springboot基于数据库的认证Spring Security

129 篇文章 0 订阅

Spring Boot针对Spring Security提供了自动化配置方案,因此可以使Spring Security非常容易地整合进Spring Boot项目中,这也是在Spring Boot项目中使用Spring Security的优势。

基本用法

创建项目,添加依赖

创建一个Spring Boot Web项目,然后添加spring-boot-starter-security依赖即可,代码如下:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

只要开发者在项目中添加了spring-boot-starter-security依赖,项目中所有资源都会被保护起来。

添加hello接口

接下来在项目中添加一个简单的/hello接口,内容如下:

package com.shrimpking.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Created by IntelliJ IDEA.
 *
 * @Author : Shrimpking
 * @create 2023/6/6 17:22
 */
@RestController
public class HelloController
{
    @GetMapping("/hello")
    public String hello()
    {
        return "hello";
    }
}

配置用户名和密码

如果开发者对默认的用户名和密码不满意,可以在application.properties中配置默认的用户名、密码以及用户角色,配置方式如下:

server.port=8099

spring.security.user.name=user
spring.security.user.password=1234
spring.security.user.roles=admin

启动项目测试

接下来启动项目,启动成功后,访问/hello接口会自动跳转到登录页面,这个登录页面是由Spring Security提供的,如图所示。

 

 基于数据库的认证

 在真实项目中,用户的基本信息以及角色等都存储在数据库中,因此需要从数据库中获取数据进行认证。介绍如何使用数据库中的数据进行认证和授权。

设计数据表

首先需要设计一个基本的用户角色表,一共三张表,分别是用户表、角色表以及用户角色关联表。为了方便测试,预置几条测试数据

drop table if EXISTS r_user; 
create table r_user(
	id int(11) not null auto_increment primary key,
	userName varchar(32) not null,
	password varchar(50) not null,
	enabled tinyint default 1 comment '是否启用,0未启用,1启用',
	locked tinyint default 0 comment '是否锁定,0锁定,1未锁定'
) comment '用户表';
insert into r_user(userName,password) values ('root','1234');
insert into r_user(userName,password) values ('admin','1234');
insert into r_user(userName,password) values ('king','1234');

drop table if EXISTS r_role;
create table r_role(
	id int(11) not null auto_increment,
	name varchar(32) not null comment '角色英文名称',
	displayName varchar(32) not null comment '角色中文名称',
	primary key(id)
) comment '角色表';
insert into r_role(name,displayName) values('ROLE_dba','数据库管理员');
insert into r_role(name,displayName) values('ROLE_admin','系统管理员');
insert into r_role(name,displayName) values('ROLE_user','用户');

drop table if EXISTS r_user_role;
create table r_user_role(
	id int(11) not null auto_increment primary key,
	userId int not null comment '用户id',
	roleId int not null comment '角色id'
) comment '用户角色关联表';
insert into r_user_role(userId,roleId) values (1,1);
insert into r_user_role(userId,roleId) values (1,2);
insert into r_user_role(userId,roleId) values (1,3);
insert into r_user_role(userId,roleId) values (2,2);
insert into r_user_role(userId,roleId) values (2,3);
insert into r_user_role(userId,roleId) values (3,3);


创建项目,选择MyBatis,因此创建Spring Boot Web项目添加如下依赖:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>1.3.2</version>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.47</version>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid</artifactId>
            <version>1.1.10</version>
        </dependency>

  

配置数据库

 在application.properties中进行数据库连接配置:

server.port=8099
#数据源
spring.datasource.type=com.alibaba.druid.pool.DruidDataSource
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.datasource.url=jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=utf-8&useSSL=false&serverTimeZone=UTC
spring.datasource.username=root
spring.datasource.password=mysql123

创建实体类

分别创建角色表和用户表对应的实体类,代码如下:

Role.java

package com.shrimpking.pojo;

/**
 * Created by IntelliJ IDEA.
 *
 * @Author : Shrimpking
 * @create 2023/6/6 18:27
 */
public class Role
{
    private String id;
    private String name;
    private String displayName;

    public Role()
    {
    }

    public Role(String name, String displayName)
    {
        this.name = name;
        this.displayName = displayName;
    }

    public String getId()
    {
        return id;
    }

    public void setId(String id)
    {
        this.id = id;
    }

    public String getName()
    {
        return name;
    }

    public void setName(String name)
    {
        this.name = name;
    }

    public String getDisplayName()
    {
        return displayName;
    }

    public void setDisplayName(String displayName)
    {
        this.displayName = displayName;
    }

    @Override
    public String toString()
    {
        return "Role{" + "id='" + id + '\'' + ", name='" + name + '\'' + ", displayName='" + displayName + '\'' + '}';
    }
}

User.java

package com.shrimpking.pojo;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * Created by IntelliJ IDEA.
 *
 * @Author : Shrimpking
 * @create 2023/6/6 18:29
 */
public class User implements UserDetails
{
    private int id;
    private String userName;
    private String password;
    private boolean enabled;
    private boolean locked;
    private List<Role> roles;

    public User()
    {
    }

    public User(String userName, String password)
    {
        this.userName = userName;
        this.password = password;
    }

    public int getId()
    {
        return id;
    }

    public void setId(int id)
    {
        this.id = id;
    }

    public String getUserName()
    {
        return userName;
    }

    public void setUserName(String userName)
    {
        this.userName = userName;
    }

    /**
     * 获取当前用户对象的密码
     * @return
     */
    @Override
    public String getPassword()
    {
        return password;
    }

    public void setPassword(String password)
    {
        this.password = password;
    }

    /**
     * 当前账号是否可用
     * @return
     */
    @Override
    public boolean isEnabled()
    {
        return enabled;
    }

    public void setEnabled(boolean enabled)
    {
        this.enabled = enabled;
    }

    public boolean isLocked()
    {
        return locked;
    }

    public void setLocked(boolean locked)
    {
        this.locked = locked;
    }

    public List<Role> getRoles()
    {
        return roles;
    }

    public void setRoles(List<Role> roles)
    {
        this.roles = roles;
    }

    @Override
    public String toString()
    {
        return "User{" + "id=" + id + ", userName='" + userName + '\'' + ", password='" + password + '\'' + ", enabled=" + enabled + ", locked=" + locked + ", roles=" + roles + '}';
    }


    /**
     * 获取当前用户对象所具有的角色信息
     * @return
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities()
    {

        List<SimpleGrantedAuthority> authorities = new ArrayList<>();
        for (Role role : roles)
        {
            authorities.add(new SimpleGrantedAuthority(role.getName()));
        }
        return authorities;
    }

    /**
     * 获取当前用户对象的用户名
     * @return
     */
    @Override
    public String getUsername()
    {
        return userName;
    }

    /**
     * 当前账号是否未过期
     * @return
     */
    @Override
    public boolean isAccountNonExpired()
    {
        return true;
    }

    /**
     * 当前账号是否未锁定
     * @return
     */
    @Override
    public boolean isAccountNonLocked()
    {
        return !locked;
    }

    /**
     * 当前账号密码是否未过期
     * @return
     */
    @Override
    public boolean isCredentialsNonExpired()
    {
        return true;
    }
}

代码解释:

• 用户实体类需要实现UserDetails接口,并实现该接口中的7个方法,getAuthorities,getUsername,isAccountNonExpired,isAccountNonLocked,isCredentialsNonExpired,isEnabled,getPassword。

用户根据实际情况设置这7个方法的返回值。因为默认情况下不需要开发者自己进行密码角色等信息的比对,开发者只需要提供相关信息即可,例如getPassword()方法返回的密码和用户输入的登录密码不匹配,会自动抛出BadCredentialsException异常,isAccountNonExpired()方法返回了false,会自动抛出AccountExpiredException异常,因此对开发者而言,只需要按照数据库中的数据在这里返回相应的配置即可。本案例因为数据库中只有enabled和locked字段,故账户未过期和密码未过期两个方法都返回true。

• getAuthorities()方法用来获取当前用户所具有的角色信息,本案例中,用户所具有的角色存储在roles属性中,因此该方法直接遍历roles属性,然后构造SimpleGrantedAuthority集合并返回。

创建UserService

接下来创建UserService,代码如下:

package com.shrimpking.service;

import com.shrimpking.mapper.UserMapper;
import com.shrimpking.pojo.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

/**
 * Created by IntelliJ IDEA.
 *
 * @Author : Shrimpking
 * @create 2023/6/6 19:01
 */
@Service
public class UserService implements UserDetailsService
{
    @Autowired
    private UserMapper userMapper;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
    {
        User user = userMapper.loadUserByUsername(username);
        if(user == null)
        {
            throw new UsernameNotFoundException("账号不存在");
        }
        user.setRoles(userMapper.getUserRolesByUid(user.getId()));
        return user;
    }
}

代码解释:

定义UserService实现UserDetailsService接口,并实现该接口中的loadUserByUsername方法,该方法的参数就是用户登录时输入的用户名,通过用户名去数据库中查找用户,如果没有查找到用户,就抛出一个账户不存在的异常,如果查找到了用户,就继续查找该用户所具有的角色信息,并将获取到的user对象返回,再由系统提供的DaoAuthenticationProvider类去比对密码是否正确。

• loadUserByUsername方法将在用户登录时自动调用。

还涉及UserMapper和UserMapper.xml,相关源码如下:

UserMapper.java

package com.shrimpking.mapper;


import com.shrimpking.pojo.Role;
import com.shrimpking.pojo.User;
import org.apache.ibatis.annotations.Mapper;

import java.util.List;

/**
 * Created by IntelliJ IDEA.
 *
 * @Author : Shrimpking
 * @create 2023/6/6 19:02
 */
@Mapper
public interface UserMapper
{
    User loadUserByUsername(String username);
    List<Role> getUserRolesByUid(int id);
}

UserMapper.xml

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
        "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.shrimpking.mapper.UserMapper">

    <select id="loadUserByUsername" resultType="com.shrimpking.pojo.User">
        select id,userName,password,enabled,locked
        from r_user where userName = #{userName}
    </select>

    <select id="getUserRolesByUid" resultType="com.shrimpking.pojo.Role">
        select
        r.id,
        r.name,
        r.displayName
        from r_role r,r_user_role ur
        where r.id = ur.roleId
        and ur.userId = #{id}
    </select>

</mapper>

配置Spring Security

接下来对Spring Security进行配置,代码如下:

package com.shrimpking.config;

import com.shrimpking.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Created by IntelliJ IDEA.
 *
 * @Author : Shrimpking
 * @create 2023/6/6 19:20
 */
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    @Autowired
    private UserService userService;

    @Bean
    PasswordEncoder passwordEncoder()
    {
        //return new BCryptPasswordEncoder(10); //默认10,取值范围4-31之间

        //本案例使用NoOpPasswordEncoder,即不对密码进行加密。
        return NoOpPasswordEncoder.getInstance();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception
    {
        auth.userDetailsService(userService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("admin")
                .antMatchers("/db/**").hasRole("dba")
                .antMatchers("/user/**").hasRole("user")
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginProcessingUrl("/login").permitAll()
                .and()
                .csrf().disable();
    }

}

    /*
    首先配置了三个用户,
    root用户具备ADMIN和DBA的角色,
    admin用户具备ADMIN和USER的角色,
    king用户具备USER的角色。

    调用authorizeRequests()方法开启HttpSecurity的配置,
    antMatchers配置分别表示用户访问“/admin/**”模式的URL必须具备ADMIN的角色;
    antMatchers用户访问“/user/**”模式的URL必须具备ADMIN或USER的角色;
    antMatchers用户访问“/db/**”模式的URL必须具备ADMIN和DBA的角色。
    anyRequest用户访问URL都必须认证后访问(登录后访问)。
    formLogin表示开启表单登录,即读者一开始看到的登录页面,
    loginProcessingUrl同时配置了登录接口为“/login”,即可以直接调用“/login”接口,
    发起一个POST请求进行登录,登录参数中用户名必须命名为username,
    密码必须命名为password,
    配置loginProcessingUrl接口主要是方便Ajax或者移动端调用登录接口。
    permitAll,表示和登录相关的接口都不需要认证即可访问。
    表示关闭csrf。
     */

创建Controller进行测试了,

 HelloController.java

package com.shrimpking.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Created by IntelliJ IDEA.
 *
 * @Author : Shrimpking
 * @create 2023/6/6 19:29
 */
@RestController
public class HelloController
{
    @GetMapping("/admin/hello")
    public String admin()
    {
        return "hello admin";
    }

    @GetMapping("/user/hello")
    public String user()
    {
        return "hello user";
    }

    @GetMapping("/db/hello")
    public String dba()
    {
        return "hello dba";
    }

    @GetMapping("/hello")
    public String hello()
    {
        return "hello";
    }
}

记得pom.xml中过滤条件的配置

        <resources>
            <resource>
                <directory>src/main/java</directory>
                <includes>
                    <include>**/*.xml</include>
                    <include>**/*.properties</include>
                </includes>
                <filtering>false</filtering>
            </resource>
            <resource>
                <directory>src/main/resources</directory>
                <includes>
                    <include>**/*.xml</include>
                    <include>**/*.properties</include>
                </includes>
                <filtering>false</filtering>
            </resource>
        </resources>

 

权限大小依次为 root > admin > king。

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

虾米大王

有你的支持,我会更有动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值