1.相关的依赖:
权限验证相关的依赖(spring-security-config,spring-security-taglibs)
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.spring.springsecurity</groupId>
<artifactId>spring_springsecurity</artifactId>
<packaging>war</packaging>
<version>0.0.1-SNAPSHOT</version>
<name>spring_springsecurity Maven Webapp</name>
<url>http://maven.apache.org</url>
<dependencies>
<!--
Spring dependencies.
NOTE(review): every version below is pinned to what the tutorial was written
against. Before reusing this POM, check each artifact against its current
security advisories and move to a maintained release line.
-->
<!-- Persistence-layer support (spring-orm) -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>5.2.9.RELEASE</version>
</dependency>
<!-- Core Spring container -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>5.2.9.RELEASE</version>
</dependency>
<!-- MySQL JDBC driver (matches jdbc_driver=com.mysql.jdbc.Driver in db.properties) -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.38</version>
</dependency>
<!-- AOP weaver; the page states it is required for annotation-based authorization -->
<!-- https://mvnrepository.com/artifact/org.aspectj/aspectjweaver -->
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.9.5</version>
<scope>runtime</scope>
</dependency>
<!-- JSR-250 annotations; supplies @RolesAllowed used by UserController -->
<!-- https://mvnrepository.com/artifact/javax.annotation/jsr250-api -->
<dependency>
<groupId>javax.annotation</groupId>
<artifactId>jsr250-api</artifactId>
<version>1.0</version>
</dependency>
<!-- MyBatis -->
<!-- https://mvnrepository.com/artifact/org.mybatis/mybatis -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
<version>3.5.3</version>
</dependency>
<!-- MyBatis/Spring integration -->
<!-- https://mvnrepository.com/artifact/org.mybatis/mybatis-spring -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis-spring</artifactId>
<version>1.3.2</version>
</dependency>
<!-- JDBC connection pool (Druid) -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.21</version>
</dependency>
<!--
Spring MVC dependencies
-->
<!-- https://mvnrepository.com/artifact/org.springframework/spring-webmvc -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>5.2.9.RELEASE</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework/spring-web -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>5.2.9.RELEASE</version>
</dependency>
<!-- Servlet API; "provided" because the container supplies it at runtime -->
<!-- https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
<scope>provided</scope>
</dependency>
<!-- JSTL API; the exclusions keep older servlet/JSP API jars off the classpath -->
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
<artifactId>jstl-api</artifactId>
<version>1.2</version>
<exclusions>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- JSTL implementation -->
<dependency>
<groupId>org.glassfish.web</groupId>
<artifactId>jstl-impl</artifactId>
<version>1.2</version>
<exclusions>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.servlet.jsp.jstl</groupId>
<artifactId>jstl-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- https://mvnrepository.com/artifact/junit/junit -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
<!-- File upload.
NOTE(review): this library parses untrusted multipart request bodies, so an old
pinned release is a real exposure. No upload code is shown on this page; if the
project has none, drop the dependency, otherwise move to a maintained release. -->
<!-- https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload -->
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.3.1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/commons-io/commons-io -->
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.6</version>
</dependency>
<!-- Server-side bean validation -->
<!-- https://mvnrepository.com/artifact/org.hibernate.validator/hibernate-validator -->
<dependency>
<groupId>org.hibernate.validator</groupId>
<artifactId>hibernate-validator</artifactId>
<version>6.1.5.Final</version>
</dependency>
<!-- JSON (Jackson).
NOTE(review): jackson-databind handles request and response bodies; keep it on a
patched release and do not enable polymorphic default typing for untrusted input. -->
<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.12.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>2.12.0</version>
</dependency>
<!-- Spring Security (authentication and authorization).
NOTE(review): only the config and taglibs modules are declared. The servlet
filter chain and the BCrypt encoder used by spring_security.xml live in other
Spring Security modules and presumably arrive transitively; confirm with
"mvn dependency:tree" and keep all Spring Security modules on one version. -->
<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-config -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.3.3.RELEASE</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-taglibs -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>5.3.3.RELEASE</version>
</dependency>
<!--
Logging dependencies.
NOTE(review): the slf4j artifacts below are an alpha pre-release, and log4j 1.x
is end-of-life and no longer receives security fixes. Plan a move to a
maintained logging backend before using this stack outside a demo.
-->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>2.0.0-alpha1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12 -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>2.0.0-alpha1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/log4j/log4j -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
</dependencies>
<build>
<!-- Build plugins -->
<plugins>
<!-- Embedded Tomcat for local runs.
NOTE(review): this plugin starts an embedded Tomcat 7, which is end-of-life;
use it for local development only, not as a deployment target. -->
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.2</version>
<configuration>
<!-- HTTP port -->
<port>8080</port>
<!-- Context path: "/" serves the app at http://localhost:8080/, whereas a value such as /abc would serve it at http://localhost:8080/abc -->
<path>/</path>
<!-- URI encoding -->
<uriEncoding>UTF-8</uriEncoding>
</configuration>
</plugin>
<!-- Java source/target level for the compiler -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.5.1</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
</configuration>
</plugin>
</plugins>
<!-- Package XML files that sit next to the Java sources (MyBatis mapper files) as resources.
NOTE(review): declaring <resources> replaces Maven's default resource directory;
verify that the files under src/main/resources still reach the classpath. -->
<resources>
<resource>
<directory>src/main/java</directory>
<includes>
<include>**/*.xml</include>
</includes>
</resource>
</resources>
</build>
</project>
2.相关的配置文件:
-
db.properties
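# JDBC settings. spring_applicationContext.xml loads this file through
# <context:property-placeholder location="classpath:db.properties"/> and feeds
# the four keys below into the Druid data source.
# One key per line: a .properties parser treats everything after the first '='
# on a line as the value, so the keys must not share a line.
jdbc_driver=com.mysql.jdbc.Driver
jdbc_url=jdbc:mysql://localhost:3306/test
# NOTE(review): root/root is a local-demo credential. For anything beyond a
# throwaway database, connect as a dedicated account that holds only the
# privileges the application needs, and supply the password from the
# deployment environment instead of a file that is committed with the code.
jdbc_username=root
jdbc_password=root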
-
log4j.properties
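# Log switch: root level plus the appenders attached to the root logger.
# NOTE(review): the root logger runs at debug. At that level the persistence
# layer can write SQL statements and their bound parameters (for this app, the
# login names being looked up) into the files below. Use info or higher outside
# local debugging and restrict who can read the log directory.
log4j.rootLogger=debug, Console, info,error,debug

#Console
log4j.appender.Console=org.apache.log4j.ConsoleAppender
log4j.appender.Console.layout=org.apache.log4j.PatternLayout
log4j.appender.Console.layout.ConversionPattern=%d [%t] %-5p [%c] - %m%n

### Write debug output to its own file ###
log4j.appender.debug=org.apache.log4j.DailyRollingFileAppender
#log4j.appender.debug.File=${catalina.home}/logs/debug.log
# NOTE(review): absolute, machine-specific path, unlike the two appenders below.
log4j.appender.debug.File=D:/logs/debug.log
log4j.appender.debug.Append = true
log4j.appender.debug.Threshold = DEBUG
log4j.appender.debug.layout=org.apache.log4j.PatternLayout
log4j.appender.debug.layout.ConversionPattern=%d [%t] %-5p [%c] - %m%n

### Write info output to its own file ###
log4j.appender.info=org.apache.log4j.DailyRollingFileAppender
log4j.appender.info.File=${catalina.home}/logs/info.log
log4j.appender.info.Append = true
log4j.appender.info.Threshold = INFO
log4j.appender.info.layout=org.apache.log4j.PatternLayout
log4j.appender.info.layout.ConversionPattern=%d [%t] %-5p [%c] - %m%n

### Write error output to its own file ###
log4j.appender.error = org.apache.log4j.DailyRollingFileAppender
log4j.appender.error.File = ${catalina.home}/logs/error.log
log4j.appender.error.Append = true
log4j.appender.error.Threshold = ERROR
log4j.appender.error.layout = org.apache.log4j.PatternLayout
log4j.appender.error.layout.ConversionPattern = %d [%t] %-5p [%c] - %m%n

#Project default level
log4j.logger.com.as.resource = INFO
log4j.logger.org.springframework.web = INFO

#DEBUG
log4j.logger.java.sql.Connection = DEBUG
log4j.logger.java.sql.Statement = DEBUG
log4j.logger.java.sql.PreparedStatement = DEBUG
log4j.logger.java.sql.ResultSet =DEBUG

#mybatis
log4j.logger.com.ibatis=DEBUG
log4j.logger.com.ibatis.common.jdbc.SimpleDataSource=DEBUG
log4j.logger.com.ibatis.common.jdbc.ScriptRunner=DEBUG
log4j.logger.com.ibatis.sqlmap.engine.impl.SqlMapClientDelegate=DEBUG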
-
mybatis-config.xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE configuration PUBLIC "-//mybatis.org//DTD Config 3.0//EN" "http://mybatis.org/dtd/mybatis-3-config.dtd">
<!-- Intentionally empty: the data source and the mapper locations are set on
     SqlSessionFactoryBean in spring_applicationContext.xml, which references
     this file through its configLocation property. -->
<configuration> </configuration>
-
spring_applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Root application context: services, data source, MyBatis, and (through the
     import at the end) the Spring Security configuration. web.xml loads this
     file via ContextLoaderListener. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd http://www.springframework.org/schema/aop https://www.springframework.org/schema/aop/spring-aop.xsd">

    <!-- Component scanning for the service layer -->
    <context:component-scan base-package="com.self.spring.service.*"/>
    <!-- Alternative kept for reference: scan with the default filters
         (@Service, @Component, @Repository) but leave @Controller classes out.
    <context:component-scan base-package="com.self.spring.service.*" use-default-filters="true">
        <context:exclude-filter type="annotation" expression="org.springframework.stereotype.Controller" />
    </context:component-scan>
    -->

    <!-- Load db.properties so the ${jdbc_*} placeholders below resolve -->
    <context:property-placeholder location="classpath:db.properties" />

    <!-- Data source (Druid pool). The credentials come from db.properties;
         keep real ones out of version control. -->
    <bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource" init-method="init" destroy-method="close">
        <property name="url" value="${jdbc_url}" />
        <property name="driverClassName" value="${jdbc_driver}" />
        <property name="password" value="${jdbc_password}" />
        <property name="username" value="${jdbc_username}" />
    </bean>

    <!-- MyBatis integration: the session factory is managed by the Spring container -->
    <bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">
        <!-- MyBatis configuration file. When combining Spring, Spring MVC and
             MyBatis, load it with the classpath: prefix, otherwise the file is
             not found. -->
        <property name="configLocation" value="classpath:mybatis-config.xml" />
        <!-- Data source used by MyBatis -->
        <property name="dataSource" ref="dataSource" />
        <!-- When the mapper XML files are not in the same directory as the
             mapper interfaces, a plain classpath: lookup only searches the
             current location and does not look inside jars. The * in
             classpath*: widens the search to every classpath root, jars
             included. -->
        <property name="mapperLocations" value="classpath*:mapper/*.xml"></property>
    </bean>

    <!-- Package that is scanned for mapper interfaces -->
    <bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">
        <property name="basePackage" value="com.self.spring.mapper" />
    </bean>

    <!-- Pull in the Spring Security configuration -->
    <import resource="classpath:spring_security.xml"/>
</beans>
-
spring_mvc.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- DispatcherServlet context: controllers, static resources, view resolution. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd ">

    <!-- Static resources -->
    <mvc:resources location="/img/" mapping="/img/**"></mvc:resources>

    <!-- Component scanning for the controllers -->
    <context:component-scan base-package="com.self.spring.controller"/>
    <!-- Alternative kept for reference: register @Controller classes only.
    <context:component-scan base-package="com.self.spring.controller" use-default-filters="false">
        <context:include-filter type="annotation" expression="org.springframework.stereotype.Controller" />
    </context:component-scan>
    -->

    <!-- Enable annotation-driven MVC -->
    <mvc:annotation-driven/>

    <!-- View resolver for JSPs ("Internal" = resources inside the web application).
         NOTE(review): prefix "/" places the JSPs in the web root, so each one is
         also directly addressable by URL and is protected only by the
         intercept-url rules in spring_security.xml. Keeping views under
         /WEB-INF/ is the usual way to make them reachable only through a
         controller. -->
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="suffix" value=".jsp"/>
        <property name="prefix" value="/"/>
    </bean>

    <!-- Enable AOP proxying. The page states this must be on for the security
         annotations to take effect, because Spring Security enforces them
         through AOP. The controllers are created in this servlet context while
         global-method-security is declared in spring_security.xml (root
         context), so this is the element that proxies the controllers.
         NOTE(review): if it is removed, @RolesAllowed / @Secured /
         @PreAuthorize on the controllers are presumably no longer enforced;
         cover that with a test. -->
    <aop:aspectj-autoproxy proxy-target-class="true"/>
</beans>
-
spring_security.xml(各项配置的使用先后顺序见文件内注释中的编号 1、2、3)
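<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security configuration. The numbers in the comments (1, 2, 3) give
     the order in which the pieces are introduced. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd ">

    <!-- 3. Method-level authorization annotations:
         jsr250-annotations="enabled"   : JSR-250 annotations such as @RolesAllowed
         pre-post-annotations="enabled" : expression-based @PreAuthorize / @PostAuthorize
         secured-annotations="enabled"  : Spring Security's own @Secured -->
    <security:global-method-security jsr250-annotations="enabled" pre-post-annotations="enabled" secured-annotations="enabled"/>

    <!-- Static images bypass the security filter chain completely. Keep this
         pattern narrow: nothing under it gets authentication, CSRF protection
         or security headers. -->
    <security:http pattern="/img/**" security="none"></security:http>

    <!-- 1. auto-config="true"     : apply Spring Security's default setup
            use-expressions="true" : access attributes are SpEL expressions -->
    <security:http auto-config="true" use-expressions="true">
        <!-- Rules are evaluated top to bottom and the first match wins, so the
             anonymous pages must be listed before the catch-all rule. -->
        <!-- The login page must be reachable anonymously -->
        <security:intercept-url pattern="/login.jsp" access="permitAll()"/>
        <!-- The failure page is the redirect target after a rejected login.
             The user is still anonymous at that point; without this rule the
             catch-all below sends the browser back to the login page and the
             failure page is never shown. -->
        <security:intercept-url pattern="/failure.jsp" access="permitAll()"/>
        <!-- pattern="/**" covers every other resource;
             access="hasAnyRole('ROLE_USER')" admits only users holding ROLE_USER -->
        <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
        <!-- Custom form login:
             login-page="/login.jsp"                  : the login form
             login-processing-url="/login"            : URL on which Spring Security processes the submitted form
             default-target-url="/home.jsp"           : page shown after a successful login
             authentication-failure-url="/failure.jsp": page shown after a failed login -->
        <security:form-login login-page="/login.jsp" login-processing-url="/login" default-target-url="/home.jsp" authentication-failure-url="/failure.jsp"/>
        <!-- Page shown when an authenticated user is denied access -->
        <security:access-denied-handler error-page="/403.jsp"/>
    </security:http>

    <!-- Switching the CSRF filter off (not recommended; leave it enabled).
         With CSRF protection on, a request can be answered with 403 because
         only GET, HEAD, TRACE and OPTIONS are exempt from the token check by
         default. Solve that in the page by sending the token (see
         <security:csrfInput/> in login.jsp and home.jsp), not by disabling
         the filter. -->
    <!-- <security:csrf disabled="true"/> -->

    <!-- 2. Authentication manager -->
    <bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEcoder"/>
    <security:authentication-manager>
        <!-- user-service-ref="userServiceImpl": look users up in the database -->
        <security:authentication-provider user-service-ref="userServiceImpl">
            <!-- Stored passwords are verified as BCrypt hashes -->
            <security:password-encoder ref="passwordEcoder"/>
            <!-- In-memory users, kept for reference only. Spring Security expects
                 encoded passwords; the {noop} prefix marks a password stored
                 without encoding. Plaintext demo credentials like these must
                 never be enabled in a deployed configuration.
            <security:user-service>
                <security:user name="zhangsan" authorities="ROLE_USER" password="{noop}123456"/>
                <security:user name="lisi" authorities="ROLE_USER" password="{noop}123456"/>
            </security:user-service>
            -->
        </security:authentication-provider>
    </security:authentication-manager>
</beans>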
web.xml
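<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>Archetype Created Web Application</display-name>

    <!-- 1. Root Spring context: services, persistence and the security configuration -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring_applicationContext.xml</param-value>
    </context-param>
    <!-- Creates the root context before the DispatcherServlet starts and stores
         it in the ServletContext -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Front controller (DispatcherServlet); required -->
    <servlet>
        <servlet-name>spring_security</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <!-- MVC configuration file for this servlet -->
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:spring_mvc.xml</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring_security</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- Character-encoding filter. Filters run in the order of their
         filter-mapping entries, so this one is mapped BEFORE the security
         filter chain: the security filters read request parameters (login
         form fields, the CSRF token), and the request encoding has no effect
         once parameters have been parsed. -->
    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>utf-8</param-value>
        </init-param>
        <init-param>
            <!-- Also force the encoding on responses -->
            <param-name>forceResponseEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Spring Security filter chain. The filter name is fixed: it must be
         springSecurityFilterChain so DelegatingFilterProxy finds the bean.
         The /* mapping puts every request behind the chain. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>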
4.具体的实现层代码:
- pojo层
package com.self.spring.pojo; public class Dept { private int deptno; private String dname; private String loc; private Integer state; public int getDeptno() { return deptno; } public void setDeptno(int deptno) { this.deptno = deptno; } public String getDname() { return dname; } public void setDname(String dname) { this.dname = dname; } public String getLoc() { return loc; } public void setLoc(String loc) { this.loc = loc; } public Integer getState() { return state; } public void setState(Integer state) { this.state = state; } public Dept() { super(); // TODO Auto-generated constructor stub } public Dept(int deptno, String dname, String loc, Integer state) { super(); this.deptno = deptno; this.dname = dname; this.loc = loc; this.state = state; } @Override public String toString() { return "Dept [deptno=" + deptno + ", dname=" + dname + ", loc=" + loc + ", state=" + state + "]"; } }
- mapper层
1.映射文件:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.self.spring.mapper.UserMapper">
    <!-- #{} versus ${}:
         #{} : the value is bound as a prepared-statement parameter. It never
               becomes part of the SQL text, which protects against SQL
               injection.
         ${} : the value is spliced into the SQL text as is, without quoting,
               so it can introduce SQL injection.
         Use #{} wherever a value is needed. ${} is only for places a parameter
         cannot go, such as a table name or the column of an ORDER BY; in those
         cases take the name from a fixed allow-list in code, never directly
         from request input. -->
    <!-- NOTE(review): "select *" also returns the loc column, which
         UserServiceImpl uses as the stored password. Select only the columns a
         caller needs when the result is shown to users. -->
    <select id="queryList" resultType="com.self.spring.pojo.Dept"> select * from dept </select>
    <select id="queryUserName" resultType="com.self.spring.pojo.Dept"> select * from dept where dname=#{userName} </select>
</mapper>
2.接口类
package com.self.spring.mapper;

import java.util.List;

import org.apache.ibatis.annotations.Param;

import com.self.spring.pojo.Dept;

/**
 * MyBatis mapper interface; its statements are defined in the mapper XML whose
 * namespace is {@code com.self.spring.mapper.UserMapper}.
 */
public interface UserMapper {

    /** Returns every row of the {@code dept} table. */
    List<Dept> queryList();

    /**
     * Returns the rows whose {@code dname} equals {@code userName}. The value
     * is bound with {@code #{userName}} in the mapper XML, i.e. as a statement
     * parameter and not as SQL text.
     */
    List<Dept> queryUserName(@Param("userName")String userName);
}
- service层
package com.self.spring.service;

import java.util.List;

import org.springframework.security.core.userdetails.UserDetailsService;

import com.self.spring.pojo.Dept;

/**
 * Service used for database-backed user verification.
 *
 * <p>The interface has to extend {@link UserDetailsService}. Nothing needs to
 * be added here for that; the implementing class overrides
 * {@code loadUserByUsername()}, and Spring Security calls it through the
 * {@code user-service-ref} configured in spring_security.xml.
 *
 * @author guanjun.zhou
 */
public interface IUserService extends UserDetailsService {

    /** Returns every {@link Dept} row. */
    List<Dept> queryList();

    /** Demo method that returns a greeting. */
    String hello();
}
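package com.self.spring.service.impl;

import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import com.self.spring.mapper.UserMapper;
import com.self.spring.pojo.Dept;
import com.self.spring.service.IUserService;

/**
 * Service implementation that also acts as the Spring Security
 * {@code UserDetailsService} (referenced as {@code userServiceImpl} in
 * spring_security.xml).
 */
@Service
public class UserServiceImpl implements IUserService {

    @Autowired
    private UserMapper mapper;

    /** Demo method: prints a greeting and returns another one. */
    public String hello() {
        System.out.println("hello word....");
        return "hello service......";
    }

    /** Returns every row of the dept table. */
    public List<Dept> queryList() {
        return mapper.queryList();
    }

    /**
     * Loads the account for a login attempt from the database. This works
     * because IUserService extends UserDetailsService.
     *
     * <p>The dept table is used as the account store: {@code dname} is the
     * login name, {@code loc} holds the stored password and {@code state == 1}
     * means the account is enabled. spring_security.xml configures a BCrypt
     * password encoder, so {@code loc} has to contain a BCrypt hash.
     *
     * <p>The submitted name is deliberately neither printed nor copied into
     * the exception message: it is untrusted input and would otherwise be
     * written to the output stream on every login attempt.
     *
     * @param s the login name submitted by the client
     * @return the user details for exactly one matching, usable row
     * @throws UsernameNotFoundException if no row, more than one row, or a row
     *         without a stored password matches. The UserDetailsService
     *         contract requires an exception here; returning {@code null} is
     *         a contract violation.
     */
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        List<Dept> list = mapper.queryUserName(s);

        // Exactly one row must match; an ambiguous name is rejected as well.
        if (list == null || list.size() != 1 || list.get(0) == null) {
            throw new UsernameNotFoundException("user not found");
        }
        Dept dept = list.get(0);

        // User's constructor rejects a null password; report it as a failed lookup.
        if (dept.getLoc() == null) {
            throw new UsernameNotFoundException("user not found");
        }

        // Every account gets ROLE_USER only.
        // NOTE(review): no code on this page grants ROLE_QUERY, ROLE_UPDATE or
        // ROLE_DELETE, so the endpoints that require them stay closed to everyone.
        List<SimpleGrantedAuthority> authr = new ArrayList<>();
        authr.add(new SimpleGrantedAuthority("ROLE_USER"));

        // Variants shown in the tutorial:
        // 1. plaintext password:  new User(s, "{noop}" + dept.getLoc(), authr)
        // 2. encoded password:    new User(s, dept.getLoc(), authr)
        // 3. encoded password plus account state (used here).
        // state is an Integer; a null state counts as disabled rather than
        // failing with a NullPointerException during unboxing.
        boolean enabled = Integer.valueOf(1).equals(dept.getState());
        return new User(s, dept.getLoc(), enabled, true, true, true, authr);
    }
}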
- controller层:(在使用注解权限时候,必须添加依赖aspectjweaver,使用jsr250时候还要依赖jsr250-api)
package com.self.spring.controller;

import java.util.List;

import javax.annotation.security.RolesAllowed;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.ModelAndView;

import com.self.spring.pojo.Dept;
import com.self.spring.service.IUserService;

/**
 * Demonstrates method security with the JSR-250 {@code @RolesAllowed}
 * annotation (switched on by {@code jsr250-annotations="enabled"} in
 * spring_security.xml).
 *
 * <p>NOTE(review): UserServiceImpl grants ROLE_USER only, so the handlers that
 * require ROLE_QUERY or ROLE_DELETE are denied to every account in this demo.
 */
@RestController
public class UserController {

    @Autowired
    private IUserService dao;

    /** Needs ROLE_USER; prints the service greeting and returns the text "index". */
    @RolesAllowed({"ROLE_USER"})
    @RequestMapping("/hello")
    public String hello() {
        String greeting = dao.hello();
        System.out.println(greeting);
        return "index";
    }

    /**
     * Needs ROLE_QUERY; returns all rows as the response body.
     *
     * <p>NOTE(review): the serialised Dept objects include {@code loc}, which
     * UserServiceImpl uses as the stored password.
     */
    @RolesAllowed({"ROLE_QUERY"})
    @GetMapping("/user/findAll")
    public List<Dept> findListUser(Model model) {
        System.out.println("findListUser.....");
        List<Dept> depts = dao.queryList();
        model.addAttribute("users", depts);
        return depts;
    }

    /** Needs ROLE_DELETE; renders the "index" view with all rows under "list". */
    @RolesAllowed({"ROLE_DELETE"})
    @GetMapping("/user/query")
    public ModelAndView findList() {
        System.out.println("query.....");
        ModelAndView view = new ModelAndView();
        view.setViewName("index");
        view.addObject("list", dao.queryList());
        return view;
    }
}
package com.self.spring.controller;

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.ModelAndView;

import com.self.spring.pojo.Dept;
import com.self.spring.service.IUserService;

/**
 * Demonstrates method security with Spring Security's own {@code @Secured}
 * annotation (switched on by {@code secured-annotations="enabled"} in
 * spring_security.xml). All handlers live under {@code /secured}.
 *
 * <p>NOTE(review): UserServiceImpl grants ROLE_USER only, so the handlers that
 * require ROLE_UPDATE or ROLE_QUERY are denied to every account in this demo.
 */
@RestController
@RequestMapping("/secured")
public class securedController {

    @Autowired
    private IUserService dao;

    /** Needs ROLE_USER; prints the service greeting and returns the text "index". */
    @Secured(value = {"ROLE_USER"})
    @RequestMapping("/hello")
    public String hello() {
        String greeting = dao.hello();
        System.out.println(greeting);
        return "index";
    }

    /**
     * Needs ROLE_UPDATE; returns all rows as the response body.
     *
     * <p>NOTE(review): the serialised Dept objects include {@code loc}, which
     * UserServiceImpl uses as the stored password.
     */
    @Secured(value = {"ROLE_UPDATE"})
    @GetMapping("/findAll")
    public List<Dept> findListUser(Model model) {
        System.out.println("findListUser.....");
        List<Dept> depts = dao.queryList();
        model.addAttribute("users", depts);
        return depts;
    }

    /** Needs ROLE_QUERY; renders the "index" view with all rows under "list". */
    @Secured(value = {"ROLE_QUERY"})
    @GetMapping("/query")
    public ModelAndView findList() {
        System.out.println("query.....");
        ModelAndView view = new ModelAndView();
        view.setViewName("index");
        view.addObject("list", dao.queryList());
        return view;
    }
}
package com.self.spring.controller;

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.ModelAndView;

import com.self.spring.pojo.Dept;
import com.self.spring.service.IUserService;

/**
 * Demonstrates method security with the expression-based
 * {@code @PreAuthorize} annotation (switched on by
 * {@code pre-post-annotations="enabled"} in spring_security.xml). All handlers
 * live under {@code /older}.
 *
 * <p>NOTE(review): UserServiceImpl grants ROLE_USER only, so the handlers that
 * require ROLE_UPDATE or ROLE_DELETE are denied to every account in this demo.
 */
@RestController
@RequestMapping("/older")
public class olderController {

    @Autowired
    private IUserService dao;

    /** Needs ROLE_UPDATE; prints the service greeting and returns the text "index". */
    @PreAuthorize(value = "hasAnyRole('ROLE_UPDATE')")
    @RequestMapping("/hello")
    public String hello() {
        String greeting = dao.hello();
        System.out.println(greeting);
        return "index";
    }

    /**
     * Needs ROLE_USER; returns all rows as the response body.
     *
     * <p>NOTE(review): this is the one list endpoint a logged-in demo user can
     * reach, and the serialised Dept objects include {@code loc}, which
     * UserServiceImpl uses as the stored password.
     */
    @PreAuthorize(value = "hasAnyRole('ROLE_USER')")
    @GetMapping("/findAll")
    public List<Dept> findListUser(Model model) {
        System.out.println("findListUser.....");
        List<Dept> depts = dao.queryList();
        model.addAttribute("users", depts);
        return depts;
    }

    /** Needs ROLE_DELETE; renders the "index" view with all rows under "list". */
    @PreAuthorize(value = "hasAnyRole('ROLE_DELETE')")
    @GetMapping("/query")
    public ModelAndView findList() {
        System.out.println("query.....");
        ModelAndView view = new ModelAndView();
        view.setViewName("index");
        view.addObject("list", dao.queryList());
        return view;
    }
}
3.jsp数据请求认证相关:
- 权限-标签:role.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
<%-- Authorization tags demo: each link is rendered only for users holding the
     role named in the surrounding security:authorize tag. UserServiceImpl
     grants ROLE_USER only, so a logged-in demo user sees just the link inside
     the ROLE_USER block. --%>
<%-- NOTE(review): these tags only decide what is drawn. Hiding a link does not
     protect the action behind it; every endpoint a link targets needs its own
     server-side rule (an intercept-url entry or a method-security annotation). --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>授权-标签</title>
</head>
<body>
<!--
对应的权限下才会显示,否则掩藏,登录时候只显示查询的角色
-->
<H1>角色管理</H1>
<%-- Prints the user name of the authenticated principal --%>
当前登录的用户:<security:authentication property="principal.username"/>
<security:authorize access="hasAnyRole('ROLE_QUERY')">
<a href="#" >添加角色</a>
</security:authorize>
<security:authorize access="hasAnyRole('ROLE_UPDATE')">
<a href="#" >修改角色</a>
</security:authorize>
<security:authorize access="hasAnyRole('ROLE_USER')">
<a href="#" >查询角色</a>
</security:authorize>
<security:authorize access="hasAnyRole('ROLE_DELETE')">
<a href="#" >删除角色</a>
</security:authorize>
</body>
</html>
- 403.jsp页面:
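<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%-- Shown by the access-denied-handler in spring_security.xml when an
     authenticated user lacks the required role. The title now says "access
     denied"; it previously repeated the login-failure title of failure.jsp.
     The page states nothing about which role was missing or why. --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>无权访问页面</title>
</head>
<body>
<H1>无权访问该页面,请联系管理员。。。。。。</H1>
</body>
</html>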
- failure.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%-- Target of authentication-failure-url in spring_security.xml. The user is
     not authenticated when redirected here, so the page has to be reachable
     anonymously to be displayed. The message stays generic: it does not say
     whether the user name or the password was wrong. --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>登录失败页面!</title>
</head>
<body>
<H1>登录失败页面!</H1>
</body>
</html>
- home.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
<%-- Landing page after a successful login (default-target-url in
     spring_security.xml). --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>登录成功页面</title>
</head>
<body>
<H1>home页面</H1>
<%-- Logout is sent as a POST that carries the CSRF token (security:csrfInput),
     so another site cannot log the user out with a plain link. --%>
<FORM method="post" ACTION="${pageContext.request.contextPath }/logout">
<security:csrfInput/>
<INPUT type="submit" value="注销"/>
</FORM>
</body>
</html>
- index.jsp
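<%-- isELIgnored="false" turns EL expression support on --%>
<%@ page contentType="text/html; charset=utf-8" language="java" isELIgnored="false" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
<html>
<body>
<h2>mybatis_spring_springmvc</h2>
<TABLE>
<tr>
<th>部门号</th>
<th>部门名称</th>
<th>员工号</th>
</tr>
<%-- Database values are written with c:out, which HTML-escapes them. A bare
     ${...} in template text is emitted unescaped, so markup stored in a column
     would be interpreted by the browser. --%>
<%-- NOTE(review): the third column prints loc, which UserServiceImpl uses as
     the stored password. Do not show that column in a real application. --%>
<c:forEach items="${list}" var="dept" varStatus="index">
<tr>
<td><c:out value="${dept.deptno}"/></td>
<td><c:out value="${dept.dname}"/></td>
<td><c:out value="${dept.loc}"/></td>
</tr>
</c:forEach>
</TABLE>
</body>
</html>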
- login.jsp
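<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
<%-- Custom login form (login-page in spring_security.xml). It posts to /login,
     the login-processing-url; the field names username and password are the
     ones the form-login filter reads by default. --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Insert title here</title>
</head>
<body>
<H1>登录管理</H1>
<FORM ACTION="${pageContext.request.contextPath }/login" method="post">
账号:<INPUT type="text" name="username"><BR>
<%-- type="password" masks the value on screen; with type="text" the password
     is displayed in clear while it is typed. --%>
密码:<INPUT type="password" name="password"><BR>
<!-- 开启csrf防护识别 -->
<security:csrfInput/>
<input type="submit" value="登录"/><BR>
<img src="${pageContext.request.contextPath}/img/01.jpg"/>
</FORM>
</body>
</html>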