1、RBAC权限模型

RBAC（Role-Based Access Control）是一种基于角色的访问控制模型，用于管理系统中用户的权限和访问控制。它将用户、角色和权限之间的关系进行了明确的定义，以实现灵活的权限管理和控制。

1.1、RBAC模型主要包括以下几个核心概念：

1、模型概念：

用户（User）：系统中的实际操作者，拥有唯一标识符。

角色（Role）：权限的集合，可以被赋予给用户，一个用户可以拥有一个或多个角色。

权限（Permission）：系统中的具体操作权限，定义了用户可以执行的操作，可以是功能菜单的接口路径URL，也可以是其他细粒度的操作权限。

2、操作概念：

授权（Authorization）：将权限赋予用户或角色的过程，即为用户分配相应的角色或权限。

认证（Authentication）：验证用户的身份和权限，确保用户具有访问系统资源的合法权限。

RBAC模型的基本原则是：权限授权应该基于角色，而不是直接授权给特定用户。通过角色的中介，将权限与用户进行解耦，实现了权限的集中管理和灵活分配。

1.2、RBAC模型的优点包括：

• 简化权限管理：通过角色的授权机制，可以集中管理和维护权限，减少了权限管理的复杂性。
• 灵活的权限分配：通过给用户分配适当的角色，可以灵活地控制用户的权限，实现细粒度的访问控制。
• 易于扩展和维护：RBAC模型具有良好的可扩展性和维护性，可以根据业务需求进行权限的增删改操作，而不影响其他部分的权限控制。

在实际应用中，RBAC模型可以结合权限管理框架和安全框架来实现。例如，使用Spring Security框架可以方便地实现RBAC模型的权限控制，通过定义角色、权限和用户的关系，并结合注解和配置来实现权限的校验和访问控制。

总结来说，RBAC模型是一种灵活和可扩展的权限管理模型，通过角色的授权机制实现了权限的集中管理和灵活分配，为系统提供了高效、安全和可维护的访问控制机制。

1.3、RBAC级别

• RBAC0：用户和角色是多对多，角色和权限是多对多。一个用户拥有的权限，是他所有角色的集合。
• RBAC1：基于RBAC0，并引入了角色分层的概念，即一个角色分为多个等级，每个等级对应的权限是不一样的。把权限分给用户时，需要分到对应的角色等级。角色等级低时拥有的权限少，角色等级高的权限是所有角色等级低的权限的集合。
• RBAC2：基于RBAC1，对角色访问进行限制。
  • 如互斥角色限制：同一个用户分配到两个角色，且角色互斥时，那么系统应该提醒只能选择其中一个角色。比如员工拥有商务这个角色，可以创建结算单并提交给财务审核，这时，就不能赋予这个员工财务角色，否则他就自己提交结算自己审核结算单了。
  • 角色数量限制：一个用户拥有的角色数量是有限的；一个角色被分配的用户数量也是有限的。
  • 先决条件限制：用户想获得某个上级角色，必须先获得其下一级的角色。比如想获得产品总监的权限，那就需要从产品助理这一角色开始，再到产品经理角色，最后到产品总监角色。
• RBAC3：基于RBAC0，对RBAC1和RBAC2进行了整合，是最全面的权限管理。

1.4、RBAC模型复杂情况

当用户非常多的情况，可以设计用户组的概念，用户组代替原先用户的概念，这样能起到批量操作用户角色的作用；

权限组的概念也差不多，是权限过多的情况，一个一个赋权操作太繁琐，可以用权限组批量操作，非常方便。

1.5、springSecruity中实际运用简单的步骤

1. 用户表、角色表、权限表。然后两张关联表将用户和角色，角色和权限做关联。
2. 添加用户的时候，给user特定的用户角色。
3. 登录时，将查询用户信息，将角色信息放进token，或缓存(比如redis，外部缓存好处是能临时控制权限)中。
4. 登录后的操作，都会经过自定义filter，验证通过的话，可以将用户信息放进springSecruity上下文，和ThreadLocal（这里是因为登录以及验证角色权限是单线程操作，使用本地线程速度最快，比map以及外部缓存都快）。
5. 我们想使用权限，而且无侵入的去控制的话，可以弄个自定义注解，参数为角色名，验证ThreadLocal中保存的用户信息中的角色中是否包含此角色名，返回boolean类型。

2、demo实现

结合前面我写的两篇帖子，这里整理了一个demo，能够实现一个简单的无侵入的登录及权限控制方案。这里用到springSecruity、jwt、redis、mysql、threadLocal等技术

0、springboot配置

数据源自己配，就是要提前有redis和mysql

server:port: 8083spring:application:name: playerredis:host: xxxxxxxport: xxxxxxxdatasource:url: jdbc:mysql://xxxxxxx:xxxx/xxxxxxusername: rootpassword: Aa@123456driver-class-name: com.mysql.cj.jdbc.Driverjpa:hibernate:ddl-auto: nonemybatis:mapper-locations: classpath:mappers/*.xmltype-aliases-package: com.loong.nba.player.pojo

1、依赖

<dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-redis</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-api</artifactId><version>0.11.2</version></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-impl</artifactId><version>0.11.2</version><scope>runtime</scope></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-jackson</artifactId><version>0.11.2</version><scope>runtime</scope></dependency><!-- MyBatis --><dependency><groupId>org.mybatis.spring.boot</groupId><artifactId>mybatis-spring-boot-starter</artifactId><version>2.2.0</version></dependency><!-- 数据库驱动 --><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>8.0.31</version></dependency>
</dependencies>

2、util

package com.loong.nba.player.util;import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.stereotype.Component;import java.security.Key;
import java.util.Date;
import java.util.concurrent.TimeUnit;/*** @author jilong* @date 2023/5/18*/
@Component
public class JwtUtil {private final Key secretKey;private final long expirationTime;@Autowiredprivate StringRedisTemplate redisTemplate;public JwtUtil() {this.secretKey = Keys.secretKeyFor(SignatureAlgorithm.HS256);this.expirationTime = 120000;}/*** 生成jwt令牌** @param username 用户名* @return token*/public String generateToken(String username) {Date now = new Date();Date expirationDate = new Date(System.currentTimeMillis() + expirationTime);String token = Jwts.builder().setSubject(username).setIssuedAt(now).setExpiration(expirationDate).signWith(secretKey, SignatureAlgorithm.HS256).compact();redisTemplate.opsForValue().set(username, token, expirationTime, TimeUnit.MILLISECONDS);return token;}/*** 解析令牌** @param token token* @return 内容*/public String getUsernameFormToken(String token) {return extractClaims(token).getBody().getSubject();}public boolean validateToken(String token) {try {Jws<Claims> claims = extractClaims(token);return !claims.getBody().getExpiration().before(new Date());} catch (Exception e) {e.printStackTrace();return false;}}private Jws<Claims> extractClaims(String token) {JwtParser parser = Jwts.parserBuilder().setSigningKey(secretKey).build();return parser.parseClaimsJws(token);}
}

package com.loong.nba.player.util;import com.loong.nba.player.pojo.LoginUserBO;public class SessionUtils {static ThreadLocal<LoginUserBO> loginUser = new ThreadLocal<>();public static LoginUserBO getLoginUser() {return loginUser.get();}public static void setLoginUser(LoginUserBO loginUserBO) {loginUser.set(loginUserBO);}
}

3、pojo

package com.loong.nba.player.pojo;public class UserPO {private Integer id;private String username;private String password;private String salt;public Integer getId() {return id;}public void setId(Integer id) {this.id = id;}public String getUsername() {return username;}public void setUsername(String username) {this.username = username;}public String getPassword() {return password;}public void setPassword(String password) {this.password = password;}public String getSalt() {return salt;}public void setSalt(String salt) {this.salt = salt;}
}

package com.loong.nba.player.pojo;import java.util.List;public class LoginUserBO {private String username;private Integer userId;private String password;private List<Role> roleList;public String getUsername() {return username;}public void setUsername(String username) {this.username = username;}public Integer getUserId() {return userId;}public void setUserId(Integer userId) {this.userId = userId;}public String getPassword() {return password;}public void setPassword(String password) {this.password = password;}public List<Role> getRoleList() {return roleList;}public void setRoleList(List<Role> roleList) {this.roleList = roleList;}
}

package com.loong.nba.player.pojo;public class Role {private Integer id;private String roleName;public Integer getId() {return id;}public void setId(Integer id) {this.id = id;}public String getRoleName() {return roleName;}public void setRoleName(String roleName) {this.roleName = roleName;}
}

package com.loong.nba.player.pojo;/*** @author jilong* @date 2023/5/19*/
public class UserDO {private String name;private String password;public UserDO() {}public UserDO(String name, String password) {this.name = name;this.password = password;}public String getName() {return name;}public void setName(String name) {this.name = name;}public String getPassword() {return password;}public void setPassword(String password) {this.password = password;}
}

4、config

package com.loong.nba.player.config;import com.loong.nba.player.filter.JwtAuthenticationFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;/*** @author jilong* @date 2023/5/18*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {private final JwtAuthenticationFilter jwtAuthenticationFilter;public SecurityConfig(JwtAuthenticationFilter jwtAuthenticationFilter) {this.jwtAuthenticationFilter = jwtAuthenticationFilter;}@Overrideprotected void configure(HttpSecurity http) throws Exception {http.csrf().disable().authorizeRequests().antMatchers("/login","/user").permitAll().anyRequest().authenticated().and().addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);}@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}}

5、dao层

package com.loong.nba.player.dao;import com.loong.nba.player.pojo.Role;
import org.apache.ibatis.annotations.Mapper;import java.util.List;@Mapper
public interface RoleMapper {List<Role> findByUserId(Integer id);}

package com.loong.nba.player.dao;import com.loong.nba.player.pojo.UserPO;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;@Mapper
public interface UserMapper {UserPO findById(Integer id);UserPO findByName(@Param("name") String name);Integer addUser(@Param("userPO") UserPO userPO);}

6、service

package com.loong.nba.player.service;import com.loong.nba.player.pojo.UserDO;
import com.loong.nba.player.pojo.UserPO;public interface UserService {/*** 添加用户* @return 用户id*/UserPO addUser(UserDO userDO);boolean comparePassword(UserDO userDO);}

package com.loong.nba.player.service;import com.loong.nba.player.dao.UserMapper;
import com.loong.nba.player.pojo.UserDO;
import com.loong.nba.player.pojo.UserPO;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.stereotype.Service;import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;/*** @author jilong* @date 2023/5/19*/
@Service
public class UserServiceImpl implements UserService {private final UserMapper userMapper;public UserServiceImpl(UserMapper userMapper) {this.userMapper = userMapper;}@Overridepublic UserPO addUser(UserDO userDO) {// 定义盐的长度（字节数）int saltLength = 6;// 创建一个安全的随机数生成器SecureRandom secureRandom = new SecureRandom();// 生成盐byte[] salt = new byte[saltLength];secureRandom.nextBytes(salt);// 将盐转换为字符串或字节数组String saltString = encodeSalt(salt);// 计算密码摘要String password = encryptPassword(userDO.getPassword(), saltString);UserPO userPO = new UserPO();userPO.setUsername(userDO.getName());userPO.setPassword(password);userPO.setSalt(saltString);userMapper.addUser(userPO);System.out.println("Salt (Base64 string): " + saltString);return userPO;}String encodeSalt(byte[] salt) {return Base64.getEncoder().encodeToString(salt);}byte[] decodeSaltString(String saltString) {return Base64.getDecoder().decode(saltString);}String encryptPassword(String password, String salt) {String plaintext = password + salt;try {// 创建SHA-256算法的MessageDigest实例MessageDigest digest = MessageDigest.getInstance("SHA-256");// 计算中文字符串的摘要byte[] hash = digest.digest(plaintext.getBytes(StandardCharsets.UTF_8));// 将摘要字节数组转换为十六进制字符串表示String digestHex = bytesToHex(hash);System.out.println("SHA-256摘要：" + digestHex);return digestHex;} catch (NoSuchAlgorithmException e) {e.printStackTrace();}return null;}// 将摘要字节数组转换为十六进制字符串表示private static String bytesToHex(byte[] bytes) {StringBuilder hexStringBuilder = new StringBuilder();for (byte b : bytes) {String hex = Integer.toHexString(0xff & b);if (hex.length() == 1) {hexStringBuilder.append('0');}hexStringBuilder.append(hex);}return hexStringBuilder.toString();}@Overridepublic boolean comparePassword(UserDO userDO) {UserPO user = userMapper.findByName(userDO.getName());String salt = user.getSalt();String password = encryptPassword(userDO.getPassword(), salt);return password.equals(user.getPassword());}}

7、filter

package com.loong.nba.player.filter;import com.loong.nba.player.dao.RoleMapper;
import com.loong.nba.player.dao.UserMapper;
import com.loong.nba.player.pojo.LoginUserBO;
import com.loong.nba.player.pojo.Role;
import com.loong.nba.player.pojo.UserPO;
import com.loong.nba.player.util.JwtUtil;
import com.loong.nba.player.util.SessionUtils;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.util.ObjectUtils;
import org.springframework.web.filter.OncePerRequestFilter;import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;
import java.util.List;/*** @author jilong* @date 2023/5/18*/
@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {private final String tokenHeader = "Authorization";private final String tokenPrefix = "Bearer ";private final JwtUtil jwtUtil;private final StringRedisTemplate redisTemplate;private final UserMapper userMapper;private final RoleMapper roleMapper;public JwtAuthenticationFilter(JwtUtil jwtUtil, StringRedisTemplate redisTemplate, UserMapper userMapper, RoleMapper roleMapper) {this.jwtUtil = jwtUtil;this.redisTemplate = redisTemplate;this.userMapper = userMapper;this.roleMapper = roleMapper;}@Overridepublic void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {String header = request.getHeader(tokenHeader);if (!ObjectUtils.isEmpty(header) && header.startsWith(tokenPrefix)) {String token = header.replace(tokenPrefix, "");if (!ObjectUtils.isEmpty(token) && jwtUtil.validateToken(token)) {String username = jwtUtil.getUsernameFormToken(token);UserPO userPO = userMapper.findByName(username);List<Role> roleList = roleMapper.findByUserId(userPO.getId());LoginUserBO loginUserBO = new LoginUserBO();loginUserBO.setUserId(userPO.getId());loginUserBO.setUsername(username);loginUserBO.setPassword(userPO.getPassword());loginUserBO.setRoleList(roleList);if (redisTemplate.opsForValue().get(username) != null) {UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, null, Collections.emptyList());SecurityContextHolder.getContext().setAuthentication(authenticationToken);SessionUtils.setLoginUser(loginUserBO);}}}chain.doFilter(request, response);}
}

8、controller

package com.loong.nba.player.controller;import com.loong.nba.player.pojo.UserDO;
import com.loong.nba.player.pojo.UserPO;
import com.loong.nba.player.service.UserServiceImpl;
import com.loong.nba.player.util.JwtUtil;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;import javax.servlet.http.HttpServletResponse;/*** @author jilong* @date 2023/5/15*/
@RestController
public class LoginController {private final JwtUtil jwtUtil;private final UserServiceImpl userService;public LoginController(JwtUtil jwtUtil, UserServiceImpl userService) {this.jwtUtil = jwtUtil;this.userService = userService;}@PostMapping("/login")public ResponseEntity<UserDO> postLogin(@RequestBody UserDO userDO, HttpServletResponse response) {if (!userService.comparePassword(userDO)) {return ResponseEntity.ok(new UserDO());}String token = jwtUtil.generateToken(userDO.getName());response.addHeader("Authorization", "Bearer " + token);return ResponseEntity.ok(userDO);}@PostMapping("/user")public UserPO addUser(@RequestBody UserDO userDO) {return userService.addUser(userDO);}@GetMapping("/test")@PreAuthorize("@permission.hasRole("+"'管理员'"+")")public String test() {return "hello test";}
}

9、mapper.xml

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"><mapper namespace="com.loong.nba.player.dao.RoleMapper"><select id="findByUserId" resultType="Role">SELECT role.id , role.rolename FROM role where idIN (SELECT role_id FROM user_role WHERE user_id = #{id})</select></mapper>

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"><mapper namespace="com.loong.nba.player.dao.UserMapper"><select id="findById" resultType="UserPO">SELECT * FROM user WHERE id = #{id}</select><select id="findByName" resultType="UserPO">SELECT * FROM user WHERE username = #{name}</select><insert id="addUser" parameterType="UserPO">INSERT INTO user (username, user_password, salt)VALUES (#{userPO.username}, #{userPO.password}, #{userPO.salt})</insert>
</mapper>