1.Spring Security 的前身是 Acegi Security ,是 Spring 项目组中用来提供安全认证服务的框架
2.安全包括两个主要操作。
“认证”,是为用户建立一个他所声明的主体。主题一般式指用户,设备或可以在你系统中执行动作的其他系统。
“授权”指的是一个用户能否在你的应用中执行某个操作,在到达授权判断之前,身份的主题已经由身份验证过程建立了。
需求:用户登陆后台不仅仅需要用户名和密码 ,并且需要相应的权限(如:authorities="ROLE_USER"才可以登陆)
4.环境搭建
1>Maven依赖
<properties> <spring.security.version>5.0.1.RELEASE</spring.security.version> </properties> <!--spring security授权认证.jar --> < dependencies> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>${spring.security.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>${spring.security.version}</version> </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>3.1.0</version> <scope>provided</scope> </dependency> < /dependencies>
2>web.xml
<!--配置Spring的监听器,默认只加载WEB-INF目录下的applicationContext.xml配置文件 --> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <!--设置配置文件的路径 --> <context-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:applicationContext.xml,classpath:spring-security.xml</param-value> </context-param> <!--spring-serurity的过滤器 --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
3>spring-security.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <!-- 配置不拦截的资源 --> <security:http pattern="/login.jsp" security="none"/> <security:http pattern="/failer.jsp" security="none"/> <security:http pattern="/css/**" security="none"/> <security:http pattern="/img/**" security="none"/> <security:http pattern="/plugins/**" security="none"/> <!-- 配置具体的规则 auto-config="true" 不用自己编写登录的页面,框架提供默认登录页面 use-expressions="false" 是否使用SPEL表达式(没学习过) --> <security:http auto-config="true" use-expressions="false"> <!-- 配置具体的拦截的规则 pattern="请求路径的规则" access="访问系统的人,必须有ROLE_USER的角色" --> <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/> <!-- 定义跳转的具体的页面 --> <security:form-login
//那个页面发起的long请求 login-page="/WEB-INF/pages/login.jsp"
//匹配请求 login-processing-url="/login
//默认目标地址 default-target-url="/index.jsp"
//失败跳转地址 authentication-failure-url="/failer.jsp"
//成功跳转地址 authentication-success-forward-url="/WEB-INF/pages/main.jsp" /> <!-- 关闭跨域请求 --> <security:csrf disabled="true"/> <!-- 退出 --> <security:logout invalidate-session="true" logout-url="/logout" logout-success-url="/login.jsp" /> </security:http> <!-- 切换成数据库中的用户名和密码 --> <security:authentication-manager> <security:authentication-provider user-service-ref="userService"> <!-- 配置加密的方式 <security:password-encoder ref="passwordEncoder"/>--> </security:authentication-provider> </security:authentication-manager> <!-- 配置加密类 --> <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/> <!-- 提供了入门的方式,在内存中存入用户名和密码 <security:authentication-manager> <security:authentication-provider> <security:user-service> <security:user name="admin" password="{noop}admin" authorities="ROLE_USER"/> </security:user-service> </security:authentication-provider> </security:authentication-manager> --> </beans>
5. <security:authentication-provider user-service-ref="userService">
userService 需要继承UserDatailsService
public interface UserService extends UserDetailsService{ }
6.userServiceImpl
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { UserInfo userInfo = userDao.findByUserName(username);
//不需要对用户的状态进行判断的3个参数即可(username,password,Authority) // User user = new User(userInfo.getUsername(), "{noop}" + userInfo.getpassword(),getAuthority(userInfo.getRoles()));
//对用户状态进行判断 User user = new User(userInfo.getUsername(), "{noop}" + userInfo.getpassword(), userInfo.getStatus() == 0 ? false : true, true, true, true, getAuthority(userInfo.getRoles())); System.out.println(userInfo); return user; }
//将userInfo对象转化成Collection<? extends GrantedAuthority> authorities public List<SimpleGrantedAuthority> getAuthority(List<Role> roles) {
ArrayList<SimpleGrantedAuthority> list = new ArrayList<SimpleGrantedAuthority>(); for (Role role : roles) { list.add(new SimpleGrantedAuthority("ROLE_" + role.getRoleName())); } return list; }
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。