在实际运用中,不同类型用户会拥有不同的使用权限,为满足此需求,我们需要对权限管理进行实现。这里讲解两种方法,一是使用filter进行实现,二是使用Spring Security框架进行实现。
使用过滤器
(1)添加filter层,增加一个LoginFilter类(对Filter接口的实现)实现对登陆的过滤。如果未登录过就自动跳转到登陆界面。
public class LoginFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest)servletRequest;
HttpServletResponse response = (HttpServletResponse)servletResponse;
HttpSession session = request.getSession();
if(session.getAttribute("userinfo")==null && request.getRequestURI().indexOf("/user/login.do")==-1){
response.sendRedirect(request.getContextPath()+"user/login.do");
}else{
filterChain.doFilter(request, response);
}
}
@Override
public void destroy() {
}
}
(2)修改web.xml文件,添加过滤器。对所有的.do函数都使用
<!-- 配置登陆过滤 -->
<filter>
<filter-name>loginFilter</filter-name>
<filter-class>com.zhongruan.filter.LoginFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>loginFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
(3)修改control层。如果没有登陆数据就跳转到登陆界面,登陆成功跳转到主界面,登陆失败跳转到失败界面。
@RequestMapping("/login.do")
public ModelAndView login(UserInfo userInfo, HttpServletRequest request){
ModelAndView mv = new ModelAndView();
if(null==userInfo.getUsername()){
mv.setViewName("../index");
}else{
boolean flag = userInfoService.login(userInfo);
if(flag){
mv.setViewName("main");
request.getSession().setAttribute("userInfo", userInfo);
}else{
mv.setViewName("../failer");
}
}
return mv;
}
使用Spring Security
Spring Security框架常用于认证和授权。认证是指判断用户名密码是否正确,授权是指判断某个角色是否有权执行或访问。以下为主要流程:
(1)修改pom.xml文件,声明Spring Security的版本并添加依赖
<spring.security.version>5.0.1.RELEASE</spring.security.version>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring.security.version}</version>
</dependency>
(2)修改web.xml文件,配置访问过滤;
<!-- 配置访问过滤 -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
(3)添加spring-security.xml文件到Resources文件夹下,并在web.xml下配置加载类路径的配置文件
其中spring-security.xml中的内容,注意服务依据(user-service-ref)设为“userInfoService”,与服务层保持一致
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<security:global-method-security pre-post-annotations="enabled" jsr250-annotations="enabled" secured-annotations="enabled"></security:global-method-security>
<!-- 配置不拦截的资源 -->
<security:http pattern="/login.jsp" security="none"/>
<security:http pattern="/failer.jsp" security="none"/>
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/plugins/**" security="none"/>
<!--
配置具体的规则
auto-config="true" 不用自己编写登录的页面,框架提供默认登录页面
use-expressions="false" 是否使用SPEL表达式(没学习过)
-->
<security:http auto-config="true" use-expressions="true">
<!-- 配置具体的拦截的规则 pattern="请求路径的规则" access="访问系统的人,必须有ROLE_USER的角色" -->
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
<security:form-login login-page="/login.jsp"
login-processing-url="/login.do"
default-target-url="/index.jsp"
authentication-failure-url="/failer.jsp"
authentication-success-forward-url="/pages/main.jsp"/>
<!-- 关闭跨域请求 -->
<security:csrf disabled="true"/>
<!--退出并跳转到首页-->
<security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp"></security:logout>
</security:http>
<!-- 切换成数据库中的用户名和密码 -->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userInfoService">
<!-- 配置加密的方式
<security:password-encoder ref="passwordEncoder"/> -->
</security:authentication-provider>
</security:authentication-manager>
<!-- 配置加密类 -->
<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</beans>
web.xml中的配置
<!-- 配置加载类路径的配置文件 -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:applicationContext.xml,classpath*:spring-security.xml</param-value>
</context-param>
(4)修改服务层接口代码,使接口继承UserDetailsService类
public interface IUserInfoService extends UserDetailsService {
List<UserInfo> findAll(int page, int size);
void addUser(UserInfo userInfo);
void deleteUser(int id);
void updateUser(UserInfo userInfo);
UserInfo searchUserById(int id);
boolean login(UserInfo userInfo);
void deleteAll(String ids);
}
(5)添加身份类型和用户身份两个表格
身份类型表格
用户身份表格
(6)增加与表格相应的实体类、持久类以及mapper文件
实体类代码
public class Role {
private int id;
private String roleName;
private String roleDesc;
public Role(int id, String roleName, String roleDesc) {
this.id = id;
this.roleName = roleName;
this.roleDesc = roleDesc;
}
public Role() {
}
public int getId() {
return id;
}
public void setId(int id) {
this.id = id;
}
public String getRoleName() {
return roleName;
}
public void setRoleName(String roleName) {
this.roleName = roleName;
}
public String getRoleDesc() {
return roleDesc;
}
public void setRoleDesc(String roleDesc) {
this.roleDesc = roleDesc;
}
@Override
public String toString() {
return "Role{" +
"id=" + id +
", roleName='" + roleName + '\'' +
", roleDesc='" + roleDesc + '\'' +
'}';
}
}
持久层代码
public interface IRoleDao {
List<Role> findRoleByUserId(int id);
}
mapper部分代码
<mapper namespace="com.zhongruan.dao.IRoleDao" >
<select id="findRoleByUserId" parameterType="int" resultType="com.zhongruan.bean.Role">
select * from role where id in (select roleId from users_role where userId = #{id})
</select>
</mapper>
(7)在服务层增加具体的实现,使得能够根据用户姓名获取用户身份
// {noop}是为了加密。
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
UserInfo userInfo = userInfoDao.searchUserByName(username);
List<Role> roles = roleDao.findRoleByUserId(userInfo.getId());
User user = new User(userInfo.getUsername(), "{noop}"+userInfo.getPassword(), getAuthority(roles));
return user;
}
private Collection<? extends GrantedAuthority> getAuthority(List<Role> roles){
List<SimpleGrantedAuthority> list = new ArrayList<>();
for(Role role:roles) {
list.add(new SimpleGrantedAuthority("ROLE_"+role.getRoleName()));
}
return list;
}