Spring Security的快速入门
什么是Spring Security:
Spring Security 基于 Spring 框架;
Spring Security 提供了基于角色的访问控制和访问控制列表(Access Control List,ACL),可以对应用中的领域对象进行细粒度的控制。
要想使用 Spring Security，首先需要在 pom.xml 中导入以下 Maven 依赖（两个构件的版本必须保持一致，并应定期升级到仍在维护的版本）:
<!-- spring-security-web: the servlet filter chain (the target of DelegatingFilterProxy in web.xml,
     CSRF protection, security headers, form login). -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<!-- NOTE(review): 4.1.0.RELEASE is an old release of the 4.x line; before using this beyond a
     tutorial, check the pinned version against a dependency vulnerability scan and upgrade.
     Both artifacts must always be kept on the same version. -->
<version>4.1.0.RELEASE</version>
</dependency>
<!-- spring-security-config: provides the <security:*> XML namespace used in spring-security.xml. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.1.0.RELEASE</version>
</dependency>
在web.xml里配置Spring Security过滤器链 :
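<!-- contextConfigLocation: the root WebApplicationContext file(s) that ContextLoaderListener loads
     when the container starts. This comment is now properly closed: the original one ended with
     ">" instead of "-->", so everything down to the next "-->" (including the whole context-param
     below) was comment text and the security context was never loaded, or web.xml failed to parse.
     Note that "classpath*:" picks up a matching resource from EVERY jar on the classpath; use
     "classpath:" if only the application's own spring/spring-security.xml is intended. -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath*:spring/spring-security.xml</param-value>
</context-param>

<!-- ContextLoaderListener bootstraps the root application context at container startup. -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- DelegatingFilterProxy looks up a bean with the same name as this filter in the root context
     and delegates every request to it. The name must be exactly "springSecurityFilterChain",
     which is the bean registered by the <security:http> namespace configuration. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Map the chain to every URL. Exclusions for static resources are declared in
     spring-security.xml (security="none"), not by narrowing this pattern, so the security
     configuration stays in one place. -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>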
在resources资源目录下创建spring-security.xml
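<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://code.alibabatech.com/schema/dubbo
       http://code.alibabatech.com/schema/dubbo/dubbo.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Static resources are excluded from the filter chain altogether (security="none"):
         no authentication, no session handling and no security headers are applied to them.
         Keep these patterns restricted to genuinely static content. -->
    <security:http pattern="/css/**" security="none"/>
    <security:http pattern="/img/**" security="none"/>
    <security:http pattern="/js/**" security="none"/>
    <security:http pattern="/plugins/**" security="none"/>

    <!-- form-login attributes:
         1. login-page: URL of the custom login page (default /login)
         2. login-processing-url: URL the login form posts to (the form's action)
         3. default-target-url: where to redirect after a successful login
         4. always-use-default-target: ignore the originally requested URL and always use 3
         5. authentication-failure-url: where to redirect after a failed login
         6. username-parameter: request parameter holding the user name (default "username")
         7. password-parameter: request parameter holding the password (default "password")
         8. authentication-success-handler-ref: an AuthenticationSuccessHandler; cannot be combined
            with default-target-url / always-use-default-target
         9. authentication-success-forward-url: forward (not redirect) target after a success
        10. authentication-failure-handler-ref: an AuthenticationFailureHandler
        11. authentication-failure-forward-url: forward (not redirect) target after a failure
        12. authentication-details-source-ref: an AuthenticationDetailsSource used by the filter -->

    <!-- Main security configuration.
         auto-config="true" would additionally generate a default login page; it is not used here
         because a custom login page is configured below.
         use-expressions="false": access attributes are plain role names, not SpEL expressions. -->
    <security:http use-expressions="false">
        <!-- "/admin/**" covers every depth below /admin (e.g. /admin/goods/list.html). The original
             "/admin/*" matched a single path segment only, so nested admin URLs were reachable
             without logging in. Any URL not matched by an intercept-url here is open by default. -->
        <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
        <security:form-login login-page="/shoplogin.html"
                             login-processing-url="/login"
                             default-target-url="/admin/index.html"
                             authentication-failure-url="/shoplogin.html"
                             always-use-default-target="true"/>
        <!-- CSRF protection is left at its default (enabled). The original configuration disabled
             it, which let any third-party page drive /login and /logout (login CSRF, forced logout)
             and every state-changing POST under /admin in the browser of a logged-in seller.
             Consequences of keeping it enabled:
             * the login form must send the token as the _csrf request parameter (for static HTML
               pages configure a cookie-based repository via token-repository-ref, e.g.
               CookieCsrfTokenRepository, and copy the XSRF-TOKEN cookie into the form field or
               the X-XSRF-TOKEN header);
             * logout must be a POST carrying the token; a plain GET /logout link no longer works. -->
        <!-- Logout: invalidates the session and redirects to the login page. -->
        <security:logout logout-url="/logout" logout-success-url="/shoplogin.html"/>
        <security:headers>
            <!-- The default is DENY. SAMEORIGIN is relaxed only so the app's own pages can embed
                 each other in frames; framing from other origins (clickjacking) is still blocked. -->
            <security:frame-options policy="SAMEORIGIN"/>
        </security:headers>
    </security:http>

    <!-- Password encoder: bcrypt. Stored passwords must therefore be bcrypt hashes, never plaintext:
         the UserDetailsService returns the stored hash and this bean performs the comparison. -->
    <bean id="bcryptEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <!-- Authentication manager: users are loaded from the database by the bean named
         userDetillServiceImpl (the UserDetailsService implementation); submitted passwords are
         checked against the stored hash with the bcrypt encoder above. -->
    <security:authentication-manager>
        <security:authentication-provider user-service-ref="userDetillServiceImpl">
            <security:password-encoder ref="bcryptEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <!-- Dubbo client: scans com.pinyougou.service (and sub-packages) for @Reference/@Service
         annotations. The registry address is environment-specific; externalize it rather than
         committing a fixed IP. -->
    <dubbo:application name="pinyougou-shop-web" />
    <dubbo:registry address="zookeeper://192.168.25.128:2181"/>
    <dubbo:annotation package="com.pinyougou.service" />
</beans>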
通过实现 UserDetailsService，从数据库中查找用户并交给 Spring Security 进行认证（密码比对由上面配置的 BCryptPasswordEncoder 完成，本类只负责返回用户信息、密码哈希和权限）:
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import com.alibaba.dubbo.config.annotation.Reference;
import com.pinyougou.pojo.TbSeller;
import com.pinyougou.pojo.TbSpecification;
import com.pinyougou.sellergoods.service.SellerService;
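/**
 * Loads the seller account used by form login.
 *
 * <p>Spring Security calls {@link #loadUserByUsername(String)} from the authentication provider
 * declared in spring-security.xml. The returned password is the stored bcrypt hash; the
 * configured {@code BCryptPasswordEncoder} compares the submitted password against it, so this
 * class never handles plaintext passwords itself.
 */
@Service("userDetillServiceImpl")
public class UserDetillServiceImpl implements UserDetailsService {

    /** Remote (Dubbo) seller service; wired from the registry configured in spring-security.xml. */
    @Reference
    private SellerService sellerService;

    /**
     * Builds the {@link UserDetails} for the seller id submitted on the login form.
     *
     * @param username the seller id entered on the login page
     * @return the seller's id, stored password hash, enabled flag and the ROLE_ADMIN authority
     * @throws UsernameNotFoundException if no seller with that id exists. The
     *     {@code UserDetailsService} contract forbids returning {@code null}; the original code
     *     did, which Spring Security reports as an internal contract violation rather than a
     *     normal failed login. The default provider rewrites this exception as a
     *     BadCredentialsException, so clients cannot tell "unknown user" from "wrong password".
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        TbSeller seller = sellerService.findOne(username);
        if (seller == null) {
            throw new UsernameNotFoundException("Seller not found: " + username);
        }

        // Every seller that can log in gets ROLE_ADMIN, which /admin/** in spring-security.xml
        // requires; there is no finer-grained role model in this tutorial.
        List<SimpleGrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));

        // A seller is enabled unless its status is "0" (presumably "not yet approved"; confirm
        // against the seller table). A missing status now fails closed (account disabled) instead
        // of throwing a NullPointerException from the original status.equals("0") call.
        String status = seller.getStatus();
        boolean enabled = status != null && !"0".equals(status);

        return new User(seller.getSellerId(), seller.getPassword(), enabled, true, true, true, authorities);
    }
}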