本文转自:https://blog.csdn.net/ka_ka314/article/details/79513991
Spring Security — 权限控制安全框架入门简介
一、Spring Security简介
Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。
二、入门案例
1、引入Jar
org.springframework.security
spring-security-web
4.1.0.RELEASE
org.springframework.security
spring-security-config
4.1.0.RELEASE
2、web.xml配置
contextConfigLocation
classpath:spring/spring-security.xml
org.springframework.web.context.ContextLoaderListener
springSecurityFilterChain org.springframework.web.filter.DelegatingFilterProxy springSecurityFilterChain /* 1 2 3 4 5 6 7 8 3、spring-security.xml配置 <?xml version="1.0" encoding="UTF-8"?><beans:beans xmlns=“http://www.springframework.org/schema/security”
xmlns:beans=“http://www.springframework.org/schema/beans”
xmlns:dubbo=“http://code.alibabatech.com/schema/dubbo”
xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance”
xsi:schemaLocation=“http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd”>
<!-- 开启表达登录功能 -->
<!--
参数说明:
login-processing-url : 配置登录提交的action,默认/login
login-page : 配置登录的页面
default-target-url : 登录成功后的访问页
authentication-failure-url : 登录失败的跳转页
username-parameter : 指定用户名<input>的name属性值,默认username
password-parameter : 指定密码<input>的name属性值,默认password
注意:页面上的form表单的method必须是post
-->
<form-login login-page="/shoplogin.html" default-target-url="/admin/index.html"
authentication-failure-url="/shoplogin.html" always-use-default-target="true"/>
<!-- 关闭csrf验证 -->
<csrf disabled="true"/>
<!--spring security默认拦截内置框架页,如iframe,需要如下配置取消拦截 -->
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
<!-- 退出
参数说明;
logout-url退出地址,默认/logout
logout-success-url退出成功的访问地址
-->
<logout/>
<beans:bean id=“userDetailService” class=“com.xxx.shop.service.UserDetailsServiceImpl”>
<beans:property name=“sellerService” ref=“sellerService”></beans:property>
</beans:bean>
<dubbo:application name=“xxx-shop-web” />
<dubbo:registry address=“zookeeper://192.168.25.128:2181”/>
<dubbo:reference id=“sellerService” interface=“com.xxx.sellergoods.service.SellerService”></dubbo:reference>
<beans:bean id=“bCryptPasswordEncoder” class=“org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder”></beans:bean>
</beans:beans>
4、UserDetailsServiceImpl实现类
package com.xxx.shop.service;
import com.xxx.pojo.TbSeller;
import com.xxx.sellergoods.service.SellerService;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import java.util.ArrayList;
import java.util.List;
public class UserDetailsServiceImpl implements UserDetailsService{
private SellerService sellerService;
public void setSellerService(SellerService sellerService) {
this.sellerService = sellerService;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
System.out.println(“UserDetailsServiceImpl”);
// 构建角色列表
List<GrantedAuthority> grantAuths = new ArrayList<>();
grantAuths.add(new SimpleGrantedAuthority("ROLE_SELLER"));
TbSeller seller = sellerService.findOne(username);
if (seller != null)
if (seller.getStatus().equals("1"))
return new User(username,seller.getPassword(),grantAuths);
return null;
}