的动态权限
 
 ## USAGES
 

security-spring-boot-starter/pom.xml

@@ -10,7 +10,7 @@
     <groupId>com.admin4j.framework</groupId>
     <artifactId>security-spring-boot-starter</artifactId>
     <packaging>jar</packaging>
-    <version>0.9.4-SNAPSHOT</version>
+    <version>0.9.5-SNAPSHOT</version>
 
     <name>security-spring-boot-starter</name>
 

security-spring-boot-starter/src/main/java/com/admin4j/framework/security/authorization/IPermissionUriService.java

@@ -0,0 +1,26 @@
+package com.admin4j.framework.security.authorization;
+
+import java.util.List;
+
+/**
+ * 权限uri 服务
+ *
+ * @author andanyang
+ * @since 2023/12/19 14:34
+ */
+public interface IPermissionUriService {
+
+    /**
+     * 获取 系统 所有的 PermissionUri
+     *
+     * @return
+     */
+    List<String> allPermissionUri();
+
+    /**
+     * 当前用户拥有的权限
+     *
+     * @return
+     */
+    List<String> getMyPermissionUrls();
+}

security-spring-boot-starter/src/main/java/com/admin4j/framework/security/authorization/PermissionAuthorizationManager.java

@@ -0,0 +1,114 @@
+package com.admin4j.framework.security.authorization;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
+import org.springframework.util.AntPathMatcher;
+
+import java.util.Collection;
+import java.util.function.Supplier;
+
+/**
+ * 自定义数据权限(授权)处理
+ * 被授 AuthorizationFilter 调用，负责做出最终的访问控制决定
+ *
+ * @author andanyang
+ * @since 2023/12/19 9:53
+ */
+@RequiredArgsConstructor
+public class PermissionAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
+
+    /**
+     * 有权限
+     */
+    protected static final AuthorizationDecision GRANTED = new AuthorizationDecision(true);
+    /**
+     * 没有权限
+     */
+    protected static final AuthorizationDecision UN_AUTHORIZED = new AuthorizationDecision(false);
+
+    protected final IPermissionUriService permissionUriService;
+
+    protected AntPathMatcher antPathMatcher = new AntPathMatcher();
+
+    /**
+     * Determines if access is granted for a specific authentication and object.
+     *
+     * @param authentication the {@link Supplier} of the {@link Authentication} to check
+     * @param object         the {@link T} object to check
+     * @return an {@link AuthorizationDecision} or null if no decision could be made
+     */
+    @Override
+    public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext object) {
+
+        // 获取当前请求的 URL 地址
+        String requestURI = object.getRequest().getRequestURI();
+        boolean matchPermission = matchPermission(requestURI);
+        if (matchPermission) {
+            return GRANTED;
+        }
+
+        // 沒有匹配到, 查看当前 requestURI 是否需要权限控制
+        return urlNeedPermission(requestURI) ? UN_AUTHORIZED : GRANTED;
+    }
+
+    /**
+     * url 是否需要授权
+     * TODO 放在 service 立马
+     *
+     * @return
+     */
+    public boolean urlNeedPermission(String requestURI) {
+
+        Collection<String> allPermissionUrls = getAllPermissionUrls();
+        for (String url : allPermissionUrls) {
+            if (antPathMatcher.match(url, requestURI)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * 当前用户是否可以匹配到访问该url权限
+     *
+     * @param requestURI
+     * @return
+     */
+    public boolean matchPermission(String requestURI) {
+        Collection<String> permissionUrls = getPermissionUrls();
+
+        if (permissionUrls == null || permissionUrls.isEmpty()) {
+            return false;
+        }
+
+        for (String url : permissionUrls) {
+            if (antPathMatcher.match(url, requestURI)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * 当前用户拥有的权限
+     *
+     * @return
+     */
+    public Collection<String> getPermissionUrls() {
+
+        return permissionUriService.getMyPermissionUrls();
+    }
+
+
+    /**
+     * 获取全部权限
+     *
+     * @return
+     */
+    protected Collection<String> getAllPermissionUrls() {
+        return permissionUriService.allPermissionUri();
+    }
+}

security-spring-boot-starter/src/main/java/com/admin4j/framework/security/configuration/MultiAuthenticationManagerAutoConfiguration.java

@@ -50,7 +50,7 @@ public MultiUserDetailsService usernamePasswordUserDetailsService(
 
 
     /**
-     * 获取 AuthenticationManager
+     * 获取 PermissionAuthorizationManager
      * <p>
      * 或者：
      * <code>

security-spring-boot-starter/src/main/java/com/admin4j/framework/security/configuration/PermissionAutoConfiguration.java

@@ -0,0 +1,22 @@
+package com.admin4j.framework.security.configuration;
+
+import com.admin4j.framework.security.authorization.IPermissionUriService;
+import com.admin4j.framework.security.authorization.PermissionAuthorizationManager;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.context.annotation.Bean;
+
+/**
+ * @author andanyang
+ * @since 2023/12/19 14:40
+ */
+@ConditionalOnBean(IPermissionUriService.class)
+@ConditionalOnMissingBean(PermissionAuthorizationManager.class)
+public class PermissionAutoConfiguration {
+
+    @Bean
+    public PermissionAuthorizationManager permissionAuthorizationManager(IPermissionUriService permissionUriService) {
+
+        return new PermissionAuthorizationManager(permissionUriService);
+    }
+}

security-spring-boot-starter/src/main/java/com/admin4j/framework/security/configuration/SecurityConfiguration.java

@@ -1,6 +1,7 @@
 package com.admin4j.framework.security.configuration;
 
 import com.admin4j.framework.security.ISecurityIgnoringUrl;
+import com.admin4j.framework.security.authorization.PermissionAuthorizationManager;
 import com.admin4j.framework.security.filter.ActuatorFilter;
 import com.admin4j.framework.security.ignoringUrl.AnonymousAccessUrl;
 import com.admin4j.framework.security.multi.MultiSecurityConfigurerAdapter;
@@ -16,8 +17,9 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
+import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.SecurityFilterChain;
@@ -33,7 +35,7 @@
 
 /**
  * TODO 需要注入，取消 UserDetailsServiceAutoConfiguration 开启
- * 		value = { AuthenticationManager.class, AuthenticationProvider.class, UserDetailsService.class,
+ * 		value = { PermissionAuthorizationManager.class, AuthenticationProvider.class, UserDetailsService.class,
  * 				AuthenticationManagerResolver.class },
  *
  * @author andanyang
@@ -79,7 +81,8 @@ public class SecurityConfiguration {
     CorsFilter corsFilter;
     @Autowired(required = false)
     MultiSecurityConfigurerAdapter multiSecurityConfigurerAdapter;
-
+    @Autowired(required = false)
+    PermissionAuthorizationManager permissionAuthorizationManager;
     /**
      * 取消ROLE_前缀
      */
@@ -131,11 +134,6 @@ public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Excepti
         // 添加Logout filter
         httpSecurity.logout().logoutUrl(formLoginProperties.getLogOutProcessingUrl()).permitAll().logoutSuccessHandler(logoutSuccessHandler);
 
-        // 授权请求配置
-        // 忽略URl配置
-        ignoringRequestMatcherRegistry(httpSecurity.authorizeRequests());
-        // 除上面外的所有请求全部需要鉴权认证;其他路径必须验证
-        httpSecurity.authorizeRequests().anyRequest().authenticated();
 
         // 添加CORS filter
         if (corsFilter != null) {
@@ -160,14 +158,31 @@ public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Excepti
                     .permitAll();
         }
 
+        // 授权请求配置 authorizeHttpRequests(6.0 新版) authorizeRequests（旧版） 区别
+        // httpSecurity.authorizeRequests().anyRequest().authenticated();
+        httpSecurity.authorizeHttpRequests(register -> {
+
+            // 忽略URl配置
+            ignoringRequestMatcherRegistry(register);
+            if (permissionAuthorizationManager != null) {
+                // 自定义授权
+                register.anyRequest().access(permissionAuthorizationManager);
+            } else {
+                // 除上面外的所有请求全部需要鉴权认证;其他路径必须验证
+                register.anyRequest().authenticated();
+            }
+
+        });
+
         return httpSecurity.build();
     }
 
 
     /**
      * 忽略URl配置
      */
-    private void ignoringRequestMatcherRegistry(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry) {
+    private void ignoringRequestMatcherRegistry(AbstractRequestMatcherRegistry<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizedUrl> matcherRegistry) {
+
 
         if (securityIgnoringUrls != null && !securityIgnoringUrls.isEmpty()) {
             securityIgnoringUrls.forEach(url -> {
@@ -177,33 +192,33 @@ private void ignoringRequestMatcherRegistry(ExpressionUrlAuthorizationConfigurer
                 }
 
                 if (url.support() == null) {
-                    expressionInterceptUrlRegistry.antMatchers(url.ignoringUrls()).permitAll();
+                    matcherRegistry.mvcMatchers(url.ignoringUrls()).permitAll();
                 } else {
-                    expressionInterceptUrlRegistry.antMatchers(url.support(), url.ignoringUrls()).permitAll();
+                    matcherRegistry.antMatchers(url.support(), url.ignoringUrls()).permitAll();
                 }
             });
         }
 
         if (ignoringUrlProperties != null) {
 
             if (ignoringUrlProperties.getUris() != null && ignoringUrlProperties.getUris().length > 0) {
-                expressionInterceptUrlRegistry.antMatchers(ignoringUrlProperties.getUris()).permitAll();
+                matcherRegistry.antMatchers(ignoringUrlProperties.getUris()).permitAll();
             }
             if (ignoringUrlProperties.getGet() != null && ignoringUrlProperties.getGet().length > 0) {
-                expressionInterceptUrlRegistry.antMatchers(HttpMethod.GET, ignoringUrlProperties.getGet()).permitAll();
+                matcherRegistry.antMatchers(HttpMethod.GET, ignoringUrlProperties.getGet()).permitAll();
             }
 
             if (ignoringUrlProperties.getPost() != null && ignoringUrlProperties.getPost().length > 0) {
-                expressionInterceptUrlRegistry.antMatchers(HttpMethod.POST, ignoringUrlProperties.getPost()).permitAll();
+                matcherRegistry.antMatchers(HttpMethod.POST, ignoringUrlProperties.getPost()).permitAll();
             }
             if (ignoringUrlProperties.getPut() != null && ignoringUrlProperties.getPut().length > 0) {
-                expressionInterceptUrlRegistry.antMatchers(HttpMethod.PUT, ignoringUrlProperties.getPut()).permitAll();
+                matcherRegistry.antMatchers(HttpMethod.PUT, ignoringUrlProperties.getPut()).permitAll();
             }
             if (ignoringUrlProperties.getPatch() != null && ignoringUrlProperties.getPatch().length > 0) {
-                expressionInterceptUrlRegistry.antMatchers(HttpMethod.PATCH, ignoringUrlProperties.getPatch()).permitAll();
+                matcherRegistry.antMatchers(HttpMethod.PATCH, ignoringUrlProperties.getPatch()).permitAll();
             }
             if (ignoringUrlProperties.getDelete() != null && ignoringUrlProperties.getDelete().length > 0) {
-                expressionInterceptUrlRegistry.antMatchers(HttpMethod.DELETE, ignoringUrlProperties.getDelete()).permitAll();
+                matcherRegistry.antMatchers(HttpMethod.DELETE, ignoringUrlProperties.getDelete()).permitAll();
             }
         }
 
@@ -213,7 +228,7 @@ private void ignoringRequestMatcherRegistry(ExpressionUrlAuthorizationConfigurer
             Map<HttpMethod, String[]> anonymousUrl = anonymousAccessUrl.getAnonymousUrl();
             anonymousUrl.keySet().forEach(i -> {
 
-                expressionInterceptUrlRegistry.antMatchers(i, anonymousUrl.get(i)).permitAll();
+                matcherRegistry.antMatchers(i, anonymousUrl.get(i)).permitAll();
             });
         }
     }

security-spring-boot-starter/src/main/java/com/admin4j/framework/security/multi/MultiAuthenticationFilter.java

@@ -47,7 +47,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 
         MultiAuthenticationToken token = obtainToken(request);
         setDetails(request, token);
-        // 匹配成功交给 AuthenticationManager 去认证
+        // 匹配成功交给 PermissionAuthorizationManager 去认证
         return this.getAuthenticationManager().authenticate(token);
     }