在 Spring Boot JPA 应用程序中使用角色

Question

我目前正在使用 Spring Boot 在 Java 中开发 Web 应用程序。

我正在使用的应用程序：

• MySQL 作为数据源
• 用于 ORM 的休眠 JPA
• Thymeleaf 用于模板

目前我的数据库有一个用户和角色表。登录、注册和会话工作正常。

我在网站上创建了一个仅限管理员的页面。

我在为用户创建和使用角色时遇到问题。

我希望数据库中的每个用户都有一个角色并能够使用它 在网站上。注册时的默认角色是“USER”，我 将能够在 MySQL 管理员。

这是目前我的用户实体类：

@Entity
@Table(name = "user")
public class User extends Auditable {

@Id
@GeneratedValue(strategy = GenerationType.AUTO)
@Column(name = "id")
private int id;

@Column(name = "email", nullable = false, unique = true)
@Email(message = "Please provide a valid e-mail")
@NotEmpty(message = "Please provide an e-mail")
private String email;

@Column(name = "password")
@Transient
private String password;

@Column(name = "first_name")
@NotEmpty(message = "Please provide your first name")
private String firstName;

@Column(name = "last_name")
@NotEmpty(message = "Please provide your last name")
private String lastName;

@Column(name = "enabled")
private boolean enabled;

@Column(name = "confirmation_token")
private String confirmationToken;

@OneToOne(mappedBy="user", cascade={CascadeType.ALL})
private Role role;


public User() {
}

public User(String firstName, String lastName, String email, String password, Role role) {
    this.firstName = firstName;
    this.lastName = lastName;
    this.email = email;
    this.password = password;
    this.role = role;
}

/** Getters and setters */

}

这是我的角色实体：

@Entity(name="role")
public class Role {

@Id
private Long id;

@OneToOne
private User user;
private Integer role;

/** Getters and setters */
}

在 UserService 中按用户名加载：

@Override
public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
    User user = userRepository.findByEmail(email);
    if (user == null){
        throw new UsernameNotFoundException("Invalid username or password.");
    }
    return new org.springframework.security.core.userdetails.User(user.getEmail(),
            user.getPassword(), getAuthorities(user.getRole().getRole()));
}

但由于某种原因，这不起作用。它在数据库中创建“角色”表，其中有两行

ID 名称
1 ROLE_USER
2 管理员

问题是，将用户保存到数据库时需要做什么才能为我保存的用户设置角色？目前，我的表中的所有用户行都没有角色列。 我怎样才能让它工作，这样当我的securityconfig中有规则时；

.hasRole("ADMIN")

它不会允许没有该角色的用户访问？目前，当我尝试使用该规则访问页面时，它总是返回我配置的禁止访问页面。

Answer 1

下面是我实现注册并将 rolse 分配给注册用户的代码。

1) 用户.java (@Entity)

@Entity
@Table(name = "users")
public class User {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long user_id;
    private String username;
    private String password;
    private boolean active;
    private String email;

    // user roles
    @ElementCollection(targetClass = Role.class, fetch = FetchType.EAGER)
    @CollectionTable(name = "user_role", joinColumns = @JoinColumn(name = "user_id"))
    @Enumerated(EnumType.STRING)
    private Set<Role> roles;

    // Constructors
    private User() {}

    public User(String username, String password, String email) {
        this.username = username;
        this.password = password;
        this.email = email;
    }

    // if user is admin
    public boolean isAdmin() {
        return roles.contains(Role.ADMIN);
    }


    // Below you can generate getters & setters & toString method.

    // Getter and setter for user roles
    public Set<Role> getRoles() {
        return roles;
    }

    public void setRoles(Set<Role> roles) {
        this.roles = roles;
    }
}

Role.java（枚举类型）

public enum Role {
    USER,
    ADMIN;

}

UserController.java (@Controller)

@Controller
public class UserController{

    //login page
    @GetMapping("/signin")
    public String loginPage() {
        return "frontend/login";
    }

    // registration page
    @GetMapping("/signup")
    public String signUpPage() {
        return "frontend/registration";
    }

    // User Registration
    @PostMapping("/signup")
    public String addUser(User user, Map<String, Object> model) {

        User userFromDB = userRepository.findByUsername(user.getUsername());
        if(userFromDB !=null ) {
            model.put("alreadyexists", "Username already exists!");
            return "frontend/registration";
        }

        // Set user apssword (also you can implement BCrypt)
        user.setPassword(user.getPassword());

        // set user activa
        user.setActive(true);

        // assign Rolr USER to newly registered user
        user.setRoles(Collections.singleton(Role.USER));


        userRepository.save(user);

        return "redirect:/profile";
    }
}

WebsecurityConfig.java (Spring Security)

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http

                .authorizeRequests()
                .antMatchers("/","/signup").permitAll()
                .anyRequest().authenticated()
                .and()
                    .formLogin()
                    .loginPage("/signin").defaultSuccessUrl("/profile")
                    .permitAll()
                .and()
                    .logout().logoutRequestMatcher(new AntPathRequestMatcher("/signout")).logoutSuccessUrl("/signin?bye")
                    .permitAll();
    }


    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
                .dataSource(dataSource)
                .usersByUsernameQuery("SELECT username, password, active FROM users WHERE username=?")
                .authoritiesByUsernameQuery("SELECT u.username, ur.roles FROM users u INNER JOIN user_role ur ON u.user_id = ur.user_id WHERE u.username=?");
    }
}