[英]Custom User, roles, permissions implementing UserDetail and UserDetailService with Spring Security
I am looking to use Spring Security w/ MySql to store Users, Roles, Permissions (authorities).我希望使用 Spring 安全性 w/MySql 来存储用户、角色、权限(权限)。 I have done the following:
我做了以下事情:
ApplicationUser (id, firstName, lastName, username, password, roles ) ApplicationUser(id、firstName、lastName、username、password、 roles )
ApplicationRole (id, name, description, permissions ) implements GrantedAuthority ApplicationRole (id, name, description, permissions ) 实现 GrantedAuthority
ApplicationPermission (id, name, description) implements GrantedAuthority ApplicationPermission (id, name, description) 实现 GrantedAuthority
I created a class that implements UserDetailService.我创建了一个实现 UserDetailService 的 class。 In the loadUserByUsername method I doing the following:
在 loadUserByUsername 方法中,我执行以下操作:
ApplicationUser applicationUser = userRepository.findByUsername(username);
if(applicationUser == null) {
throw new UsernameNotFoundException(username);
}
// Extract role/role permission grantedAuthorities from db user
List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
for (Role role: applicationUser.getRoles()) {
grantedAuthorities.add(role);
grantedAuthorities.addAll(role.getPermissions());
}
return new User(applicationUser.getUsername(), applicationUser.getPassword(), grantedAuthorities);
However, this still leaves me a bit confused and here are a few of my questions...然而,这仍然让我有点困惑,这里有一些我的问题......
I think my problem is that I am confused as to when/how to properly implement UserDetail and UserDetailService making sure I am loading the authorities from the database and setting them each time a user logs in. Additionally, is there any point in implementing GrantedAuthority with my ApplicationRole and ApplicationPermission class the way I am?我认为我的问题是我对何时/如何正确实施 UserDetail 和 UserDetailService 感到困惑,以确保我从数据库中加载权限并在每次用户登录时设置它们。此外,使用 GrantedAuthority 实施是否有任何意义我的 ApplicationRole 和 ApplicationPermission class 我是这样的吗?
It's not necessary and I wouldn't recommend it either.这不是必需的,我也不推荐它。 It's good to keep these different aspects of your application separate.
最好将应用程序的这些不同方面分开。 As far as I know it's a common practice to fetch the roles in your custom
UserDetailsService
and wrap their textual representation in a SimpleGrantedAuthority
(ie their name).据我所知,在您的自定义
UserDetailsService
ervice 中获取角色并将其文本表示形式包装在SimpleGrantedAuthority
(即他们的名称)中是一种常见的做法。 Note that to differentiate between roles and authorities within Spring Security you have to prefix roles with the ROLE_
tag by default (see hasRole
and hasAuthority
access-control expressions).请注意,为了区分 Spring Security 中的角色和权限,您必须在默认情况下为角色添加
ROLE_
标记(请参阅hasRole
和hasAuthority
访问控制表达式)。
Having a custom UserDetails
implementation is not necessary but might have benefits, for example you can store extra fields that are specific to your application.拥有自定义
UserDetails
实现不是必需的,但可能有好处,例如,您可以存储特定于您的应用程序的额外字段。 The default implementation is org.springframework.security.core.userdetails.User
, most of the time you can just extend this one.默认实现是
org.springframework.security.core.userdetails.User
,大多数时候你可以扩展这个。
See #1见#1
is there any point in implementing GrantedAuthority with my ApplicationRole and ApplicationPermission class the way I am?
以我的方式使用我的 ApplicationRole 和 ApplicationPermission class 实现 GrantedAuthority 有什么意义吗?
It wouldn't make any sense, no.这没有任何意义,不。 Many use-cases are covered by the existing implementations, but for the most simple use-cases you can just stick to
SimpleGrantedAuthority
.现有实现涵盖了许多用例,但对于最简单的用例,您可以坚持使用
SimpleGrantedAuthority
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.