之前说在springSecurity.xml文件中用户名和密码不会固定死,需要从数据库中查询,需要在service层实现UserDetailSerive接口,重写方法loadUserByUsername方法.完成调用dao层实现和数据库的交互.
1.UserDetailService实现类的编写.
a.返回值如果为null,用户登陆都会失败;
b.查询数据库后,返回密码和springscurity的上下问中比较密码是否匹配.
public class UserDetailsServiceImpl implements UserDetailsService {
private LoginService loginService;
public void setLoginService (LoginService loginService) {
this.LoginService = loginService;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
System.out.println("经过userdetailsServiceImpl");
List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
grantedAuths.add(new SimpleGrantedAuthority("ROLE_loginUser"));
User user = loginService.findOne(username);
if (seller!=null) {
if ("1".equals(user.getStatus())) {
return new User(username,user.getPassword(),grantedAuths);
}
}
return null;
}
}
2.springSecurity.xml配置文件的编写
a.只需要修改认证管理器中的类容,
b.利用dubbo引入service实现和数据库的交互.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- 设置页面不登陆也可以访问 -->
<http pattern="/*.html" security="none"></http>
<http pattern="/css/**" security="none"></http>
<http pattern="/img/**" security="none"></http>
<http pattern="/js/**" security="none"></http>
<http pattern="/plugins/**" security="none"></http>
<http pattern="/seller/add.do" security="none"></http>
<!-- 页面的拦截规则 use-expressions:是否启动SPEL表达式 默认是true -->
<http use-expressions="false">
<!-- 当前用户必须有ROLE_USER的角色 才可以访问根目录及所属子目录的资源 -->
<intercept-url pattern="/**" access="ROLE_userLogin"/>
<!-- 开启表单登陆功能 -->
<form-login login-page="/shoplogin.html" default-target-url="/admin/index.html" authentication-failure-url="/shoplogin.html" always-use-default-target="true"/>
<csrf disabled="true"/>
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
<logout/>
</http>
<!-- 认证管理器 -->
<authentication-manager>
<authentication-provider user-service-ref="userDetailService">
</authentication-provider>
</authentication-manager>
<!-- 认证类 -->
<beans:bean id="userDetailService" class="com.pinyougou.service.UserDetailsServiceImpl">
<beans:property name="userService" ref="userService"></beans:property>
</beans:bean>
<!-- 引用dubbo 服务 -->
<dubbo:application name="maven-demo" />
<dubbo:registry address="zookeeper://192.168.25.129:2181"/>
<dubbo:reference id="userService" interface="com.maven.demo.service.UserService"></dubbo:reference>
</beans:beans>
spring security里面的四个重要的类
1、UserDetailsService 读取登录用户信息、权限
2、AbstractSecurityInterceptor 这个类是用来继承的,还要实现servler的Filter,作用过滤url
3、FilterInvocationSecurityMetadataSource 读取url资源
4、AccessDecisionManager 控制访问权限