pom依赖
<properties>
<spring.version>5.0.2.RELEASE</spring.version>
<slf4j.version>1.6.6</slf4j.version>
<log4j.version>1.2.12</log4j.version>
<shiro.version>1.2.3</shiro.version>
<mybatis.version>3.4.5</mybatis.version>
<spring.security.version>5.0.1.RELEASE</spring.security.version>
</properties>
<dependencies>
<!-- spring -->
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.6.8</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.6</version>
</dependency>
<dependency>
<groupId>com.oracle</groupId>
<artifactId>ojdbc14</artifactId>
<version>10.2.0.4.0</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>jstl</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<!-- log start -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>${log4j.version}</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${slf4j.version}</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>${slf4j.version}</version>
</dependency>
<!-- log end -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
<version>${mybatis.version}</version>
</dependency>
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis-spring</artifactId>
<version>1.3.0</version>
</dependency>
<dependency>
<groupId>com.github.pagehelper</groupId>
<artifactId>pagehelper</artifactId>
<version>5.1.2</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.0.9</version>
</dependency>
<dependency>
<groupId>javax.annotation</groupId>
<artifactId>jsr250-api</artifactId>
<version>1.0</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.2</version>
</plugin>
</plugins>
</build>
web.xml中配置
<!--编码过滤器-->
<filter>
<filter-name>encoding</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encoding</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--前端控制器-->
<!--
/* 拦所有
/ 除了jsp,html都拦,也包含js,css
-->
<servlet>
<servlet-name>springmvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:springmvc.xml</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!--spring核心监听器-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</context-param>
<!--提供springsecurity的过滤器链-->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Spring配置文件中配置(applicationContext.xml)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<!--dao配置-->
<!--数据库连接池-->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="oracle.jdbc.driver.OracleDriver"/>
<property name="url" value="jdbc:oracle:thin:@192.168.253.6:1521:orcl"/>
<property name="username" value="ssm79"/>
<property name="password" value="ssm"/>
</bean>
<!--提供SqlsessionFactoryBean-->
<bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">
<property name="dataSource" ref="dataSource"/>
<property name="typeAliasesPackage" value="com.itheima.domain"/>
</bean>
<!--扫描dao接口包给所有接口创建代理对象,并放入到ioc容器中-->
<bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">
<property name="basePackage" value="com.itheima.dao"/>
</bean>
<!--service配置文件-->
<!--组件扫描-->
<context:component-scan base-package="com.itheima.service"/>
<!--配置事务管理器-->
<bean id="transactionManager"
class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource" ref="dataSource"/>
</bean>
<!--开启事务注解的支持-->
<tx:annotation-driven/>
<!--引入spring-security配置文件-->
<import resource="classpath:spring-security.xml"/>
SpringMVC配置文件(springMVC.xml)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<!--组件扫描-->
<context:component-scan base-package="com.itheima.controller"/>
<!--mvc注解支持-->
<mvc:annotation-driven />
<!--视图解析器-->
<bean id="internalResourceViewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/pages/"/>
<property name="suffix" value=".jsp"/>
</bean>
<!--释放静态资源,所有的请求会先经过这个处理器处理静态资源,displayServlet会处理url相关请求-->
<mvc:default-servlet-handler/>
</beans>
SpringSecurity配置文件
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!--释放静态资源-->
<security:http pattern="/login.jsp" security="none"/>
<security:http pattern="/failer.jsp" security="none"/>
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/plugins/**" security="none"/>
<!--springsecurity的主配置-->
<security:http auto-config="true" use-expressions="true">
<!--指定基本角色-->
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
<!--认证相关配置-->
<security:form-login login-page="/login.jsp"
login-processing-url="/login"
default-target-url="/index.jsp"
authentication-failure-url="/failer.jsp"/>
<!--退出登录相关配置-->
<security:logout logout-url="/logout"
logout-success-url="/login.jsp"
invalidate-session="true"/>
<!--放开csrf拦截-->
<security:csrf disabled="true"/>
</security:http>
<!--加盐加密对象 如果名称为encoder可以不用加-->
<bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<!--认证信息-->
<security:authentication-manager>
<!-userServiceIml是我们自定义的认证类->
<security:authentication-provider user-service-ref="userServiceImpl">
<security:password-encoder ref="encoder"/>
</security:authentication-provider>
</security:authentication-manager>
补充 BCryPasswordEncoder加盐加密
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String encode = passwordEncoder.encode(“123”);
SpringSecurity会拿着明文和数据库中的密文去匹配
认证类
@Service
@Transactional
public class UserServiceImpl implements UserService {
/**
* @param username 用户输入的用户名
* @return springsecurity自己的用户对象类型
* 该认证方法的流程:
* 先根据用户输入的用户名,去自己的数据库中查询用户对象。
* 如果没有查询到,直接返回null。springsecurity就认为认证失败。
* 如果查询到了,得到的是我们自己的SysUser对象。
* 可是springsecurity认证用的框架自己的UserDetails对象
* 所以我们要拿自己的SysUser对象封装一个UserDetails对象
* 返回即可。
* 框架自己会判断密码是否正确。
*/
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//根据用户名查询用户对象
SysUser myUser = userDao.findByUsername(username);
//如果没有查询到直接返回null表示认证失败
if(myUser==null){
return null;
}
//封装一个当前用户所具有的角色的集合对象
List<SimpleGrantedAuthority> authorities = new ArrayList<>();
//得到当前用户下所有角色的集合
//如果没有查询到角色表示用户没有角色
List<SysRole> roles = myUser.getRoles();
if(roles=null){
return null;
}
for (SysRole role : roles) {
//其实SimpleGrantedAuthority对象的作用就是很方便让框架拿到我们给用户添加的角色
authorities.add(new SimpleGrantedAuthority(role.getRoleName()));
}
//查询到了,用自己的SysUser封装一个springsecurity框架的UserDetails。
//SpringSecurity默认是加密判断,如果没有配置上面的加密,需要在密码处加上"{noop}"
//UserDetails user = new User(myUser.getUsername(), "{noop}"+myUser.getPassword(), authorities);
UserDetails user = new User(myUser.getUsername(), myUser.getPassword(), authorities);
return user;
}
前台根据角色隐藏相关菜单配置
1.在菜单页面上导入springsecurity的标签
<%@taglib uri="http://www.springframework.org/security/tags" prefix="security"%>
2.在每个菜单上添加访问此菜单需要的叫角色 eg:
<security:authorize access="hasAnyRole('ROLE_PRODUCT','ROLE_ADMIN')">
<li id="system-setting">
<a href="${pageContext.request.contextPath}/product/findAll">
<i class="fa fa-circle-o"></i> 产品管理
</a>
</li>
</security:authorize>
!!!!!!!!!!
注意:页面拦截只是一个菜单的隐藏,其本质并没有限制该用户无法操作某个功能。
如果需要限制需要进行以下配置
1.<!--开启springsecurity权限拦截注解-->
<security:global-method-security jsr250-annotations="enabled" --jsr250规范的注解支持
pre-post-annotations="enabled" --支持Spring的el表达式注解
secured-annotations="enabled"> -- springsecurity自己的注解
</security:global-method-security>
注意:结合业务,配置一个就行了。
2.在开启注解配置支持的配置文件对应的对象中添加注解
@RolesAllowed({"ROLE_PRODUCT","ROLE_ADMIN"}) //jsr250的
@PreAuthorize("hasAnyAuthority('ROLE_PRODUCT','ROLE_ADMIN')") //el表达式的
@Secured({"ROLE_PRODUCT","ROLE_ADMIN"}) //springsecurity注解的
补充点:处理AccessDeniedException异常在<security:http></security:http>中添加
<security:access-denied-handler error-page="/403.jsp">
</security:access-denied-handler>