Spring Security的快速入门

Spring Security的快速入门

什么是Spring Security:

Spring Security 基于 Spring 框架;
Spring Security 提供了基于角色的访问控制和访问控制列表(Access Control List,ACL),可以对应用中的领域对象进行细粒度的控制。

要想使用Spring Security首先需要导入jar包 :

		<!-- spring-security-web and spring-security-config must be kept on the same version.
		     NOTE(review): 4.1.0.RELEASE belongs to an old release line that no longer receives fixes;
		     use a currently maintained Spring Security version in a real project. -->
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>4.1.0.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>4.1.0.RELEASE</version>
		</dependency>

在web.xml里配置Spring Security过滤器链 :

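	<!-- contextConfigLocation: the Spring configuration file(s) listed in <param-value>
	     are loaded into the root application context when the server starts. -->
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>classpath*:spring/spring-security.xml</param-value>
	</context-param>

	<!-- ContextLoaderListener: builds the root application context at web application startup. -->
	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>

	<!-- DelegatingFilterProxy forwards each request to the Spring bean whose name equals <filter-name>.
	     The name must be exactly "springSecurityFilterChain", the bean the security namespace registers. -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>

	<!-- Route every request through the security filter chain. A narrower url-pattern would leave
	     the remaining paths completely outside Spring Security. -->
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>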

在resources资源目录下创建spring-security.xml

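<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans.xsd
          http://code.alibabatech.com/schema/dubbo
          http://code.alibabatech.com/schema/dubbo/dubbo.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security.xsd">

	<!-- Resources that are not intercepted.
	     security="none" removes the whole filter chain for these paths, so neither access rules
	     nor security response headers apply to them. Keep only public static content below them. -->
	<security:http pattern="/css/**" security="none"/>
	<security:http pattern="/img/**" security="none"/>
	<security:http pattern="/js/**" security="none"/>
	<security:http pattern="/plugins/**" security="none"/>

	<!--
	    form-login is the security namespace element that configures form based login. Attributes:
	    1.  login-page                          URL of the custom login page, default /login
	    2.  login-processing-url                URL the login request is intercepted on, i.e. the action of the login form
	    3.  default-target-url                  URL the user is sent to after a successful login
	    4.  always-use-default-target           whether default-target-url is always used after login
	    5.  authentication-failure-url          URL the user is sent to after a failed login
	    6.  username-parameter                  request field holding the user name, default "username"
	    7.  password-parameter                  request field holding the password, default "password"
	    8.  authentication-success-handler-ref  reference to an AuthenticationSuccessHandler; must not be combined
	                                            with default-target-url or always-use-default-target
	    9.  authentication-success-forward-url  forwards (instead of redirecting) after a successful login;
	                                            an alternative to authentication-success-handler-ref
	    10. authentication-failure-handler-ref  reference to an AuthenticationFailureHandler for failed logins
	    11. authentication-failure-forward-url  forwards (instead of redirecting) after a failed login;
	                                            an alternative to authentication-failure-handler-ref
	    12. authentication-details-source-ref   reference to an AuthenticationDetailsSource used by the authentication filter
	-->

	<!-- Interception rules:
	     auto-config="true"       (not used below) lets the framework supply a default login page
	     use-expressions="false"  access attributes are plain role names, not SpEL expressions
	-->

	<!-- Page interception rules -->
	<security:http use-expressions="false">
		<!-- "/admin/**" covers every path below /admin/. With Ant patterns the single star form
		     "/admin/*" matches one path segment only, so a nested path such as /admin/sub/page.html
		     would have no access rule at all. -->
		<security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
		<security:form-login login-page="/shoplogin.html"
							 login-processing-url="/login"
							 default-target-url="/admin/index.html"
							 authentication-failure-url="/shoplogin.html"
							 always-use-default-target="true"/>

		<!-- NOTE(review): CSRF protection is switched off, presumably because the static login page
		     cannot carry the CSRF token. While it is off, every state changing request is authorised by
		     the session cookie alone. Before production use, enable it and have the pages send the token
		     (hidden form field or request header). -->
		<security:csrf disabled="true"/>

		<!-- Logout URL and the page shown afterwards -->
		<security:logout logout-url="/logout" logout-success-url="/shoplogin.html"/>

		<!-- Allows the application's own pages to be embedded in frames. Spring Security sends
		     X-Frame-Options: DENY by default; SAMEORIGIN still refuses framing by other origins. -->
		<security:headers>
			<security:frame-options policy="SAMEORIGIN"/>
		</security:headers>

	</security:http>

	<!-- Password encoder: stored passwords have to be BCrypt hashes for the comparison to succeed -->
	<bean id="bcryptEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"></bean>


	<!-- Authentication manager -->
	<security:authentication-manager>
		<!-- Accounts are loaded from the database through the UserDetailsService bean named
		     userDetillServiceImpl; that bean must be registered in this application context. -->
		<security:authentication-provider user-service-ref="userDetillServiceImpl">
			<security:password-encoder ref="bcryptEncoder"></security:password-encoder>
		</security:authentication-provider>
	</security:authentication-manager>

	<!-- Dubbo service references: dubbo:annotation scans com.pinyougou.service and its sub-packages.
	     NOTE(review): the registry address is a hard-coded lab IP; externalise it per environment
	     and restrict network access to the ZooKeeper port. -->
	<dubbo:application name="pinyougou-shop-web" />
	<dubbo:registry address="zookeeper://192.168.25.128:2181"/>
	<dubbo:annotation package="com.pinyougou.service" />

</beans>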

从数据库中查找进行权限认证:

import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import com.alibaba.dubbo.config.annotation.Reference;
import com.pinyougou.pojo.TbSeller;
import com.pinyougou.pojo.TbSpecification;
import com.pinyougou.sellergoods.service.SellerService;

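/**
 * {@link UserDetailsService} that authenticates sellers against the remote
 * {@code SellerService}.
 *
 * <p>Registered under the bean name {@code userDetillServiceImpl}, which is the name
 * the authentication provider in spring-security.xml refers to.
 */
@Service("userDetillServiceImpl")
public class UserDetillServiceImpl implements UserDetailsService{
	
	@Reference
	private SellerService sellerService;

	/**
	 * Looks up the seller with the given login name and converts it into a Spring Security user.
	 *
	 * @param username the login name submitted by the login form; passed to {@code sellerService.findOne}
	 * @return a {@link User} carrying the seller id, the stored password and the granted authorities
	 * @throws UsernameNotFoundException if no seller exists for {@code username}
	 */
	@Override
	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
		TbSeller seller = sellerService.findOne(username);
		if (seller == null) {
			// The UserDetailsService contract forbids returning null: an unknown account
			// has to be reported with UsernameNotFoundException.
			throw new UsernameNotFoundException("No seller account for the supplied username");
		}

		// NOTE(review): every seller receives ROLE_ADMIN, the role that the intercept-url rule
		// in spring-security.xml requires. Confirm that all sellers are meant to hold it.
		List<SimpleGrantedAuthority> authorities = new ArrayList<>();
		authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));

		// Fail closed: a missing status disables the account instead of raising a
		// NullPointerException in the middle of authentication.
		// NOTE(review): only status "0" is rejected, so any other status value can log in.
		// If only approved sellers should be admitted, compare against the approved value instead.
		boolean enabled = seller.getStatus() != null && !"0".equals(seller.getStatus());

		// User is Spring Security's stock implementation of UserDetails. The password handed over
		// here is compared by the configured password encoder, so it is expected to be the stored hash.
		return new User(seller.getSellerId(), seller.getPassword(), enabled, true, true, true, authorities);
	}
}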