项目笔记Learn04（spring security）

Spring Security提供了一组可以在Spring应用上下文中配置的Bean,利用了spring IOC，DI，AOP的功能。

需要角色认证和资源访问授权

1.使用自定义登陆页

1.pom.xml中导入坐标

<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>4.1.0.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>4.1.0.RELEASE</version>
		</dependency>

2.web.xml文件中监听器等

 <context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>classpath:spring-security.xml</param-value>
	 </context-param>
	 <listener>
		<listener-class>
			org.springframework.web.context.ContextLoaderListener
		</listener-class>
	 </listener>	
	 <filter>  
		<filter-name>springSecurityFilterChain</filter-name>  		
		 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  
	 </filter>  
	 <filter-mapping>  
		<filter-name>springSecurityFilterChain</filter-name>  
		<url-pattern>/*</url-pattern>  
	 </filter-mapping>	

3.配置spring-security.xml

	<!-- 以下页面不被拦截 -->
	<http pattern="/*.html" security="none"></http>
	<http pattern="/css/**" security="none"></http>
	<http pattern="/img/**" security="none"></http>
	<http pattern="/js/**" security="none"></http>
	<http pattern="/plugins/**" security="none"></http>
	<http pattern="/seller/add.do" security="none"></http>
	<!-- 页面拦截规则 -->
	<--   
	 	use-expressions 为是否使用使用 Spring 表达式语言（ SpEL ），默认为true  
		如果开启应  <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />  这样配置
	 -->
	<http use-expressions="false">
		<intercept-url pattern="/**" access="ROLE_SELLER" />
		<form-login login-page="/shoplogin.html"  default-target-url="/admin/index.html" authentication-failure-url="/shoplogin.html" always-use-default-target="true"/>	
		<csrf disabled="true"/>
		<headers>
			<frame-options policy="SAMEORIGIN"/>
		</headers>
		<logout/>
	</http>
<!-- 引用dubbo 服务  -->	
	<dubbo:application name="pinyougou-shop-web" />
	<dubbo:registry address="zookeeper://192.168.25.129:2181"/>
	<dubbo:reference id="sellerService"  interface="com.pinyougou.sellergoods.service.SellerService" >
	</dubbo:reference>

	<beans:bean id="userDetailService" class="com.pinyougou.service.UserDetailsServiceImpl">
		<beans:property name="sellerService" ref="sellerService"></bean:property>
	</beans:bean>

4.建立实现UserDetailsService接口的类，重写方法

public class UserDetailsServiceImpl implements UserDetailsService {
	private SellerService sellerService;
	public void setSellerService(SellerService sellerService) {
		this.sellerService = sellerService;
	}
	@Override
	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
		List<GrantedAuthority> grantAuths=new ArrayList();
		grantAuths.add(new SimpleGrantedAuthority("ROLE_SELLER"));  //添加授权角色
		TbSeller seller = sellerService.findOne(username);
		if(seller!=null){
			if(seller.getStatus().equals("1")){
				return new User(username,seller.getPassword(),grantAuths);
			}else{
				return null;
			}			
		}else{
			return null;
		}
	}
}

在html页面中name值一般是固定的

			<tr>
				<td>用户名:</td>
				<td><input type='text' name='username' value=''></td>
			</tr>
			<tr>
				<td>密码:</td>
				<td><input type='password' name='password' /></td>
			</tr>

补：
String name=SecurityContextHolder.getContext()getAuthentication().getName();
security提供的获取当前登陆用户名的方法

2.密码使用BCrypt算法进行加密存储

新添用户时：

		//密码加密
		BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
		String password = passwordEncoder.encode(seller.getPassword());
		seller.setPassword(password);

security认证管理器需修改

<!-- 认证管理器 -->
	<authentication-manager alias="authenticationManager">  
        <authentication-provider user-service-ref='userDetailService'>   
          	<password-encoder ref="bcryptEncoder"></password-encoder>	   		
        </authentication-provider>  
    </authentication-manager> 

以上只是最基本的使用，如错误请指出。