#项目架构、功能点
架构:
- Springboot2.5.+
- MySQL数据库8.0+(记录用户信息、角色清单、用户角色对照表)
- 持久层Mybatis
- 用户注册页面RegisterPage采用Thymeleaf动态网页
- 登录页面Login采用SpringSecurity标准表单登录网页
功能点:
- 实现用户自助注册登录
- 实现用户自助选择角色
- 用户信息、角色清单、用户角色对照表采用SpringSecurity标准架构
- 用户密码采用SpringSecurity首推的BCryptPasswordEncoder加密算法记录
- 实现登陆后URL访问与角色对应
#用户自助注册及登录流程图
#项目文件结构、数据库设计、Maven依赖、aplication配置
文件结构:
数据库设计:
user表,记录用户信息
role表,记录角色清单
user_role表,用户角色对照表
Maven依赖:
<!--Spring Security-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!--mybatis-->
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.2.0</version>
</dependency>
<!--Mysql-->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<!--Thymeleaf-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>因为使用Mybatis,所以build要添加XML资源目录,否则编译会缺少UserMapper.XML。
<resources>
<resource>
<!-- XML默认是放在resource下面,如果有自定义,需要把resource加上 -->
<directory>src/main/java</directory>
<includes>
<include>**/*.xml</include>
</includes>
</resource>
<resource>
<directory>src/main/resources</directory>
</resource>
</resources>aplication配置:
#datasource mybatis配置--------------------------------
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/jpa?characterEncoding=UTF-8
spring.datasource.username=root
spring.datasource.password=12345678
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
#datasource mybatis配置--------------------------------
#thymeleaf配置--------------------------------
spring.thymeleaf.cache=true
spring.thymeleaf.checktemplate=true
spring.thymeleaf.check-template-location=true
spring.thymeleaf.encoding=UTF-8
spring.thymeleaf.servlet.content-type=text/html
spring.thymeleaf.suffix=.html
spring.thymeleaf.prefix=classpath:/templates/
#Thymeleaf配置--------------------------------#用户前端注册页面registerPage.html代码(Thymeleaf模板动态网页)
这里通过用户注册接口registerController去数据库查询角色清单(role表),将查询结果写入roles集合中,通过Thymeleaf模板进行调用并加入select-option选择列表,供用户注册时选择某一角色。
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>新用户注册</title>
</head>
<body>
<h2 align="center">新用户注册</h2>
<hr width="40%" color="gray"/>
<form action="/doregister" method="post" enctype="application/x-www-form-urlencoded">
<table width="40%" bgcolor="gray" align="center">
<tr>
<td align="right">用户名:</td>
<td>
<input type="text" name="username" size="25px" maxlength="10" placeholder="请输入用户名最长10位" required/>
</td>
</tr>
<tr>
<td align="right">密码:</td>
<td>
<input type="password" name="password" size="25px" maxlength="20" placeholder="请输入密码最长20位" required>
</td>
</tr>
<tr>
<td align="right">角色:</td>
<td>
<label>
<select name="role">
<option>--请选择角色--</option>
<option th:each="role:${roles}"
th:value="${role.id}"
th:text="${role.nameZH}"
th:selected="${role==role.id}"></option>
</select>
</label>
</td>
</tr>
<tr>
<td align="right">
<input type="submit" value="提交注册">
</td>
<td>
</td>
</tr>
</table>
</form>
</body>
</html>#实体类、Mybatis持久层接口、用户服务类、用户注册及登录接口
角色实体类Role:
package com.example.springsecurity.Entity;
import java.io.Serializable;
public class Role implements Serializable {
private Integer id;
private String name;
private String nameZH;
public Integer getId() {
return id;
}
public void setId(Integer id) {
this.id = id;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getNameZH() {
return nameZH;
}
public void setNameZH(String nameZH) {
this.nameZH = nameZH;
}
}用户实体类User(包含所具有的角色) :
该实体类主要用于用户登录,需要使用标准的UserDetails接口。
package com.example.springsecurity.Entity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
public class User implements UserDetails {
private Integer id;
private String username;
private String password;
private Boolean enabled;
private Boolean locked;
private List<Role> roles;
@Override
public Collection<? extends GrantedAuthority> getAuthorities(){
List<SimpleGrantedAuthority> authorities= new ArrayList<>();
for (Role r:roles){
authorities.add(new SimpleGrantedAuthority(r.getName()));
}
return authorities;
}
@Override
public String getPassword(){
return password;
}
@Override
public String getUsername(){
return username;
}
@Override
public boolean isAccountNonExpired(){
return true;
}
@Override
public boolean isAccountNonLocked(){
return true;
}
@Override
public boolean isCredentialsNonExpired(){
return true;
}
@Override
public boolean isEnabled(){
return true;
}
public Integer getId() {
return id;
}
public void setId(Integer id) {
this.id = id;
}
public void setUsername(String username) {
this.username = username;
}
public void setPassword(String password) {
this.password = password;
}
public Boolean getEnabled() {
return enabled;
}
public void setEnabled(Boolean enabled) {
this.enabled = enabled;
}
public Boolean getLocked() {
return locked;
}
public void setLocked(Boolean locked) {
this.locked = locked;
}
public List<Role> getRoles() {
return roles;
}
public void setRoles(List<Role> roles) {
this.roles = roles;
}
}用户注册实体类UserRegister(包含用户需要申请的角色) :
该实体类主要用于用户注册。
package com.example.springsecurity.Entity;
public class UserRegister {
private Integer id;
private String username;
private String password;
private Boolean enabled;
private Boolean locked;
private Integer role;
public Integer getId() {
return id;
}
public void setId(Integer id) {
this.id = id;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public Boolean getEnabled() {
return enabled;
}
public void setEnabled(Boolean enabled) {
this.enabled = enabled;
}
public Boolean getLocked() {
return locked;
}
public void setLocked(Boolean locked) {
this.locked = locked;
}
public Integer getRole() {
return role;
}
public void setRole(Integer role) {
this.role = role;
}
}Mybatis持久层接口:
主要包含UserMapper.xml和UserMapper interface,包含:
loadUserByUsername方法,通过用户名查询用户
getUserRolesByUid方法,通过用户ID获取用户所有角色
addUserByUsername方法,通过UserRegister实体类注册新用户
getAllRole方法,获取当前系统所有角色
addRole方法,通过用户ID和角色ID,给用户添加角色
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.example.springsecurity.Repository.UserMapper">
<select id="loadUserByUsername" resultType="com.example.springsecurity.Entity.User">
select * from user where username=#{username}
</select>
<select id="getUserRolesByUid" resultType="com.example.springsecurity.Entity.Role">
select * from role r,user_role ur where r.id=ur.rid and ur.uid=#{id}
</select>
<insert id="addUserByUsername" parameterType="com.example.springsecurity.Entity.UserRegister">
insert into user(username,password,enabled,locked) values(#{username},#{password},#{enabled},#{locked})
</insert>
<select id="getAllRole" resultType="com.example.springsecurity.Entity.Role">
select * from role
</select>
<insert id="addRole">
insert into user_role(uid,rid) values(#{uid},#{rid})
</insert>
</mapper>package com.example.springsecurity.Repository;
import com.example.springsecurity.Entity.Role;
import com.example.springsecurity.Entity.User;
import com.example.springsecurity.Entity.UserRegister;
import org.apache.ibatis.annotations.Mapper;
import java.util.List;
@Mapper
public interface UserMapper {
User loadUserByUsername(String username);
List<Role> getUserRolesByUid(Integer id);
int addUserByUsername(UserRegister userRegister);
List<Role> getAllRole();
int addRole(Integer uid,Integer rid);
}用户服务类UserService:
是上述接口方法的实现类,包含:
loadUserByUsername实现方法,用于查询用户以及所具有的角色
addUserByUsername实现方法,用于实现用户注册以及角色注册
getAllRole实现方法,用户查询所有角色清单
package com.example.springsecurity.Service;
import com.example.springsecurity.Entity.Role;
import com.example.springsecurity.Entity.User;
import com.example.springsecurity.Entity.UserRegister;
import com.example.springsecurity.Repository.UserMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
import java.util.List;
@Service
public class UserService implements UserDetailsService {
@Autowired
UserMapper userMapper;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException{
User user = userMapper.loadUserByUsername(username);
if(user == null){
throw new UsernameNotFoundException("账户不存在!");
}
user.setRoles(userMapper.getUserRolesByUid(user.getId()));
return user;
}
public String addUserByUsername(UserRegister userRegister){
User newuser = userMapper.loadUserByUsername(userRegister.getUsername());
if (newuser != null){
return "账户存在,注册失败!";
}else {
//新用户密码采用BCryptPasswordEncoder(10)格式存入数据库
userRegister.setPassword(new BCryptPasswordEncoder(10).encode(userRegister.getPassword()));
//设置用户状态可用,没有锁定
userRegister.setEnabled(true);
userRegister.setLocked(false);
//执行用户注册
int adduser = userMapper.addUserByUsername(userRegister);
//用户成功注册后,添加用户角色
if(adduser > 0){
User getuser =userMapper.loadUserByUsername(userRegister.getUsername());
int addrole = userMapper.addRole(getuser.getId(),userRegister.getRole());
if (addrole > 0){
return "账户注册成功,角色注册成功!";
}else{
return "账户注册成功!角色注册失败!";
}
}else {
return "账户注册失败!";
}
}
}
public List<Role> getAllRole(){
return userMapper.getAllRole();
}
}
登录接口:
登录接口包含:
registerController用户注册接口
doRegisterController执行用户注册接口及返回注册结果
HelloController登录接口
package com.example.springsecurity.Controller;
import com.example.springsecurity.Service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView;
@Controller
public class registerController {
@Autowired
UserService userService;
@GetMapping("/register")
//registerController用户注册接口,将所有角色信息数据库取值并绑定roles赋给前端registerPage.html
public ModelAndView resgister(){
ModelAndView mv = new ModelAndView();
mv.addObject("roles",userService.getAllRole());
mv.setViewName("registerPage");
return mv;
}
}package com.example.springsecurity.Controller;
import com.example.springsecurity.Entity.UserRegister;
import com.example.springsecurity.Service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class doRegisterController {
@Autowired
UserService userService;
@PostMapping("/doregister")
//doRegisterController执行用户注册接口及返回注册结果
public String doregister(UserRegister userRegister){
return userService.addUserByUsername(userRegister);
}
}package com.example.springsecurity.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
//HelloController登录接口,URL访问权限控制,分别对应不同的角色方能访问
public class HelloController {
@GetMapping("/admin/hello")
public String admin(){
return "hello admin";
}
@GetMapping("/user/hello")
public String user(){
return "hello user";
}
@GetMapping("/db/hello")
public String dba(){
return "hello dba";
}
@GetMapping("/hello")
public String hello(){
return "hello";
}
}#Spring Security核心配置类WebSecurityLoginConfig
①注入用户服务类用于登录验证。
②配置用户登录密码需要BCryptPasswordEncoder(10)密文认证。
③对可访问资源URL限定固定的角色方能访问。
④用户注册接口和执行用户注册接口允许访问。
⑤成功登陆后跳转hello接口。
package com.example.springsecurity.Config;
import com.example.springsecurity.Service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Configuration
public class WebSecurityLoginConfig extends WebSecurityConfigurerAdapter {
//注入用户服务
@Autowired
UserService userService;
//配置用户登录密码需要BCryptPasswordEncoder密文认证
@Bean
PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder(10);
}
//基于数据库的用户账号密码、角色、过期、锁定等认证
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception{
auth.userDetailsService(userService);
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.authorizeRequests()
//对可访问URL资源进行角色控制
.antMatchers("/admin/**")
.hasRole("admin")
.antMatchers("/user/**")
.access("hasAnyRole('admin','user')")
.antMatchers("/db/**")
.access("hasRole('dba') and hasRole('admin')")
//用户注册接口和执行用户注册接口允许访问
.antMatchers("/register","/doregister")
.permitAll()
//用户访问其他URL资源都必须认证后访问,即登陆后访问
.anyRequest()
.authenticated()
//开启表单登录,即登录界面,登录URL为/login,登录参数用户名username密码password
//Ajax或移动端通过POST请求登录,接口为/login,permitAll表示登录不需要认证即可访问
.and()
.formLogin()
.loginProcessingUrl("/login")
.permitAll()
//成功登录后跳转到hello页面
.successHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
response.setContentType("application/json;charset=utf-8");
response.sendRedirect("/hello");
}
})
.and()
.csrf()
.disable();
}
}
#启动数据库和项目,开始验证测试
第一步测试注册:
输入用户注册接口http://localhost:8080/register,自动跳转到registerPage.html,并将所有角色信息从数据库取出赋值给前端。
提交注册,跳转到http://localhost:8080/doregister接口,返回注册结果。
数据库中user表已经新增ceshi用户。
用户角色表user_role中新增数据:ceshi用户(uid:15)对应用户角色(rid:3)。
第二步测试登录:
我们输入登录网址http://localhost:8080/login或者任意输入后缀地址,均可以访问登录接口。
用ceshi用户登陆后,具有用户角色,可以访问/user/hello接口或者hello接口,当然系统会自动跳转到hello接口页面。
当我们访问管理员接口/admin/hello接口,系统会因为缺少权限而拒绝访问Forbidden。
#总结
SpringSecurity可以非常轻松的实现用户登录验证、注册、跳转、URL接口访问控制等。
Thymeleaf可以将后端数据赋值给前端,便于前端使用,非常适合做登录网页前端设计。
Mybatis持久层非常灵活,可以实现用户自助注册、角色赋值、用户查询、角色查询等各种方法并于数据库交互,实现存储加密。
通过以上技术,我们就可以轻松打造简单安全的注册登录页面了,而不去纠结于各项安全设置和各种接口的设计。
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
