基于SpringBoot集成Spring Security–获取角色
1.表结构
- 用户表
CREATE TABLE `sys_user` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`user` varchar(20) NOT NULL,
`password` varchar(20) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
- 角色表
CREATE TABLE `sys_role` (
`id` int(11) NOT NULL,
`role` varchar(20) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
- 角色表-用户表(关联表)
创建外键的语句:
constraint fk_字段名 foreign key (字段名) references 表名 (字段名)
CREATE TABLE `sys_user_role` (
`id` int(11) NOT NULL,
`user_id` int(11) NOT NULL,
`role_id` int(11) NOT NULL,
PRIMARY KEY (`id`),
CONSTRAINT `fk_role_id` FOREIGN KEY (`role_id`) REFERENCES `sys_role` (`id`) ON DELETE CASCADE ON UPDATE CASCADE,
CONSTRAINT `fk_user_id` FOREIGN KEY (`user_id`) REFERENCES `sys_user` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
- 填充数据
#角色表填充数据,有两个角色
INSERT INTO `sys_role` VALUES ('1', 'ROLE_ADMIN');
INSERT INTO `sys_role` VALUES ('2', 'ROLE_USER');
#用户表填充数据
INSERT INTO `sys_user` VALUES ('1', 'admin', '123');
INSERT INTO `sys_user` VALUES ('2', 'zhangsan', '123');
#关联表填充数据
INSERT INTO `sys_user_role` VALUES ('1','1', '1');
INSERT INTO `sys_user_role` VALUES ('2','2', '2');
2.前端文件
- 登录页面(login.html)
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>登录</title>
</head>
<body>
<h1>登录</h1>
<form method="post" action="/login">
<div>
用户名:<input type="text" name="username">
</div>
<div>
密码:<input type="password" name="password">
</div>
<div>
<button type="submit">登录</button>
</div>
</form>
</body>
</html>
- 登录成功页面(home.html)
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>登录信息</title>
</head>
<body>
<h1>登陆成功</h1>
<a href="/admin">为admin角色</a>
<a href="/user">为user角色</a>
<button onclick="window.location.href='/logout'">退出登录</button>
</body>
</html>
3.配置文件(application.properties)
#配置数据库
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.datasource.url=jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=utf-8&useSSL=true
spring.datasource.username=root
spring.datasource.password=123456
#开启Mybatis下划线命名转驼峰命名
mybatis.configuration.map-underscore-to-camel-case=true
其中下划线命名转驼峰命名见下图解释:
4.实体类
运用lombok插件实现get,set等方法
- 用户实体类
public class SysUser implements Serializable {
static final long serialVersionUID = 1L;
private int id;
private String name;
private String password;
}
- 角色实体类
public class SysRole implements Serializable {
static final long serialVersionUID = 1L;
private int id;
private String role;
}
- 角色-用户关联实体类
public class SysUserRole implements Serializable {
static final long serialVersionUID = 1L;
private int id;
private int userId;
private int roleId;
}
5.DAO
- 用户
@Mapper
@Repository
public interface SysUserMapper {
//通过id查询用户
@Select("select * from sys_user where id=#{id}")
SysUser selectById(int id);
//通过name查询
@Select("select * from sys_user where name=#{name}")
SysUser selectByName(String name);
}
- 角色
@Mapper
@Repository
public interface SysRoleMapper {
@Select("select * from sys_role where id=#{id}")
SysRole selectById(int id);
}
- 用户-角色关联
@Mapper
@Repository
public interface SysUserRoleMapper {
@Select("select * from sys_user_role where user_id=#{userId}")
List<SysUserRole> listByUserId(int userId);
}
6.Service
- 用户
@Service
public class SysUserService {
@Autowired
private SysUserMapper sysUserMapper;
public SysUser selectById(int id){
return sysUserMapper.selectById(id);
}
public SysUser selectByName(String name){
return sysUserMapper.selectByName(name);
}
}
- 角色
@Service
public class SysRoleService {
@Autowired
private SysRoleMapper sysRoleMapper;
public SysRole selectById(int id){
return sysRoleMapper.selectById(id);
}
}
- 用户-角色关联
@Service
public class SysUserRoleService {
@Autowired
private SysUserRoleMapper sysUserRoleMapper;
public List<SysUserRole> listByUserId(int userId){
return sysUserRoleMapper.listByUserId(userId);
}
}
7.Controller
@Controller
public class LoginController {
//打印出日志信息所在类
private Logger logger=LoggerFactory.getLogger(LoginController.class);
@RequestMapping("/")
public String showHome(){
//获取当前登录用户
String name= SecurityContextHolder.getContext().getAuthentication().getName();
logger.info("当前登录用户:"+name);
return "home.html";
}
@RequestMapping("/login")
public String showLogin(){
return "login.html";
}
@RequestMapping("/admin")
@ResponseBody
//@PreAuthorize注解:用于判断用户是否有指定权限,没有就不能访问
@PreAuthorize("hasRole('ROLE_ADMIN')")
public String printAdmin(){
return "拥有ROLE_ADMIN角色";
}
@RequestMapping("/user")
@ResponseBody
@PreAuthorize("hasRole('ROLE_USER')")
public String printUser(){
return "拥有ROLE_USER角色";
}
}
8.配置SpringSecurity
8.1 CustomerUserDetailsService
首先我们需要自定义 UserDetailsService
,将用户信息和角色注入进来。我们需要重写 loadUserByUsername
方法,参数是用户输入的用户名。返回值是UserDetails
,这是一个接口,一般使用它的子类org.springframework.security.core.userdetails.User
,它有三个参数,分别是用户名、密码和权限集。
@Service("userDetailsService")
public class CustomerUserDetailsService implements UserDetailsService {
@Autowired
private SysUserService sysUserService;
@Autowired
private SysRoleService sysRoleService;
@Autowired
private SysUserRoleService sysUserRoleService;
@Override
public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
Collection<GrantedAuthority> authorities=new ArrayList<>();
//获取用户信息
SysUser user=sysUserService.selectByName(name);
//判断用户是否存在
if(user==null){
throw new UsernameNotFoundException("用户名不存在");
}
//添加角色
List<SysUserRole> userRoles=sysUserRoleService.listByUserId(user.getId());
for(SysUserRole userRole:userRoles){
SysRole role=sysRoleService.selectById(userRole.getId());
authorities.add(new SimpleGrantedAuthority(role.getRole()));
}
//返回UserDetails实现类
return new User(user.getName(),user.getPassword(),authorities);
}
}
8.2 WebSecurityConfig
该类是 Spring Security
的配置类,该类的三个注解分别是标识该类是配置类、开启 Security
服务、开启全局 Securtiy
注解。首先将我们自定义的 userDetailsService
注入进来,在 configure()
方法中使用 auth.userDetailsService()
方法替换掉默认的 userDetailsService
。
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired(required = false)
private CustomerUserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new PasswordEncoder() {
@Override
public String encode(CharSequence charSequence) {
return charSequence.toString();
}
@Override
public boolean matches(CharSequence charSequence, String s) {
return s.equals(charSequence.toString());
}
});
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// 如果有允许匿名的url,填在下面
// .antMatchers().permitAll()
.anyRequest().authenticated()
.and()
// 设置登陆页
.formLogin().loginPage("/login")
// 设置登陆成功页
.defaultSuccessUrl("/").permitAll()
// 自定义登陆用户名和密码参数,默认为username和password
// .usernameParameter("username")
// .passwordParameter("password")
.and()
.logout().permitAll();
// 关闭CSRF跨域
http.csrf().disable();
}
@Override
public void configure(WebSecurity web) throws Exception {
// 设置拦截忽略文件夹,可以对静态资源放行
web.ignoring().antMatchers("/css/**","/js/**");
}
}
9.文件目录以及运行结果