</security:authentication-provider>
</security:authentication-manager>
在这里,您执行SQL查询以从数据库中的“users”表中获取用户名和密码。
类似地,用户名的授权权限也从“user_roles”数据库表中获取。
在这里您可以注意到我在<security:authentication-provider>标记中提到了user-service-ref =“loginService”。
spring安全性将使用名为“loginService”的存储库服务获取身份验证。
我们可以为我们的登录服务创建数据访问对象接口和实现。
比如:我们创建一个名为“LoginDAO.java”的接口java类
package com.stiti.dao;
import com.stiti.model.AppUser;
public interface LoginDAO {
Object findUserByUsername(String username);
}
com.stiti.model.AppUser和 AppUserRole是Model类。
您可以使用自己的方式获取数据库用户和用户角色表并定义 *findUserByUsername(String username)*函数体。
*findUserByUsername(String username)*返回AppUser类型对象。
package com.stiti.dao.impl;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.HibernateException;
import org.springframework.stereotype.Repository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.transaction.annotation.Transactional;
import com.stiti.dao.LoginDAO;
import com.stiti.model.AppUser;
import com.stiti.model.AppUserRole;
/**
- @author Stiti Samantray
*/
@Repository(“loginDao”)
@Transactional
public class LoginDAOImpl implements LoginDAO {
@Autowired
SessionFactory sessionFactory;
/**
- Finds the AppUser which has a matching username
- @param username
- @return
*/
@Override
public AppUser findUserByUsername( String username )
{
Session session = sessionFactory.getCurrentSession();
List users = new ArrayList();
List userData = new ArrayList();
Set userRoles = new HashSet(0);
try {
String hql = “FROM AppUser U WHERE U.username = :username”;
org.hibernate.Query query = session.createQuery(hql)
.setParameter(“username”, username);
users = query.list();
} catch (HibernateException e) {
System.err.println("ERROR: "+ e.getMessage());
}
AppUser user = null;
if(users.size() > 0) {
user = (AppUser) users.get(0);
// Get the user roles
try {
String hql = “FROM AppUserRole R WHERE R.username = :username”;
org.hibernate.Query query = session.createQuery(hql)
.setParameter(“username”, username);
userRoles = new HashSet(query.list());
} catch (HibernateException e) {
// You can log the error here. Or print to console
}
user.setUserRole(userRoles);
}
return user;
}
}
findUserByUsername(String username) 返回AppUser类型对象。
package com.stiti.service;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import com.stiti.model.AppUser;
import com.stiti.model.AppUserRole;
import com.stiti.dao.LoginDAO;
/**
- This class gets the appuser information from the database and
- populates the “org.springframework.security.core.userdetails.User” type object for appuser.
- @author Stiti Samantray
*/
@Service(“loginService”)
public class LoginServiceImpl implements UserDetailsService {
@Autowired
private LoginDAO loginDao;
/**
- @see UserDetailsService#loadUserByUsername(String)
*/
@Override
public UserDetails loadUserByUsername( String username ) throws UsernameNotFoundException
{
AppUser user = (AppUser) loginDao.findUserByUsername(username);
List authorities = buildUserAuthority(user.getUserRole());
return buildUserForAuthentication(user, authorities);
}
private List buildUserAuthority(Set appUserRole) {
Set setAuths = new HashSet();
// Build user’s authorities
for (AppUserRole userRole : appUserRole) {
System.out.println(“****” + userRole.getUserRole());
setAuths.add(new SimpleGrantedAuthority(userRole.getUserRole()));
}
List Result = new ArrayList(setAuths);
return Result;
}
private User buildUserForAuthentication(AppUser user, List authorities) {
return new User(user.getUsername(), user.getPassword(), true, true, true, true, authorities);
}
}
编写Spring MVC应用程序的Controller
现在我们需要编写Spring MVC应用程序的Controller。
我们需要在Controller类中为应用程序的主路径定义一个RequestMapping方法,该路径在我的示例“/”中。当用户打开应用程序URL例如“http://www.example.com/”时,执行为该请求映射定义的以下方法“loadHomePage()”。在此方法中,它首先获得对此URL的用户身份验证和授权。
Spring-security将首先检查spring配置中的<security:intercept_url>,以查找允许访问此url路径的角色。在此示例中,它查找允许具有角色“USER”的用户访问此URL路径。如果用户有一个角色= USER,那么它将加载主页。
否则,如果它是匿名用户,则spring安全校验会将它重定向到登录页面。
package com.stiti.controller;
import java.util.HashSet;
import java.util.Set;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttributes;
@Controller
@SessionAttributes(value={“accountname”}, types={String.class})
public class HomeController {
@SuppressWarnings(“unchecked”)
@RequestMapping(value=“/”, method = RequestMethod.GET)
public String executeSecurityAndLoadHomePage(ModelMap model) {
String name = null;
Set role = new HashSet();
//check if user is login
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (!(auth instanceof AnonymousAuthenticationToken)) {
// Get the user details
UserDetails userDetail = (UserDetails) auth.getPrincipal();
name = userDetail.getUsername();
role = (Set) userDetail.getAuthorities();
}
// set the model attributes
model.addAttribute(“accountname”, name);
model.addAttribute(“userRole”, role);
// go to Home page
return “Home”;
}
}
在我们的Controller类中定义RequestMapping方法以加载自定义“登录页面”,前提是您在Spring <security:http> <security:form-login …>标记中提到了自定义登录页面URL。否则无需为Login页面定义任何控制器方法,spring会自动将用户带到spring-security的默认登录表单页面,这是一个由spring-security本身编写的简单JSP页面。
// Show Login Form
@RequestMapping(value=“/login”, method = RequestMethod.GET)
public String login(ModelMap model,
@RequestParam(value=“error”,defaultValue=“”) String error) {
// If fails to login
if (!error.isEmpty()){
model.addAttribute(“error”, “true”);
}
return “Login”;
}
在我们的Controller类中为spring-security config中<security:logout>标记中定义的“logout-success-url”定义一个方法。对于此示例,我将“logout-success-url”定义为“/ logout”。
// Logout page
@RequestMapping(value=“/logout”, method = RequestMethod.GET)
public String logout(ModelMap model) {
return “Login”;
}
在Login.jsp中写入Login表单
现在让我们看一下登录表单中Login.jsp应包含的内容。
User: |