实战前理论讲解
要想达到这个目的,主要是实现一个接口:UserDetailsService。
然后,把这个类配置到SpringSecurity的配置文件中。
这个接口只有一个方法:
/**
 * Returns the account data Spring Security checks a login attempt against:
 * the user name, the stored password and the authorities the user holds.
 *
 * @param username the login name submitted on the login page
 * @return the matching {@code UserDetails}; the contract expects a non-null value
 * @throws UsernameNotFoundException if no account exists for {@code username}
 */
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException{
}
这个方法的作用就是返回用户的相关信息包括用户名和密码还有该用户拥有的权限信息。
返回的这些信息将会被用作SpringSecurity验证用户登录信息的标准,即这个方法返回的用户名和密码,将会和在用户登录界面接收到的信息进行比对。这些权限信息也会被保存到SpringSecurity自身的其它类中,在以后访问页面时将会用来验证当前用户的权限。
所以经过上面的分析,我们就能够知道,我们可以在这个类中写数据库访问的逻辑。
通常我们数据库的表结构,有以下五个就够了。
user(username 主键 , password)
role(rid 主键 , rname , rdescription)
user_role(urid 主键 , username 外键 , rid 外键)
res(res_id 主键 , res_url , res_description)
res_role(res_r_id 主键 , res_id 外键 , r_id 外键)
实现UserDetailsService
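/**
 * Created by Administrator on 2017/8/9.
 *
 * Loads login data for Spring Security from the database: the stored password of the
 * account plus one {@link SimpleGrantedAuthority} per role name returned by
 * {@code userRoleMapper}. The returned {@link User} is what the authentication
 * provider compares the submitted credentials against.
 */
@Component("customUserService")
public class CustomUserService implements UserDetailsService {

    @Autowired
    private UserMapper userMapper;

    @Autowired
    private UserRoleMapper userRoleMapper;

    /**
     * Looks up {@code username} and its roles.
     *
     * @param username the login name submitted on the login page
     * @return a non-null {@link User} carrying the stored password and the role names as
     *         authorities; every account-state flag is fixed to "valid"
     * @throws UsernameNotFoundException if no account, or no role list, exists for
     *         {@code username}. The {@link UserDetailsService} contract forbids returning
     *         {@code null}; the provider reports a null return as an internal error, not as
     *         a failed login.
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserCustom requestMessage = new UserCustom(username, "");
        cn.domarvel.po.User resultUser = userMapper.findUserByUsername(requestMessage);
        if (resultUser == null) {
            // Unknown account: signal it through the exception the signature declares
            // instead of returning null. The login still fails, as before.
            throw new UsernameNotFoundException("No account found for username: " + username);
        }

        List<Role> roles = userRoleMapper.findRolesByUsername(requestMessage);
        if (roles == null) {
            // The original returned null here as well; keep the outcome (login rejected)
            // while honouring the interface contract.
            throw new UsernameNotFoundException("No roles found for username: " + username);
        }

        // Authority names are taken verbatim from the role table. The RoleVoter in this
        // page's XML configuration uses rolePrefix "ROLE_", so only role names carrying
        // that prefix take part in its vote — confirm the stored rname values do.
        Collection<GrantedAuthority> authorities = new ArrayList<>(roles.size());
        for (Role role : roles) {
            authorities.add(new SimpleGrantedAuthority(role.getRname()));
        }

        // The stored password is handed over unchanged. It has to be in whatever form the
        // configured PasswordEncoder expects; the XML on this page declares none, so the
        // provider compares it directly with the submitted value.
        boolean enabled = true;
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        boolean accountNonLocked = true;
        return new User(username, resultUser.getPassword(), enabled, accountNonExpired,
                credentialsNonExpired, accountNonLocked, authorities);
    }
}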
配置 SpringSecurity文件
<!-- User / role lookup: the provider delegates to the customUserService bean above.
     No <security:password-encoder> is declared inside the provider, so the stored
     password is compared with the submitted one as-is. -->
<security:authentication-manager alias="authenticationManagerw">
    <security:authentication-provider user-service-ref="customUserService">
    </security:authentication-provider>
</security:authentication-manager>
完整的配置文件:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- Resources that bypass the security filter chain entirely (static files and
         login-related pages). security="none" means no authentication, no authorization
         and no session handling for these patterns, so nothing served under them may
         require a logged-in user. -->
    <security:http pattern="/**/*.css" security="none"></security:http>
    <security:http pattern="/**/*.jpg" security="none"></security:http>
    <security:http pattern="/**/*.jpeg" security="none"></security:http>
    <security:http pattern="/**/*.gif" security="none"></security:http>
    <security:http pattern="/**/*.png" security="none"></security:http>
    <security:http pattern="/**/*.js" security="none"></security:http>
    <security:http pattern="/login.jsp" security="none"></security:http>
    <security:http pattern="/index.jsp" security="none"></security:http>
    <security:http pattern="/getCode" security="none" /><!-- captcha endpoint is not filtered -->
    <!-- Everything under /test/ is unprotected; remove this before the application is exposed
         beyond development. -->
    <security:http pattern="/test/**" security="none"></security:http><!-- test content is not filtered -->

    <!-- Resource access rules. No intercept-url entries appear here: URL-to-role mapping is
         done by the custom filterSecurityInterceptor registered below, which reads it from the
         database via securityMetadataSource. -->
    <security:http auto-config="true" use-expressions="false">
        <security:custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR"/>
        <!-- Logout -->
        <!-- Sometimes the session does not expire even after Tomcat is restarted; in that
             case make logout invalidate the session and drop the JSESSIONID cookie. -->
        <security:logout logout-url="/logoutSecurity" invalidate-session="true" delete-cookies="JSESSIONID"/>
        <!-- Original note: when logout is configured, the logout link returns 404 unless
             csrf is disabled. The reason is that with CSRF protection on, Spring Security
             accepts logout only as a POST; a plain GET link to /logoutSecurity is not matched.
             disabled="true" switches CSRF protection off for every request handled by this
             <http> element, not just logout. The alternative that keeps the protection is to
             submit logout as a POST form that carries the CSRF token. -->
        <security:csrf disabled="true"/>
    </security:http>

    <!-- User / role lookup: the provider delegates to the customUserService bean.
         No <security:password-encoder> is declared, so the stored password is compared
         with the submitted one as-is. -->
    <security:authentication-manager alias="authenticationManagerw">
        <security:authentication-provider user-service-ref="customUserService">
        </security:authentication-provider>
    </security:authentication-manager>

    <!-- Access decision: AffirmativeBased grants access as soon as one voter says yes. -->
    <bean id="MyaccessManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg name="decisionVoters">
            <list>
                <ref bean="roleVoter"/>
                <ref bean="authVoter"/>
            </list>
        </constructor-arg>
    </bean>

    <!-- RoleVoter only considers authorities whose name starts with this prefix, so the role
         names loaded by CustomUserService must begin with ROLE_ to count. -->
    <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
        <property name="rolePrefix" value="ROLE_"/>
    </bean>
    <bean id="authVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/>

    <!-- Project class that supplies the URL -> required-role mapping. -->
    <bean id="securityMetadataSource" class="cn.domarvel.springsecurity.model.URLFilterInvocationSecurityMetadataSource" />

    <!-- URL rules managed from the database -->
    <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="accessDecisionManager" ref="MyaccessManager"></property>
        <property name="authenticationManager" ref="authenticationManagerw"></property>
        <property name="securityMetadataSource" ref="securityMetadataSource"></property>
    </bean>
</beans>