Spring Security authorization control methods

This article introduces the ways Spring Security controls authorization and shares them as follows:

Authorization configuration using authorization methods

Each Spring Security authorization expression (hereafter simply "expression") actually corresponds to an authorization method in the API, which is the method you call when configuring the permission a request URL requires. For example:
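The following is an added example of those authorization methods in a Spring Security 5.x Java configuration (the original article showed its configuration as an image, which is not reproduced here). The paths, role names and authority names are assumptions chosen for illustration, and the `WebSecurityConfigurerAdapter` style assumes Spring Security 5.x (it was removed in 6.x):

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: each call chained after a matcher is one of the API's
// authorization methods. Paths, roles and authorities are hypothetical.
@Configuration
@EnableWebSecurity
public class AuthorizationMethodConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // login page and static assets need no authentication at all
                .antMatchers("/login", "/css/**", "/js/**").permitAll()
                // hasRole("ADMIN") checks for the granted authority "ROLE_ADMIN"
                .antMatchers("/admin/**").hasRole("ADMIN")
                // any one of the listed roles is sufficient
                .antMatchers("/report/**").hasAnyRole("MANAGER", "ADMIN")
                // hasAuthority matches the authority string exactly (no ROLE_ prefix),
                // and the matcher can be restricted to one HTTP method
                .antMatchers(HttpMethod.DELETE, "/api/orders/**").hasAuthority("order:delete")
                // every remaining request only needs a logged-in user; rules are
                // evaluated in declaration order, so this catch-all must come last
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

Ordering is the security-relevant detail here: the first matcher that fits the request wins, so a broad `permitAll()` or `authenticated()` placed above a narrower `hasRole(...)` rule silently disables the narrower rule.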

Use an authorization expression to authorize requests with multiple permission requirements

So when do you need an expression for authorization? The permission requirements of a secured application are often complex and varied. For example, a project's debugging endpoints may require that the visitor not only holds the administrator role but also comes in over the company's internal LAN. Requirements like this cannot be met with the fixed methods of the security API alone, because those authorization methods cannot be chained on a single matcher: each matcher accepts exactly one of them.

Here an authorization expression solves the problem:

Example of authorization expression
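Below is an added example of that expression form (it is not the original article's screenshot). The `/debug/**` path and the `192.168.0.0/16` LAN range are assumptions; the configuration style assumes Spring Security 5.x:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: combining two requirements on one matcher with a SpEL
// authorization expression. The debug path and the LAN CIDR are hypothetical.
@Configuration
@EnableWebSecurity
public class AuthorizationExpressionConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // hasRole(...) and hasIpAddress(...) are both built-in web expression
                // functions; "and" requires both conditions to hold for the same request
                .antMatchers("/debug/**")
                    .access("hasRole('ADMIN') and hasIpAddress('192.168.0.0/16')")
                // everything else only needs a logged-in user
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

One caveat a practitioner should check: `hasIpAddress` compares against the socket peer address the servlet container reports (`request.getRemoteAddr()`). Behind a reverse proxy or load balancer that is the proxy's address, so the check either always fails or, if you naively substitute the `X-Forwarded-For` header, becomes spoofable by the client. Resolve the client address only from a proxy you trust (for example with Spring's `ForwardedHeaderFilter` configured for that proxy) before relying on this expression.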

Role-based access control (RBAC)

You might think the methods above cover the authorization needs of most applications. In practice, though, authorization in enterprise applications is usually driven by data in a database that changes over time. Splicing expression strings together as above is not only unfriendly to developers (every personnel change would require a code change, which is clearly unreasonable) but also hurts application performance. So how is this solved?

Data model

A typical RBAC data model needs five tables: three entity tables and two relationship tables. The entity tables are the user table, the role table and the resource table; the relationship tables are the user-role table and the role-resource table. Their relationships are shown in the figure below:

RBAC data model

User table

Every user is recorded in the user table. When the company's personnel change, business staff (for example human resources) add or delete rows in this table.

Role table

Roles are positions in the company, such as president, vice president or department manager; business staff maintain this table according to the company's actual organization.

Resource table

This table stores the resources that require permission control. Control is ultimately applied by URL, but business staff do not organize data items by URL; they work with the view interface. So what this table stores is the menus and buttons presented to business staff, together with the URL each of them is permission-controlled by.

User-role relationship table

The user table and the role table have a many-to-many relationship (user ID and role ID). A user can hold multiple roles (a user can be both a department manager and an administrator), and a role usually corresponds to multiple users.

Role-resource relationship table

The role table and the resource table are likewise many-to-many: a role can access multiple resources (buttons, menus, etc.), and a resource can be accessed by multiple roles.

Spring Security also supports custom expressions for this purpose, like this:
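The following is an added example (not the original article's code) of a custom expression backed by the five RBAC tables described above: the expression delegates to a Spring bean that walks user, user-role, role-resource and resource to decide whether the current user may call the requested URL. The table and column names (`users`, `user_role`, `role_resource`, `resources`, `username`, `url`), the bean name `rbacService` and the `javax.servlet` / Spring Security 5.x stack are all assumptions:

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;
import org.springframework.util.AntPathMatcher;

// Added example: the bean referenced from the custom expression. Table and
// column names and the bean name "rbacService" are hypothetical.
@Service("rbacService")
public class RbacService {

    private final JdbcTemplate jdbc;
    private final AntPathMatcher matcher = new AntPathMatcher();

    public RbacService(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // Invoked from the expression as @rbacService.hasPermission(request, authentication)
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        // Anonymous requests carry the String principal "anonymousUser", not a
        // UserDetails, so they fail closed here instead of hitting the database.
        if (authentication == null || !(authentication.getPrincipal() instanceof UserDetails)) {
            return false;
        }
        String username = ((UserDetails) authentication.getPrincipal()).getUsername();

        // users -> user_role -> role_resource -> resources: collect every URL
        // pattern that any of this user's roles grants.
        List<String> grantedUrls = jdbc.queryForList(
            "SELECT DISTINCT res.url "
          + "FROM users u "
          + "JOIN user_role ur ON ur.user_id = u.id "
          + "JOIN role_resource rr ON rr.role_id = ur.role_id "
          + "JOIN resources res ON res.id = rr.resource_id "
          + "WHERE u.username = ?",
            String.class, username);

        // Resource URLs are stored as Ant patterns (for example /order/**), so the
        // requested path is matched against each granted pattern.
        String path = request.getRequestURI();
        return grantedUrls.stream().anyMatch(pattern -> matcher.match(pattern, path));
    }
}

// Added example: wiring the bean into the authorization rules.
@Configuration
@EnableWebSecurity
class RbacSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                // "@rbacService" resolves the Spring bean by name; "request" and
                // "authentication" are the built-in web expression variables.
                .anyRequest().access("@rbacService.hasPermission(request, authentication)")
                .and()
            .formLogin();
    }
}
```

With this in place a change to the role-resource or user-role tables takes effect on the next request, which is the point the section makes: no code change per personnel change. Two things to watch: the query runs on every request, so if that is too costly cache the granted pattern list per user with a short expiry (or load it at login), and `getRequestURI()` includes the servlet context path, so either store patterns with the context path or switch to `getServletPath()`; whichever you choose, keep the stored patterns and the compared path consistent, otherwise the match fails open or closed for every request.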

That is the whole content of this article. I hope it is helpful for your study, and I hope you will support Programming Tips.

The content of this article was collected from the internet and is provided for learning reference; the copyright belongs to the original author.