Spring Security --- 权限控制安全框架入门简介

一、Spring Security简介

 

Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean，充分利用了Spring IoC，DI（控制反转Inversion of Control ,DI:Dependency Injection 依赖注入）和AOP（面向切面编程）功能，为应用系统提供声明式的安全访问控制功能，减少了为企业系统安全控制编写大量重复代码的工作。

 

二、入门案例

 

1、引入Jar

 

<dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>spring-security-web</artifactId>
                <version>4.1.0.RELEASE</version>
            </dependency>
            <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>spring-security-config</artifactId>
                <version>4.1.0.RELEASE</version>
            </dependency>

2、web.xml配置

 

 

<context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring/spring-security.xml</param-value>
    </context-param>
    <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

3、spring-security.xml配置

 

 

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
						http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd
						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- 不登录可以访问 -->
    <!--<http pattern="/favicon.ico" security="none" ></http>-->
    <http pattern="/*.html" security="none" ></http>
    <http pattern="/css/**" security="none" ></http>
    <http pattern="/img/**" security="none" ></http>
    <http pattern="/js/**" security="none" ></http>
    <http pattern="/plugins/**" security="none" ></http>
    <http pattern="/seller/add.do" security="none" ></http>

    <!--配置页面的拦截规则 use-expressions是否启用SPEL表达式，默认true -->
    <http use-expressions="false">
        <!-- 如果不加use-expressions="false"，则intercept-url中的access需要写成hasRole('ROLE_USER') -->
        <!-- 当前用户必须有ROLE_USER的角色，才可以访问根目录及所有子目录的资源 -->
        <intercept-url pattern="/**" access="ROLE_SELLER"/>

        <!-- 开启表达登录功能 -->
        <!--
            参数说明：
            login-processing-url : 配置登录提交的action，默认/login
            login-page : 配置登录的页面
            default-target-url : 登录成功后的访问页
            authentication-failure-url : 登录失败的跳转页
            username-parameter : 指定用户名<input>的name属性值，默认username
            password-parameter : 指定密码<input>的name属性值，默认password

            注意：页面上的form表单的method必须是post
        -->
        <form-login login-page="/shoplogin.html" default-target-url="/admin/index.html"
                    authentication-failure-url="/shoplogin.html" always-use-default-target="true"/>

        <!-- 关闭csrf验证 -->
        <csrf disabled="true"/>

        <!--spring security默认拦截内置框架页，如iframe，需要如下配置取消拦截 -->
        <headers>
            <frame-options policy="SAMEORIGIN"/>
        </headers>

        <!-- 退出
            参数说明；
            logout-url退出地址，默认/logout
            logout-success-url退出成功的访问地址
         -->
        <logout/>
    </http>

    <!-- 认证管理器 -->
    <authentication-manager>
        <!-- 提供者 -->
        <authentication-provider user-service-ref="userDetailService">
            <password-encoder ref="bCryptPasswordEncoder"></password-encoder>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="userDetailService" class="com.xxx.shop.service.UserDetailsServiceImpl">
        <beans:property name="sellerService" ref="sellerService"></beans:property>
    </beans:bean>

    <!-- 引用dubbo 服务 -->
    <dubbo:application name="xxx-shop-web" />
    <dubbo:registry address="zookeeper://192.168.25.128:2181"/>
    <!-- 通过接口去匹配dubbox上的实现类，并返回实现类，完成远程属性注入 -->
    <dubbo:reference id="sellerService" interface="com.xxx.sellergoods.service.SellerService"></dubbo:reference>

    <beans:bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"></beans:bean>

</beans:beans>

4、UserDetailsServiceImpl实现类

 

 

package com.xxx.shop.service;

import com.xxx.pojo.TbSeller;
import com.xxx.sellergoods.service.SellerService;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import java.util.ArrayList;
import java.util.List;

public class UserDetailsServiceImpl implements UserDetailsService{

    private SellerService sellerService;

    public void setSellerService(SellerService sellerService) {
        this.sellerService = sellerService;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        System.out.println("UserDetailsServiceImpl");

        // 构建角色列表
        List<GrantedAuthority> grantAuths = new ArrayList<>();
        grantAuths.add(new SimpleGrantedAuthority("ROLE_SELLER"));

        TbSeller seller = sellerService.findOne(username);
        if (seller != null)
            if (seller.getStatus().equals("1"))
                return new User(username,seller.getPassword(),grantAuths);

        return null;

    }
}

参考资料：

 

http://blog.csdn.net/bao19901210/article/details/52574340