How to use the authentication and authorization framework in Java to implement user authentication and permission management?

How to use the authentication and authorization framework in Java to implement user authentication and permission management?

Introduction:
In most applications, user authentication and permission management are very important functions. There are many authentication and authorization frameworks in Java available to developers, such as Spring Security, Shiro, etc. This article will focus on how to use the Spring Security framework to implement user authentication and permission management.

1. Introduction to Spring Security
Spring Security is a powerful security framework. It is a plug-in based on the Spring framework and can be used to add authentication and authorization functions. Spring Security provides many functions, such as user authentication, role management, permission management, etc.

2. Authentication
Authentication is the process of verifying user identity. In Spring Security, user authentication can be achieved by configuring an authentication provider.

1. Configuration file
   First, you need to configure the authentication provider in the Spring configuration file. Authentication providers can be defined using the <authentication-manager></authentication-manager> element.

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService"/>
</authentication-manager>

2. Custom authentication provider
   Next, you need to customize a user details service class to load the user's detailed information, such as user name, password, role, etc. You can implement the UserDetailsService interface to implement this class.

@Service
public class CustomUserDetailsService implements UserDetailsService {
    @Autowired
    private UserRepository userRepository;
    
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("User not found with username: " + username);
        }
        return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), getAuthorities(user.getRoles()));
    }
    
    private Collection<? extends GrantedAuthority> getAuthorities(Collection<Role> roles) {
        return roles.stream().map(role -> new SimpleGrantedAuthority(role.getName())).collect(Collectors.toList());
    }
}

3. Database Model
   You also need to create database tables to store user information. Two tables, users and roles, can be created.

CREATE TABLE users (
    id BIGINT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50) NOT NULL,
    password VARCHAR(100) NOT NULL
);

CREATE TABLE roles (
    id BIGINT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(50) NOT NULL
);

CREATE TABLE user_roles (
    user_id BIGINT,
    role_id BIGINT,
    FOREIGN KEY (user_id) REFERENCES users(id),
    FOREIGN KEY (role_id) REFERENCES roles(id),
    PRIMARY KEY (user_id, role_id)
);

4. User login
   Configure the login page as the Spring Security login page.

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
    
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }
    
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

3. Authorization
After successful user authentication, you can use Spring Security for permission management.

1. Configuration file
   You can implement access control to specific URLs by configuring URL rules and access permissions.

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").access("hasRole('ADMIN')")
                .anyRequest().authenticated();
    }
}

2. Annotation authorization
   Annotation-based authorization can be used.

@RestController
@RequestMapping("/api")
public class ApiController {
    @PreAuthorize("hasRole('USER')")
    @GetMapping("/users")
    public List<User> getUsers() {
        // code here
    }
    
    @PreAuthorize("hasRole('ADMIN')")
    @PostMapping("/user")
    public User createUser(@RequestBody User user) {
        // code here
    }
}

Conclusion:
Using Spring Security, user authentication and permission management can be easily achieved. This article introduces how to use the Spring Security framework to configure authentication and authorization providers, authenticate users by customizing user details service classes and database models, and manage permissions by configuring URL rules and annotations. I hope this article will help you understand and use the authentication and authorization framework in Java.

Reference:

1. Spring Security official documentation: https://docs.spring.io/spring-security/site/docs/5.4.1/reference/html5/

The above is the detailed content of How to use the authentication and authorization framework in Java to implement user authentication and permission management?. For more information, please follow other related articles on the PHP Chinese website!