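Summary
Today is the sixth day of my internship. In the morning we visited Haitian Group, and in the afternoon I learned how to use interceptors, filters and Spring Security. The detailed implementation follows.
1. Internship visit
Today we visited Haitian Group in Ningbo, mainly touring several of its factory buildings, and then held a wrap-up meeting. It was a way to broaden my knowledge.
2. Using interceptors and filters
- Difference between interceptors and filters
An interceptor intercepts actions or access paths; a filter filters almost everything.
- Detailed configuration
- Configuring the interceptor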
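    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;
    import org.springframework.web.servlet.HandlerInterceptor;
    import org.springframework.web.servlet.ModelAndView;

    public class LoginInterceptor implements HandlerInterceptor {
        public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
            //Runs before the handler: return true to let the request continue, false to stop it here
            //Get the session
            HttpSession session = request.getSession();
            //Get the request path (not used in the check below)
            String uri = request.getRequestURI();
            if(session.getAttribute("userInfo") != null) {
                //Logged in: do not intercept
                return true;
            } else {
                //Intercepted: not logged in, send the request back to the login page
                response.sendRedirect(request.getContextPath() + "/user/dologin.do");
                return false;
            }
        }
        public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        }
        public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        }
    }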
    <filter>
        <filter-name>SessionFilter</filter-name>
        <filter-class>com.whut.filter.LoginFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SessionFilter</filter-name>
        <url-pattern>/pages/*</url-pattern>
        <url-pattern>*.jsp</url-pattern>
    </filter-mapping>
- Configuring the filter
    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public class LoginFilter implements Filter {
        public void init(FilterConfig filterConfig) throws ServletException {
            //Filter starts
        }
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            //Difference: an Interceptor runs inside the servlet, so its overridden methods take HttpServletRequest/HttpServletResponse
            //A Filter runs before the servlet and receives ServletRequest; HttpServletRequest is the sub-interface actually passed in, and some methods exist only on it
            //For example: getSession()
            //1. Cast to the HTTP types
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            HttpServletResponse response = (HttpServletResponse) servletResponse;
            HttpSession session = request.getSession();
            if(session.getAttribute("userInfo") == null
                    && request.getRequestURI().indexOf("/user/dologin.do") == -1) {
                //Not logged in
                response.sendRedirect(request.getContextPath() + "/user/dologin.do");
            } else {
                //Already logged in: pass the request on to the next step
                filterChain.doFilter(request, response);
            }
        }
        public void destroy() {
            //Filter ends
        }
    }
3. Using Spring Security
- Adding the dependencies
    <spring.security.version>5.0.1.RELEASE</spring.security.version>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
- Configuration files
    <!--web.xml-->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath*:applicationContext.xml,classpath*:spring-security.xml</param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
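For reasons of length, spring-security.xml is not shown here.
3. Wrapping the entity classes
Create a Role class to hold user roles, add a List to the user information class UserInfo to hold that user's roles, configure the DAO layer for Role, and then move on to the next step.
4. Service layer configuration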
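    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.List;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;

    public class UserInfoServiceImpl implements UserInfoService {
        //userDao and roleDao are the project's DAO beans, injected as fields (their declarations are not shown in the post)
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            //1. Look up the user who is logging in
            UserInfo userInfo = userDao.doLogin(username);
            if(userInfo == null) {
                //Unknown user: report it instead of failing with a NullPointerException below
                throw new UsernameNotFoundException("User not found");
            }
            //2. Look up the roles of this user
            List<Role> roleList = roleDao.findRoleByUserId(userInfo.getId());
            //3. Put the roles into the user object
            userInfo.setRoleList(roleList);
            //4. Hand the User and Role data to Spring Security's built-in User object
            //   "{noop}" selects NoOpPasswordEncoder, so the stored password is compared as plain text
            User user = new User(userInfo.getUsername(), "{noop}" + userInfo.getPassword(), getAuthority(userInfo.getRoleList()));
            return user;
        }
        //Convert the user's roles into Spring Security authorities with the "ROLE_" prefix
        private Collection<? extends GrantedAuthority> getAuthority(List<Role> roleList) {
            List<SimpleGrantedAuthority> list = new ArrayList<>();
            for(Role role : roleList) {
                list.add(new SimpleGrantedAuthority("ROLE_" + role.getRoleName()));
            }
            return list;
        }
    }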
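5. Finally, a login test showed that the "User Management" function can only be seen and used by an administrator, and that JSP paths can no longer be typed in directly for unauthorized access, so using Spring Security for access control is very secure.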
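Added example, not code from the original post: the "{noop}" prefix used in step 4 tells Spring Security to compare passwords as plain text, which means the database column holds unhashed passwords. The class below shows the same User construction fed with hashes from the delegating encoder that ships with Spring Security 5; the class name, helper methods and sample account are assumptions made for illustration.

```java
import java.util.Collections;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical demo class; only the Spring Security calls are real library API.
public class PasswordStorageDemo {
    // Default encoder since Spring Security 5.0: encodes new passwords as
    // "{bcrypt}..." and picks the verifier for a stored value from its "{id}" prefix.
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // Call when an account is created or its password changes;
    // store the returned string in the password column.
    static String hashForStorage(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    // What loadUserByUsername would build once the column holds hashes:
    // the stored value is passed through unchanged, with no "{noop}" prefix added.
    static UserDetails toUserDetails(String username, String storedHash, String roleName) {
        return new User(username, storedHash,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + roleName)));
    }

    public static void main(String[] args) {
        // Constructed sample account and passwords, for demonstration only.
        String stored = hashForStorage("s3cret-demo");
        UserDetails user = toUserDetails("alice", stored, "ADMIN");

        System.out.println("stored value starts with {bcrypt}: " + stored.startsWith("{bcrypt}"));
        System.out.println("correct password matches: " + ENCODER.matches("s3cret-demo", user.getPassword()));
        System.out.println("wrong password matches: " + ENCODER.matches("wrong", user.getPassword()));
        // Rows that still hold plain text keep working as "{noop}" + value
        // until they are re-hashed, so the migration can be gradual.
        System.out.println("legacy {noop} row matches: " + ENCODER.matches("old-pw", "{noop}old-pw"));
    }
}
```

It needs only spring-security-core from the dependency list above, which pulls in the crypto module that provides the encoder.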
-- 2019.07.16, Ningbo, Zhejiang
Will Also