本文介绍了如何使用SpringBoot、SpringSecurity和Mybatis结合MySQL实现用户登录验证、记住密码以及退出功能。讲解了SpringSecurity的工作原理,包括UsernamePasswordAuthenticationToken验证、AuthenticationManager、AuthenticationProvider以及UserDetailsService的角色。此外,还提到了自定义登录界面和处理记住密码、退出登录的实现细节。
springsecurity 主要的功能是 验证 和 授权。springsecurity主要的工作原理是:
当我们在登录页面中输入用户名和密码之后首先会进入到UsernamePasswordAuthenticationToken验证(Authentication),然后生成的Authentication会被交由AuthenticationManager来进行管理而AuthenticationManager管理一系列的AuthenticationProvider,而每一个Provider都会通UserDetailsService和UserDetail来返回一个以UsernamePasswordAuthenticationToken实现的带用户名和密码以及权限的Authentication
springsecurity 会为我们自动生成一个登录界面,不过这个界面有点丑,当然我们也可以自己定义登录界面。
在pom.xml中引入各种jar包就不再赘述,mybatis的配置和mapring的编写也省略,主要讲述springsecurity 的配置。
WebSecurityConfigurerAdapter
首先我们需要自定义一个类来继承WebSecurityConfigurerAdapter,并且在类上加上注解,在该类中重写configure方法来实现自定义拦截方法和请求UserDetailsService。具体代码如下:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
UserDetailsService customUserService() { // 注册UserDetailsService 的bean
return new CustomUserDetailsService();
}
@Bean
public static NoOpPasswordEncoder passwordEncoder() {
return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
}
@Override
//重写configure(HttpSecurity http)的方法,这里面来自定义自己的拦截方法和业务逻辑
protected void configure(HttpSecurity httpSecurity) throws Exception {
System.out.println("用到一!!");
httpSecurity.authorizeRequests()
.antMatchers("/js/**","/css/**","/images/*","/fonts/**","/**/*.png","/**/*.jpg").permitAll()
.antMatchers("/","/login","/signin").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/login?error")
.defaultSuccessUrl("/home")
.permitAll()
.and()
.rememberMe().rememberMeParameter("remember-me") //其实默认就是remember-me,这里可以指定更换
.and()
.logout()
.logoutSuccessUrl("/login?logout") //退出登录
.permitAll()
.and()
.csrf().disable();
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserService()).passwordEncoder(passwordEncoder());
}
}
@Bean
public static NoOpPasswordEncoder passwordEncoder() {
return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
}该函数的作用是实现密码的加密,在springsecurity5.0版本之后,如果不对密码进行passwordEncoder,会抛出There is no PasswordEncoder mapped for the id "null"异常。解决方法是
- 在securityConfig类下加入NoOpPasswordEncoder,不过官方已经不推荐了
@Bean
public static NoOpPasswordEncoder passwordEncoder() {
return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
}
- 在securityConfig类下加入密码加密,在数据库中存的密码也是要经过这个加密的才能匹配上
@Autowired
private UserDetailsService customUserService;
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserService).passwordEncoder(new BCryptPasswordEncoder());
}
UserDetailsService
springsecurity在请求完WebSecurityConfigurerAdapter会请求UserDetailsService,所以我们要再自定义一个类实现UserDetailsService接口,该类主要用来进行用户名密码的验证和用户的授权。具体代码如下
@Service
public class CustomUserDetailsService implements UserDetailsService {
@Autowired
UserService userService;
@Autowired
HttpServletRequest request;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userService.selectUser(username);
System.out.println(user.getUsername());
if (user == null){
throw new UsernameNotFoundException("用户名不存在!");
}
HttpSession session = request.getSession();
session.setAttribute("user",user);
session.setAttribute("sessusername",username);
List<SimpleGrantedAuthority> authorities = new ArrayList<>();
// for (Role role:user.getRoles()) {
// authorities.add(new SimpleGrantedAuthority(role.getName()));
// }
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
System.out.println(user.getUsername()+authorities.toString());
return new org.springframework.security.core.userdetails.User(user.getUsername(),user.getPwd(),authorities);
}
}该类中我是直接把所有的用户赋予了ROLE_USER权限
最低0.47元/天 解锁文章
497
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
