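In the previous post, the user information was configured inside spring-security and the login page was the one that security ships with. Next we integrate MyBatis: user and permission information will of course be read from the database, and in addition the login page will be a custom one.
Step 1:
First, write a custom login page: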
<form method="post" class="am-form" action="<%=path%>/j_spring_security_check">
    <label for="email">用户名:</label>
    <input type="text" name="j_username">
    <br>
    <label for="password">密码:</label>
    <input type="password" name="j_password" id="password">
    <br>
    <label for="remember-me">
        <input id="remember-me" type="checkbox">
        记住密码
    </label>
    <br />
    <div class="am-cf">
        <input type="submit" name="submit" value="登 录" class="am-btn am-btn-primary am-btn-sm am-fl">
        <input type="submit" onclick="forget();" value="忘记密码 ^_^? " class="am-btn am-btn-default am-btn-sm am-fr">
    </div>
</form>
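Note that we are still using security's own login verification, so the name values of the input fields must be: j_username, j_password
Then modify the configuration file; only one line needs to be added (the form-login line):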
<http auto-config="true">
    <intercept-url pattern="/main.jsp" access="ROLE_SALE"/>
    <access-denied-handler error-page="/error.jsp"/>
    <form-login login-page="/index.jsp" default-target-url="/main.jsp"/>
</http>
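Start the project and try it:
It works.
Step 2
First create three simple tables in the database: user, role, user_role
user: id username password
role: id name roleKey enable
user_role: id userId(FK) roleId(FK) ---- join table
Add the MyBatis jar and the MySQL driver jar, and add the MyBatis configuration file spring-security.xml (there is plenty of material on this configuration file, so it is not written out here);
Make a small change to web.xml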
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        classpath:spring-security.xml,classpath:spring-mybatis.xml
    </param-value>
</context-param>
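Add User.java, Role.java, UserDao, RoleDao, UserService and RoleService to the project
Step 3
To read users, permissions and so on from the database for login verification, we need to write a class that implements the UserDetailsService interface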
package org.advancingCat.security;

import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.advancingCat.entity.Role;
import org.advancingCat.service.RoleService;
import org.advancingCat.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class MyUserService implements UserDetailsService {

    @Autowired
    private UserService userService;

    @Autowired
    private RoleService roleService;

    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException {
        org.advancingCat.entity.User dbUser = null;
        try {
            // Look up the application's own User entity by login name
            dbUser = userService.queryByName(username);
        } catch (Exception e) {
            // A failed lookup leaves dbUser null and is reported as "user not found" below
            e.printStackTrace();
        }
        if (dbUser == null) {
            throw new UsernameNotFoundException("用户名不存在");
        }
        Collection<GrantedAuthority> grantedAuth = getGrantedAuth(dbUser);
        // Spring Security's User; the four flags are enabled, accountNonExpired,
        // credentialsNonExpired and accountNonLocked
        UserDetails user = new User(dbUser.getUsername(), dbUser.getPassword(),
                true, true, true, true, grantedAuth);
        return user;
    }

    /**
     * Gets the user's roles: the roleKey field of each role is wrapped into a Set<GrantedAuthority>.
     * @param user the user entity loaded from the database
     * @return the authorities granted to the user (empty if the role lookup fails)
     */
    private Set<GrantedAuthority> getGrantedAuth(org.advancingCat.entity.User user) {
        Set<GrantedAuthority> authSet = new HashSet<GrantedAuthority>();
        try {
            List<Role> roleList = roleService.queryByUserId(user.getId());
            for (Role r : roleList) {
                authSet.add(new SimpleGrantedAuthority(r.getRoleKey()));
            }
        } catch (Exception e) {
            // On failure the user ends up with no authorities
            e.printStackTrace();
        }
        return authSet;
    }
}
Here queryByUserId fetches the set of roles for a user by user ID (a user sometimes has more than one role). The Role mapper file:
<select id="queryByUserId" resultMap="BaseResultMap" parameterType="java.lang.Integer">
    select name,roleKey from role r left join user_role ur on r.id=ur.roleId
    where ur.userId=#{userId}
</select>
Modify spring-security.xml, removing the earlier <user-service>
<authentication-manager>
    <authentication-provider user-service-ref="myUserService">
    </authentication-provider>
</authentication-manager>
<beans:bean id="myUserService" class="org.advancingCat.security.MyUserService">
</beans:bean>
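As configured above, the authentication-provider declares no password-encoder, so the password value that MyUserService returns from the user table is compared with the submitted j_password as plain text. The following is an added example, not part of the original post, showing the same provider with a bcrypt encoder; the bean id bcryptEncoder is an assumed name, and it assumes Spring Security 3.1 or later, where BCryptPasswordEncoder is available.

```xml
<!-- Added example, not from the original post. The bean id "bcryptEncoder" is an assumed name. -->
<beans:bean id="bcryptEncoder"
            class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <!-- bcrypt cost factor (log2 of the number of rounds); 10 is the library default -->
    <beans:constructor-arg value="10"/>
</beans:bean>

<authentication-manager>
    <authentication-provider user-service-ref="myUserService">
        <!--
            The submitted j_password is now verified against the bcrypt hash that
            MyUserService.loadUserByUsername() passes through from user.password.
            Consequences for the tables from step 2:
              * user.password must hold a bcrypt hash, which is 60 characters long,
                so the column has to be at least that wide;
              * rows that still contain plain-text passwords stop matching and
                must be re-hashed with the same encoder before they can log in.
        -->
        <password-encoder ref="bcryptEncoder"/>
    </authentication-provider>
</authentication-manager>

<beans:bean id="myUserService" class="org.advancingCat.security.MyUserService"/>
```

MyUserService itself does not change: it keeps returning the stored value, and the provider does the hash comparison.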