Spring Security
1. 导入jar包
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>5.0.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.0.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>5.0.5.RELEASE</version>
</dependency>
2. 配置web.xml
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>Archetype Created Web Application</display-name>
<!--委派过滤器,用于整合其他框架-->
<filter>
<!--整合spring security时,此过滤器的名称固定springSecurityFilterChain-->
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- 解决post乱码 -->
<filter>
<filter-name>CharacterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>utf-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CharacterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>springmvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<!-- 指定加载的配置文件 ,通过参数contextConfigLocation加载 -->
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:springmvc.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
</web-app>
注意:委派过滤器名称必须为:springSecurityFilterChain
3. 配置spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://code.alibabatech.com/schema/dubbo
http://code.alibabatech.com/schema/dubbo/dubbo.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!--配置哪些资源匿名可以访问(不登录也可以访问)-->
<!--<security:http security="none" pattern="/pages/a.html"></security:http>
<security:http security="none" pattern="/pages/b.html"></security:http>-->
<!--<security:http security="none" pattern="/pages/**"></security:http>-->
<security:http security="none" pattern="/login.html"></security:http>
<security:http security="none" pattern="/css/**"></security:http>
<security:http security="none" pattern="/img/**"></security:http>
<security:http security="none" pattern="/js/**"></security:http>
<security:http security="none" pattern="/plugins/**"></security:http>
<!--
auto-config:自动配置,如果设置为true,表示自动应用一些默认配置,比如框架会提供一个默认的登录页面
use-expressions:是否使用spring security提供的表达式来描述权限
-->
<security:http auto-config="true" use-expressions="true">
<security:headers>
<!--设置在页面可以通过iframe访问受保护的页面,默认为不允许访问-->
<security:frame-options policy="SAMEORIGIN"></security:frame-options>
</security:headers>
<!--配置拦截规则,/** 表示拦截所有请求-->
<!--
pattern:描述拦截规则
asscess:指定所需的访问角色或者访问权限
-->
<!--只要认证通过就可以访问-->
<security:intercept-url pattern="/pages/**" access="isAuthenticated()" />
<!--如果我们要使用自己指定的页面作为登录页面,必须配置登录表单.页面提交的登录表单请求是由框架负责处理-->
<!--
login-page:指定登录页面访问URL
-->
<security:form-login
login-page="/login.html"
username-parameter="username"
password-parameter="password"
login-processing-url="/login.do"
default-target-url="/pages/main.html"
authentication-failure-url="/login.html"></security:form-login>
<!--
csrf:对应CsrfFilter过滤器
disabled:是否启用CsrfFilter过滤器,如果使用自定义登录页面需要关闭此项,否则登录操作会被禁用(403)
-->
<security:csrf disabled="true"></security:csrf>
<!--
logout:退出登录
logout-url:退出登录操作对应的请求路径
logout-success-url:退出登录后的跳转页面
-->
<security:logout logout-url="/logout.do"
logout-success-url="/login.html" invalidate-session="true"/>
</security:http>
<!--配置认证管理器-->
<security:authentication-manager>
<!--配置认证提供者-->
<security:authentication-provider user-service-ref="springSecurityUserService">
<!--
配置一个具体的用户,后期需要从数据库查询用户
<security:user-service>
<security:user name="admin" password="{noop}1234" authorities="ROLE_ADMIN"/>
</security:user-service>
-->
<!--指定度密码进行加密的对象-->
<security:password-encoder ref="passwordEncoder"></security:password-encoder>
</security:authentication-provider>
</security:authentication-manager>
<!--配置密码加密对象-->
<bean id="passwordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<!--开启注解方式权限控制-->
<security:global-method-security pre-post-annotations="enabled" />
</beans>
注意:
-
一定要配置:
<security:headers> <!--设置在页面可以通过iframe访问受保护的页面,默认为不允许访问--> <security:frame-options policy="SAMEORIGIN"></security:frame-options> </security:headers>
-
使用自定义的登录认证方式,则一定要关闭csrf过滤
-
在配置认证规则时,有三种常用写法:(对应Controller中对权限的配置写法)
- access="isAuthenticated() “:只要认证通过就可以访问
- access="hasAuthority(‘xxx’)” :有xxx权限才可以访问
- access="hasRole(‘xxx’)“ :有xxx角色才可以访问
- 一般角色前加 ROLE_ 前缀
-
要注意该配置文件是否被spring框架加载.
-
开启注解扫描
4. 编写SpringSecurityUserService.java
4.1. SpringSecurityUserService.java用途
在后台service中编写SpringSecurityUserService.java类,实现UserDetailService接口。该类用于从数据库中根据username查询对应的用户,并将用户名和密码返回给springsecurity框架。框架根据返回的数据进行登录认证。
4.2. SpringSecurityUserService.java
package com.itlearn.service;
import com.alibaba.dubbo.config.annotation.Reference;
import com.itlearn.pojo.Permission;
import com.itlearn.pojo.Role;
import com.itlearn.pojo.User;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
//注意,一定要加此注解,用于将此类交给spring框架管理
@Component
public class SpringSecurityUserService implements UserDetailsService {
//通过Dubbo远程访问userService服务
@Reference
private UserService userService;
//根据用户名前往数据库查询用户信息,loadUserByUsername是在认证的时候由框架调用的。
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userService.findUserByUsername(username);
if (user == null){
return null;
}
//动态为用户授权
//GrantedAuthority :授予的权限(角色和权限)
List<GrantedAuthority> list = new ArrayList<>();
Set<Role> roles = user.getRoles();//获得用户下的角色
for (Role role : roles) {
//为用户添加角色.role.getKeyword():角色关键字
//SimpleGrantedAuthority implements GrantedAuthority
list.add(new SimpleGrantedAuthority(role.getKeyword()));
//获得角色下的权限
Set<Permission> permissions = role.getPermissions();
for (Permission permission : permissions) {
//添加权限permission.getKeyword():权限关键字
list.add(new SimpleGrantedAuthority(permission.getKeyword()));
}
}
//返回User对象,注意,这里返回的User是框架的User,也是UserDetails的实现类
org.springframework.security.core.userdetails.User securityUser
= new org.springframework.security.core.userdetails.User(
username,
user.getPassword(),
list);
return securityUser;
}
}
主要步骤:
-
注入Dubbo远程服务
- 利用服务查询数据库,返回User对象
- 获得对象下的角色,遍历角色,将角色加入list集合。
- 获得角色下的权限,遍历权限,将权限加入list集合。
- 返回User对象(框架的User)
- 注意解决空指针异常
- 利用服务查询数据库,返回User对象
-
修改配置文件
<!-- 使用了此注解扫描,则不再需要spring的注解扫描 因为我们的SpringSecurityUserService是通过Dubbo远程调用服务的,但是在我们的backend配置文件中却没有配置其所在service包的扫描,所以要在这里修改注解扫描包--> <dubbo:annotation package="com.itlearn" />
4.3. Dubbo提供的UserService(略),其实现类如下
package com.itlearn.service.impl;
import com.alibaba.dubbo.config.annotation.Service;
import com.itlearn.dao.PermissionDao;
import com.itlearn.dao.RoleDao;
import com.itlearn.dao.UserDao;
import com.itlearn.pojo.Permission;
import com.itlearn.pojo.Role;
import com.itlearn.pojo.User;
import com.itlearn.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.transaction.annotation.Transactional;
import java.util.List;
import java.util.Set;
@Service(interfaceClass = UserService.class)
@Transactional
public class UserServiceImpl implements UserService {
@Autowired
private UserDao userDao;
@Autowired
private RoleDao roleDao;
@Autowired
private PermissionDao permissionDao;
//查询用户,及用户下的角色,及角色下的权限——三级联动
public User findUserByUsername(String username) {
//根据username查询数据库
User user = userDao.findByUsername(username);
if (user == null){
return null;
}
Integer userId = user.getId();//获取user.id,根据id查询角色
//这里使用set集合,主要是为了避免角色出现重复。如一个用户由两个角色,角色下的权限很可能有重复的,为了去重所以使用set集合。
Set<Role> roles = roleDao.findByUserId(userId);
for (Role role : roles) {
Integer roleId = role.getId();
//根据id查询角色下的权限
Set<Permission> permissions = permissionDao.findByRoleId(roleId);
role.setPermissions(permissions);
}
user.setRoles(roles);
return user;
}
}
注意:明白为什么使用Set集合,而不用List
这里主要解决的是查询user用户下的角色,以及角色下的权限。
4.4. Dao
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.itlearn.dao.UserDao">
<select id="findByUsername" parameterType="string" resultType="user">
select * from t_user where username = #{username}
</select>
</mapper>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.itlearn.dao.RoleDao">
<!--根据用户ID查询关联的角色-->
<select id="findByUserId" parameterType="int" resultType="Role">
select r.*
from t_role r,t_user_role ur
where r.id = ur.role_id and ur.user_id = #{user_id}
</select>
</mapper>
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
<mapper namespace="com.itlearn.dao.PermissionDao">
<!--根据角色ID查询关联的权限-->
<select id="findByRoleId" parameterType="int" resultType="com.itlearn.pojo.Permission">
select p.*
from t_permission p,t_role_permission rp
where p.id = rp.permission_id and rp.role_id = #{role_id}
</select>
</mapper>
5. Controller中配置方法访问权限
@RequestMapping("/delete")
@PreAuthorize("hasAuthority('CHECKITEM_DELETE')")//权限校验
public Result deleteCheckItem(Integer id){
try{
checkItemService.deleteCheckItem(id);
}catch (Exception ex){
ex.printStackTrace();
return new Result(false,MessageConstant.DELETE_CHECKITEM_FAIL);
}
return new Result(true,MessageConstant.DELETE_CHECKITEM_SUCCESS);
}
/**
这里权限校验时,可有三种选择:
1. isAuthenticated():只要认证通过就可以访问
2. hasAuthority('xxx'):有xxx权限才可以访问
3. hasRole('xxx'):有xxx角色才可以访问
- 一般角色前加 ROLE_ 前缀
*/
6. 获取Session域中的user对象
//从Session中获取用户名
org.springframework.security.core.userdetails.User user = (org.springframework.security.core.userdetails.User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
注意:**spring security框架底层是基于(上下文)HttpSession对象和Filter的。当用户认证成功后,框架会把用户名存入Session域中。**另外注意session是有过期时间的。
@GetMapping("/getUsername")
public Result getUsername(){
//从Session中获取用户名
User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
//这里判断user是否为null,是因为在tomcat中session的过期时间为三十分钟。
// 一旦过期,用户刷新页面,而session中已经没有了对应的user对象,这将获取不到username
if (user != null){
return new Result(true, MessageConstant.GET_USERNAME_SUCCESS,user.getUsername());
}
return new Result(false,MessageConstant.GET_USERNAME_FAIL);
}
7. 注意
- 一般,我们在spring security配置文件中只指定
<security:intercept-url pattern="/pages/**" access="isAuthenticated()" />
即,只要通过认证即可。而具体的权限配置是通过对Controller中的具体方法进行配置的。
- SpringSecurityUserService.java在这里主要是用于动态查询用户信息。在spring security配置文件中采用
<!--配置认证提供者-->
<security:authentication-provider user-service-ref="springSecurityUserService">
配权限模型图:
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-OXVLX8nc-1619088266381)(C:\Users\24016\Desktop\store\spring\img\1619010527994.png)]
后续对于spring security的理解还要靠平时的开发学习。
们在spring security配置文件中只指定
<security:intercept-url pattern="/pages/**" access="isAuthenticated()" />
即,只要通过认证即可。而具体的权限配置是通过对Controller中的具体方法进行配置的。
- SpringSecurityUserService.java在这里主要是用于动态查询用户信息。在spring security配置文件中采用
<!--配置认证提供者-->
<security:authentication-provider user-service-ref="springSecurityUserService">
配权限模型图:
后续对于spring security的理解还要靠平时的开发学习。