1 Rough table design for the permission module
The permission module has three kinds of objects: roles, users and permissions. Users and roles are in a many-to-many relationship, and permissions and roles are in a many-to-many relationship as well.
2 Spring Security
1 Configure the filter that intercepts requests for the role module
web.xml configuration
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
A delegating filter: when integrating Spring Security, the filter name must be springSecurityFilterChain, the name of the filter-chain bean that Spring Security creates and that DelegatingFilterProxy looks up.
2 Configure the modules and the permissions they require
1 Configure files or folders that do not require authentication
<security:http security="none" pattern="/js/**"></security:http>
2 Authentication and authorization configuration
<security:http auto-config="true" use-expressions="true">
    <!-- Only needed when pages are embedded in frames: Spring Security forbids framing by default -->
    <security:headers>
        <security:frame-options policy="SAMEORIGIN"></security:frame-options>
    </security:headers>
    <!-- Paths that require authentication, and the access expression they require -->
    <security:intercept-url pattern="/pages/**" access="isAuthenticated()"></security:intercept-url>
    <!-- login-page:                         the custom login page
         username-parameter:                 form field holding the username
         password-parameter:                 form field holding the password
         login-processing-url:               URL the login form posts to
         default-target-url:                 page shown after a successful login
         authentication-failure-forward-url: page forwarded to when login fails -->
    <security:form-login login-page="/login.html"
                         username-parameter="username"
                         password-parameter="password"
                         login-processing-url="/login.do"
                         default-target-url="/pages/main.html"
                         always-use-default-target="true"
                         authentication-failure-forward-url="/login.html">
    </security:form-login>
    <!-- Set when a custom login page is configured: with CSRF protection on, a login POST
         that carries no CSRF token is rejected -->
    <security:csrf disabled="true"></security:csrf>
    <!-- Logout request path -->
    <security:logout logout-success-url="/login.html" logout-url="/logout.do" invalidate-session="true"></security:logout>
</security:http>
3 Configure the service that Spring Security calls to look up the user
<!-- The service Spring Security calls to load the user. It must implement UserDetailsService and
     return an org.springframework.security.core.userdetails.User, e.g.
       list.add(new SimpleGrantedAuthority(permission.getKeyword()));
       UserDetails userDetails = new org.springframework.security.core.userdetails.User(username, user.getPassword(), list); -->
<security:authentication-manager>
    <security:authentication-provider user-service-ref="springSecurityUserService">
        <!-- Password encoding. Spring Security's default encoder:
             org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder -->
        <security:password-encoder ref="passwordEncoder"></security:password-encoder>
    </security:authentication-provider>
</security:authentication-manager>
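The `<security:http>` and `<security:authentication-manager>` configuration above expressed in Java config, as an added example that is not from the original notes. It assumes Spring Security 5.x (`WebSecurityConfigurerAdapter` is deprecated in later versions) and departs from the XML in one place: instead of `<security:csrf disabled="true"/>` it keeps CSRF protection enabled and writes the token to a readable cookie, which is what a static `login.html` needs in order to submit the token. The `passwordEncoder` bean is the one `ref="passwordEncoder"` points to, and the bean named `springSecurityUserService` is assumed to be the project's own `UserDetailsService`.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)   // lets @PreAuthorize on controllers take effect
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // The project's own UserDetailsService bean (user-service-ref="springSecurityUserService" in XML);
    // assumed to exist, it is not defined here.
    @Autowired
    private UserDetailsService springSecurityUserService;

    // The bean that <security:password-encoder ref="passwordEncoder"/> refers to.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // <security:authentication-manager> with its authentication-provider
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(springSecurityUserService).passwordEncoder(passwordEncoder());
    }

    // <security:http security="none" pattern="/js/**"/>: static resources skip the filter chain
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/js/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // <security:frame-options policy="SAMEORIGIN"/>
            .headers().frameOptions().sameOrigin()
            .and()
            // <security:intercept-url pattern="/pages/**" access="isAuthenticated()"/>
            .authorizeRequests()
                .antMatchers("/pages/**").authenticated()
            .and()
            // <security:form-login .../>
            .formLogin()
                .loginPage("/login.html")
                .loginProcessingUrl("/login.do")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/pages/main.html", true)   // always-use-default-target="true"
                .failureForwardUrl("/login.html")
                .permitAll()
            .and()
            // <security:logout .../>
            .logout()
                .logoutUrl("/logout.do")
                .logoutSuccessUrl("/login.html")
                .invalidateHttpSession(true)
            .and()
            // Replaces <security:csrf disabled="true"/>: protection stays on; the token is written to
            // a cookie (XSRF-TOKEN) that the static login page's JavaScript can read and send back.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With CSRF protection left on, the login page's JavaScript reads the `XSRF-TOKEN` cookie and sends its value as the `_csrf` form parameter or the `X-XSRF-TOKEN` header, and logout becomes a POST to `/logout.do` carrying the same token; a plain GET link to `/logout.do` no longer logs the user out. `@EnableGlobalMethodSecurity(prePostEnabled = true)` is what makes `@PreAuthorize` on controllers work; the XML equivalent is `<security:global-method-security pre-post-annotations="enabled"/>`.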
5 Annotations on the controller
@PreAuthorize("hasAuthority('CHECKITEM_EDIT')") // permission check
where CHECKITEM_EDIT is a keyword defined in your own permission table.
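How the `springSecurityUserService` bean and the annotated controller fit together, as an added example that is not code from the original notes. The `User`, `Role` and `Permission` classes and the `UserDao` interface are hypothetical stand-ins for the project's own entities from the table design in section 1; the service turns each role keyword and each permission keyword into a `SimpleGrantedAuthority`, which is exactly what `hasAuthority('CHECKITEM_EDIT')` is later checked against.

```java
import java.util.HashSet;
import java.util.Set;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical entity classes mirroring the table design in section 1 (user <-> role <-> permission,
// both many-to-many); the project's real entities replace them.
class Permission {
    private final String keyword;                    // e.g. "CHECKITEM_EDIT", the value used in @PreAuthorize
    Permission(String keyword) { this.keyword = keyword; }
    String getKeyword() { return keyword; }
}

class Role {
    private final String keyword;                    // e.g. "ROLE_ADMIN"; hasRole('ADMIN') expects the ROLE_ prefix
    private final Set<Permission> permissions = new HashSet<>();
    Role(String keyword) { this.keyword = keyword; }
    String getKeyword() { return keyword; }
    Set<Permission> getPermissions() { return permissions; }
}

class User {
    private final String username;
    private final String password;                   // BCrypt hash from the database, never the plaintext
    private final Set<Role> roles = new HashSet<>();
    User(String username, String password) { this.username = username; this.password = password; }
    String getUsername() { return username; }
    String getPassword() { return password; }
    Set<Role> getRoles() { return roles; }
}

interface UserDao {                                  // hypothetical data-access interface
    User findByUsername(String username);
}

// Bean name matches user-service-ref="springSecurityUserService" in the XML configuration.
@Service("springSecurityUserService")
public class SpringSecurityUserService implements UserDetailsService {

    @Autowired
    private UserDao userDao;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userDao.findByUsername(username);
        if (user == null) {
            // DaoAuthenticationProvider maps this to a generic BadCredentialsException by default,
            // so the login response does not reveal whether the username exists.
            throw new UsernameNotFoundException("user not found: " + username);
        }
        Set<GrantedAuthority> authorities = new HashSet<>();
        for (Role role : user.getRoles()) {
            authorities.add(new SimpleGrantedAuthority(role.getKeyword()));
            for (Permission permission : role.getPermissions()) {
                // Each permission keyword becomes an authority, which is what
                // hasAuthority('CHECKITEM_EDIT') is checked against.
                authorities.add(new SimpleGrantedAuthority(permission.getKeyword()));
            }
        }
        // The stored hash is compared with the submitted password by the configured PasswordEncoder,
        // never by this service.
        return new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(), authorities);
    }
}

// A controller method guarded by a permission keyword from the permission table. Requires method
// security to be enabled (global-method-security pre-post-annotations="enabled" in XML, or
// @EnableGlobalMethodSecurity(prePostEnabled = true) in Java config).
@RestController
class CheckItemController {

    @PreAuthorize("hasAuthority('CHECKITEM_EDIT')")
    @PostMapping("/checkitem/edit")                  // hypothetical path
    public String edit() {
        return "check item edited";
    }
}
```

A user whose roles carry no permission with keyword `CHECKITEM_EDIT` gets an `AccessDeniedException` (a 403) from `edit()` before the method body runs; changing the permission rows in the database changes what the user may do without touching the controller.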