权限控制:效果如下
编写代码步骤:Spring Security 的核心是一条过滤器链(FilterChain),所以要做的就是两件事:
一:配置过滤器,告诉它哪些 URL 需要控制、哪些角色可以进行怎样的操作
二:给验证器提供用户信息,用户信息包括用户名,密码,权限
OK!!开始
一:添加依赖
如果用到了模板引擎和 Spring Security 标签,需要引入下面前两个依赖;第三个 spring-boot-starter-security 是必需的。
<!-- Template engine (only needed when pages are rendered with Thymeleaf) -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<!-- Thymeleaf dialect for the sec: tags (sec:authorize, sec:authentication, ...).
     NOTE(review): this is the Spring Security 4 flavour of the extras with a pinned version.
     If the Boot starter below resolves Spring Security 5, the matching artifact is
     thymeleaf-extras-springsecurity5 - confirm against the Boot version actually in use. -->
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
<version>3.0.2.RELEASE</version>
</dependency>
<!-- Spring Security itself: the filter chain, form login, CSRF protection, PasswordEncoder, ...
     Version is managed by the Boot parent, so no <version> here. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
二:配置过滤器
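@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Custom provider that authenticates against the database-backed UserDetailsService.
     * NOTE(review): MyAuthenticationProvider is listed further down without @Component;
     * it has to be registered as a bean (or declared via @Bean here) for this injection to resolve.
     */
    @Autowired
    private MyAuthenticationProvider provider;

    /**
     * URL authorisation rules plus the login/logout endpoints.
     *
     * Rule order matters: the first matching antMatcher wins and anyRequest() is the catch-all.
     * The patterns use "/**" so that nested paths (e.g. /admin/users/1) are covered as well;
     * the original "/admin/*" only matches a single path segment, so deeper URLs fell through
     * to the weaker "authenticated" catch-all instead of requiring the role.
     *
     * CSRF protection is deliberately left ON (the Spring Security default). The original
     * called csrf().disable(), which lets any third-party page submit state-changing POSTs
     * (including /form and /logout) with the victim's session cookie. Disabling it is only
     * reasonable for a stateless token API, not for a session/form-login app like this one.
     * Forms rendered through Thymeleaf's th:action get the hidden _csrf field automatically;
     * a hand-written form must include
     *   <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // everything under /user/ needs ROLE_ADMIN or ROLE_USER
                .antMatchers("/user/**").hasAnyRole("ADMIN", "USER")
                // everything under /admin/ needs ROLE_ADMIN (hasRole adds the "ROLE_" prefix itself)
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/index").permitAll()
                // any other URL requires an authenticated session
                .anyRequest().authenticated()
            .and()
                // custom login page; permitAll() on formLogin opens the login page,
                // the processing URL (/form) and the failure URL (/login_error)
                .formLogin().loginPage("/login")
                .loginProcessingUrl("/form")
                .failureUrl("/login_error")
                .defaultSuccessUrl("/index").permitAll()
            .and()
                // With CSRF enabled, logout must be a POST carrying the CSRF token;
                // a plain GET link to /logout is no longer accepted.
                .logout().logoutUrl("/logout").logoutSuccessUrl("/index");
    }

    /**
     * BCrypt for password hashing. Exposed as a bean so MyAuthenticationProvider can verify a
     * submitted password against the stored hash with the same encoder that produced it.
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Authentication sources. Both the custom provider and an in-memory user store are
     * registered; which one answers a given login depends on provider order and supports().
     *
     * The in-memory user admin / "1" with ROLE_USER is demo-only: it is a trivially guessable
     * account that bypasses the database entirely. Remove it before deploying.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(provider);
        auth.inMemoryAuthentication()
                .passwordEncoder(passwordEncoder())
                // demo account, see Javadoc above
                .withUser("admin").password(passwordEncoder().encode("1")).roles("USER");
    }
}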
认证是由 AuthenticationManager 来管理的,我们需要提供 AuthenticationProvider 来进行认证;认证成功后,用户信息会被加入 Spring Security 上下文,可以通过 SecurityContextHolder.getContext().getAuthentication() 获得。
三:编写 AuthenticationProvider(认证)
public Authentication authenticate(Authentication authentication) throws AuthenticationException { }
它需要我们返回一个已认证的 Token(Authentication 对象);下面用 UsernamePasswordAuthenticationToken 实现一下。注意:Provider 必须真正校验密码,只查到用户就返回已认证的 Token 等于任何知道用户名的人都能登录。
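/**
 * Username/password provider backed by the database UserDetailsService.
 *
 * Uses org.springframework.security.authentication.BadCredentialsException,
 * org.springframework.security.core.userdetails.UsernameNotFoundException and
 * org.springframework.security.crypto.password.PasswordEncoder in addition to the
 * types the original listing already referenced.
 *
 * NOTE(review): the listing shows no @Component on this class, yet SecurityConfig @Autowires it;
 * it must be registered as a bean one way or another.
 */
public class MyAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private UserDetailsService myUserDetailsService;

    /**
     * The BCrypt encoder exposed by SecurityConfig.passwordEncoder(); used to verify the
     * submitted password against the stored hash.
     * NOTE(review): SecurityConfig also injects this provider. If Spring rejects the resulting
     * circular reference, move the passwordEncoder() @Bean into its own @Configuration class.
     */
    @Autowired
    private PasswordEncoder passwordEncoder;

    /**
     * Authenticates a username/password pair.
     *
     * The original implementation loaded the user and returned an authenticated token without
     * ever comparing the password, so anyone who knew a valid username could log in. This
     * version verifies the credential with the PasswordEncoder first.
     *
     * @param authentication the unauthenticated token from form login
     *                       (principal = username, credentials = raw password)
     * @return an authenticated UsernamePasswordAuthenticationToken carrying the user's authorities
     * @throws BadCredentialsException if the user is unknown or the password does not match;
     *         both cases share one message so the login form cannot be used to enumerate usernames
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getName();
        Object credentials = authentication.getCredentials();
        String password = credentials == null ? "" : credentials.toString();

        user u;
        try {
            u = (user) myUserDetailsService.loadUserByUsername(name);
        } catch (UsernameNotFoundException e) {
            // Do not reveal whether the username exists.
            throw new BadCredentialsException("Bad credentials", e);
        }

        // The stored value is expected to be the BCrypt hash (see PasswordEncoder in SecurityConfig).
        // matches() does the salted comparison; never compare the two strings directly.
        if (u.getPassword() == null || !passwordEncoder.matches(password, u.getPassword())) {
            throw new BadCredentialsException("Bad credentials");
        }

        // Role names come straight from the database and must already carry the "ROLE_" prefix
        // (e.g. ROLE_ADMIN) for hasRole(...) in SecurityConfig to match.
        Set<GrantedAuthority> authorities = new HashSet<>();
        for (String role : u.getAuthoritie()) {
            authorities.add(new SimpleGrantedAuthority(role));
        }

        // The 3-arg constructor marks the token as authenticated. The raw password is not copied
        // into it, so it does not linger in the SecurityContext / HTTP session.
        return new UsernamePasswordAuthenticationToken(name, null, authorities);
    }

    /**
     * Only claims the token type that form login produces. Returning true for every class
     * (as the original did) would make this provider accept tokens it cannot validate.
     */
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}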
UserDetailsService
@Component
public class myUserDetailService implements UserDetailsService {

    @Autowired
    private userMapper userMapper;

    /**
     * Loads the user row (and, through the mapper's resultMap, its role names) for a login name.
     *
     * @param username the login name submitted by the form
     * @return the matching user entity, which implements UserDetails
     * @throws UsernameNotFoundException when no row matches the username
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        user found = userMapper.getUser(username);
        if (found == null) {
            throw new UsernameNotFoundException("用户不存在");
        }
        return found;
    }
}
user
public class user implements Serializable,UserDetails {
// Primary key; mapped from column "id" by the MyBatis resultMap
private int id;
// Login name; mapped from column "username"
private String userName;
// Password as stored in the DB. With the BCrypt encoder used in this setup it should be the
// bcrypt hash, never plaintext; keep it out of logs and toString().
private String password;
// Role names loaded by the nested getAuthorities select (e.g. "ROLE_ADMIN"). They must carry
// the "ROLE_" prefix for hasRole() in SecurityConfig to match. Read via getAuthoritie().
private Set<String> Authoritie;
// NOTE(review): getters/setters and the UserDetails methods (getAuthorities, getUsername,
// getPassword, isEnabled, ...) are elided in the listing - confirm getPassword() returns the
// field above; the is*() account-status methods matter if a DaoAuthenticationProvider is used.
...
}
Mapper
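/**
 * MyBatis mapper for the user / role tables (the SQL lives in the companion XML mapper).
 * Both queries bind the username through #{...} placeholders, i.e. as prepared-statement
 * parameters rather than string concatenation, so a crafted login name cannot alter the SQL.
 */
@Mapper
public interface userMapper {

    /** Loads the user row plus its role names (nested select) for a login name; null if absent. */
    user getUser(String username);

    /**
     * Role names for a login name. Typed as Set&lt;String&gt; - the original declared the raw
     * Set, which hid the element type and forced unchecked use at call sites.
     */
    Set<String> getAuthorities(String username);
}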
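<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
<mapper namespace="com.tom.mapper.userMapper">
    <!-- Maps a user row onto com.tom.bean.user; the role names are fetched by a nested
         select keyed on the username column. -->
    <resultMap id="userMap" type="com.tom.bean.user">
        <id property="id" column="id"/>
        <result property="userName" column="username"/>
        <result property="password" column="password"/>
        <collection property="Authoritie" select="getAuthorities" column="username"></collection>
    </resultMap>
    <!-- Role names for one user. #{username} is a bound parameter (prepared statement);
         never change it to ${username}, which would splice the login name into the SQL text. -->
    <select id="getAuthorities" resultType="String">
        select r.roleName from user u
        left join u_r ur on u.id = ur.uid
        left join role r on ur.rid = r.id
        where u.username=#{username}
    </select>
    <!-- Loads the user row, including the stored password column that the provider verifies against. -->
    <select id="getUser" resultMap="userMap">
        select * from user where username=#{username}
    </select>
<!-- The original listing ended with an unclosed "</mapper" tag, which is not well-formed XML. -->
</mapper>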
数据库表
user 表(id,username,password),role 表(id,roleName),u_r 表(uid,rid)。注意:如果按本文用 BCryptPasswordEncoder 校验密码,password 列应存放 BCrypt 哈希而不是明文;roleName 必须带 ROLE_ 前缀(例如 ROLE_ADMIN),否则 hasRole("ADMIN") 不会匹配。