我们接着上一章 (三)Spring Security增加验证码验证,进行开发
一:核心组件值之UserDetails
UserDetails => Spring Security基础接口,包含某个用户的账号,密码,权限,状态(是否锁定)等信息。只有getter方法。
Authentication => 认证对象,认证开始时创建,认证成功后存储于SecurityContext
principal => 用户信息对象,是一个Object,通常可转为UserDetails
public class SecurityUser extends User implements UserDetails {
private static final long serialVersionUID = -8086897203124221305L;
private static final Logger log = LoggerFactory.getLogger(SecurityUser.class);
SecurityUser(User user){
if (user != null){
this.setUserId(user.getUserId());
this.setUsername(user.getUsername());
this.setPassword(user.getPassword());
this.setRealname(user.getRealname());
this.setSex(user.getSex());
this.setRoles(user.getRoles());
}
}
/**
* 权限集合
* @return
*/
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
Collection<GrantedAuthority> authorities = new ArrayList<>();
Set<Role> roles = this.getRoles();
if(roles != null){
for (Role role : roles) {
SimpleGrantedAuthority authority = new SimpleGrantedAuthority(role.getRolename());
authorities.add(authority);
}
}
log.info("获取登录用户已具有的权限:{}", authorities.toString());
return authorities;
}
/**
* 指示用户的账户是否已过期。无法验证过期的账户。
* @return 如果用户的账户有效(即未过期),则返回true,如果不在有效就返回false
*/
@Override
public boolean isAccountNonExpired() {
return true;
}
/**
* 指示用户是锁定还是解锁。无法对锁定的用户进行身份验证。
* @return 如果用户未被锁定,则返回true,否则返回false
*/
@Override
public boolean isAccountNonLocked() {
return true;
}
/**
* 指示用户的凭证(密码)是否已过期。过期的凭证阻止身份验证
* @return 如果用户的凭证有效(即未过期),则返回true
* 如果不在有效(即过期),则返回false
*/
@Override
public boolean isCredentialsNonExpired() {
return true;
}
/**
* 指示用户是启用还是禁用。无法对禁用的用户进行身份验证
* @return 如果启用了用户,则返回true,否则返回false
*/
@Override
public boolean isEnabled() {
return true;
}
}
二:核心组件值之UserDetailsService
UserDetailsService用来加载用户的信息,没有其他的功能
默认实现:
UserDetailsService => UserDetailsManager => InMemoryUserDetailsManager => 存储于内存
UserDetailsService => JdbcDaoImpl => 存储于数据库(磁盘)
@Component
public class CustomUserDetailsService implements UserDetailsService {
private static final Logger LOGGER = LoggerFactory.getLogger(CustomUserDetailsService.class);
private final UserService userService;
@Autowired
public CustomUserDetailsService(UserService userService) {
this.userService = userService;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
LOGGER.info("对用户 [{}] 进行信息加载...",username);
/* 从数据库里面查出用户 */
User user = userService.findUserByUsername(username);
if(user==null){
LOGGER.error("用户 [{}] 未找到",username);
throw new UsernameNotFoundException("Username:["+username+"] not found");
}
LOGGER.info("用户 [{}] 信息加载完成",username);
// SecurityUser 实现UserDetails
return new SecurityUser(user);
}
}
三:WebSecurityConfig配置userDetailsService
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
/* 向DaoAuthenticationProvider提交用户信息 */
}
示例