spring-security配置文件记录
需要的jar包
<properties>
<spring.security.version>5.1.5.RELEASE</spring.security.version>
</properties>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring.security.version}</version>
</dependency>
在web.xml中配置filter
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
spring-security.xml文件
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<!-- 配置不拦截的资源 -->
<security:http pattern="/login.jsp" security="none"/>
<security:http pattern="/failer.jsp" security="none"/>
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/plugins/**" security="none"/>
<!--
auto-config:是否使用SpringSecurity中自带的登录页面
use-expressions:是否支持spel表达式
-->
<security:http auto-config="true" use-expressions="true" >
<!-- 配置资料连接,表示任意路径都需要ROLE_USER权限 -->
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
<!-- 自定义登陆页面,login-page 自定义登陆页面 authentication-failure-url 用户权限校验失败之后才会跳转到这个页面,如果数据库中没有这个用户则不会跳转到这个页面。
default-target-url 登陆成功后跳转的页面。 注:登陆页面用户名固定 username,密码 password,action:login -->
<security:form-login login-page="/login.jsp"
login-processing-url="/login" username-parameter="username"
password-parameter="password" authentication-failure-url="/failer.jsp"
default-target-url="/index.jsp" authentication-success-forward-url="/pages/main.jsp"
/>
<!-- 关闭CSRF(跨域请求),默认是开启的 -->
<security:csrf disabled="true" />
<!-- 退出 -->
<security:logout invalidate-session="true" logout-url="/logout" logout-success-url="/login.jsp" />
</security:http>
<!--连接数据库获取用户信息及权限认证-->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userService">
<!-- 配置加密的方式-->
<security:password-encoder ref="passwordEncoder"/>
</security:authentication-provider>
</security:authentication-manager>
<!--配置加密类-->
<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</beans>
java程序在service层部分
public interface IUserInfoService extends UserDetailsService {
}
java程序在serviceImpl层部分
@Service("userService")
public class UserInfoServiceImpl implements IUserInfoService {
@Autowired
IUserInfoDao userInfoDao;
/**
* 该方法的主要目的是从数据库中获取用户的信息,将信息包装到security提供的User对象中
* 内部会自动对该User中的信息进行认证操作
* @param username
* @return
* @throws UsernameNotFoundException
*/
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
UserInfo userInfo = userInfoDao.findUserInfoByName(username);
User user = new User(userInfo.getUsername(),userInfo.getPassword(),userInfo.getStatus()==0?false:true,
true,true,true,getAuthority(userInfo.getRoles()));
return user;
}
/**
* 获取用户权限
*/
public List<SimpleGrantedAuthority> getAuthority(List<Role> roleList){
List<SimpleGrantedAuthority> list = new ArrayList<SimpleGrantedAuthority>();
for(Role role : roleList){
list.add(new SimpleGrantedAuthority("ROLE_"+role.getRoleName()));
}
return list;
}
}