一、安全性框架
- Apache Shiro 比较简单易用,不依赖于Spring,应用场景:传统的SSM项目
- SpringSecurity 比较复杂,功能较强大,属于Spring框架技术,应用场景:Spring boot+SpringCloud
- JWT+SpringSecurity组合,多用于微服务分布式开发中。
- JWT+SpringSecurity+SpringCloud
- JWT+SpringSecurity+SpringCloud+前端(angular.js,vue.js)
二、了解SpringSecurity的核心组件
- SecurityContext SpringSecurity的安全上下文,保存当前已认证主体的信息(一个Authentication对象),比如当前登录用户及其权限。
- SecurityContextHolder 通过该工具获取SecurityContext
- Authentication 即“认证”,可理解为认证的主体:认证前封装用户提交的凭据(账号和密码),认证通过后保存已认证的用户信息及其权限。
- UserDetails 接口 表示“用户的详情信息”,规范了用户的详情信息(或者规范pojo的定义)。
- UserDetailsService 接口,仅定义了一个方法:loadUserByUsername(String username)。SpringSecurity 在认证时调用该方法按账号加载用户;账号不存在时应抛出 UsernameNotFoundException。
三、入门程序
- 扩展pojo实现UserDetails接口
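/**
 * Persistent user row that doubles as the Spring Security {@link UserDetails}
 * principal returned by {@code SysUserService.loadUserByUsername}.
 *
 * <p>Only {@code locked} influences the authentication outcome; the remaining
 * {@code UserDetails} flags are hard-wired to {@code true}. The {@code salt}
 * column is carried through but is not consulted during login: the
 * {@code BCryptPasswordEncoder} configured in {@code SecurityConfig} stores its
 * own salt inside the hash.
 */
public class SysUser implements UserDetails {
    private String id;
    private String usercode;
    private String username;
    /** Stored password hash (expected to be a BCrypt hash, see SecurityConfig). */
    private String password;
    /** Legacy salt column; not used by BCrypt-based verification. */
    private String salt;
    /** Lock flag as stored in the database: "0" = not locked, anything else = locked. */
    private String locked;

    public String getId() {
        return id;
    }

    public void setId(String id) {
        this.id = id == null ? null : id.trim();
    }

    public String getUsercode() {
        return usercode;
    }

    public void setUsercode(String usercode) {
        this.usercode = usercode == null ? null : usercode.trim();
    }

    /** Display name; note that Spring Security logs in by {@code usercode}, not by this field. */
    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username == null ? null : username.trim();
    }

    @Override
    public String getPassword() {
        return password;
    }

    /** Trimming is harmless for a stored hash; never trim a raw user-submitted password. */
    public void setPassword(String password) {
        this.password = password == null ? null : password.trim();
    }

    public String getSalt() {
        return salt;
    }

    public void setSalt(String salt) {
        this.salt = salt == null ? null : salt.trim();
    }

    public String getLocked() {
        return locked;
    }

    public void setLocked(String locked) {
        this.locked = locked == null ? null : locked.trim();
    }

    /**
     * Granted authorities. This entity carries no role data, so an empty list is
     * returned instead of {@code null}: Spring Security copies the authorities into
     * the successful Authentication token, and a {@code null} collection would fail
     * with a NullPointerException at login time.
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        // fully qualified to avoid relying on an import outside this listing
        return java.util.Collections.<GrantedAuthority>emptyList();
    }

    /** Account expiry is not tracked; always considered valid. */
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    /**
     * Whether the account is usable. Null-safe on purpose: an absent or unknown
     * lock flag is treated as locked (fail closed) rather than throwing a
     * NullPointerException in the middle of authentication.
     */
    @Override
    public boolean isAccountNonLocked() {
        return "0".equals(locked);
    }

    /** Credential expiry is not tracked; always considered valid. */
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    /** No enabled/disabled flag is stored; every account is enabled. */
    @Override
    public boolean isEnabled() {
        return true;
    }
}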
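/**
 * Loads users for Spring Security by their login code ({@code usercode}).
 *
 * <p>Spring Security calls {@link #loadUserByUsername(String)} with the value the
 * user typed into the login form; the returned {@link SysUser} carries the stored
 * password hash, which the configured {@code PasswordEncoder} then verifies.
 */
@Service
public class SysUserService implements UserDetailsService {

    @Autowired
    private SysUserMapper userMapper;

    /**
     * Finds the user whose {@code usercode} equals the supplied login name.
     *
     * @param usercode login code entered by the user
     * @return the matching user as a Spring Security principal
     * @throws UsernameNotFoundException if no row matches; Spring Security by default
     *         reports this to the client as a generic bad-credentials failure, so the
     *         message does not leak whether an account exists
     */
    @Override
    public UserDetails loadUserByUsername(String usercode) throws UsernameNotFoundException {
        // A null or blank code can never match a stored (trimmed) usercode; reject it
        // before querying, since generated Example criteria typically reject null values.
        if (usercode == null || usercode.trim().isEmpty()) {
            throw new UsernameNotFoundException("账号不存在");
        }
        SysUserExample example = new SysUserExample();
        example.createCriteria().andUsercodeEqualTo(usercode);
        List<SysUser> matches = userMapper.selectByExample(example);
        if (matches == null || matches.isEmpty()) {
            throw new UsernameNotFoundException("账号不存在");
        }
        // usercode is assumed unique; if it is not, the first row wins.
        // NOTE(review): back this with a unique constraint on the column.
        return matches.get(0);
    }
}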
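/**
 * Web security configuration wiring the database-backed {@link SysUserService}
 * into Spring Security's authentication manager.
 *
 * <p>NOTE(review): {@code WebSecurityConfigurerAdapter} is deprecated since
 * Spring Security 5.7 and removed in 6.x; on newer versions the same wiring is
 * expressed with a {@code SecurityFilterChain} bean.
 */
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private SysUserService userService;

    /**
     * Password hashing used to verify logins. Spring Security refuses to compare
     * plain-text passwords, so the stored value must be a BCrypt hash produced by
     * this encoder: a 60-character string (not 64) that typically starts with
     * {@code $2a$}. The salt is embedded in the hash, so no separate salt column
     * is required.
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * HTTP security rules. Delegating to the adapter keeps its documented default:
     * every request requires authentication, with form login and HTTP Basic enabled
     * and CSRF protection on. Add per-endpoint rules here before exposing public URLs.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
    }

    /**
     * Registers the user lookup service and, explicitly, the encoder that the
     * DaoAuthenticationProvider uses to check submitted passwords against the
     * stored hashes, rather than relying on the adapter discovering the bean.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }
}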