1.导入相关 Maven 依赖
<!-- No <version> is given on any of these, so the versions are resolved from the parent POM /
     dependencyManagement (a Spring Boot or Spring Security BOM). Pin them there and keep them
     on a supported release line: the security filter chain, CSRF and header defaults all come
     from these artifacts. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
<!-- Only needed if JSP pages use the sec: tag library; the pages referenced below are .html. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
</dependency>
2.在web.xml中配置权限过滤器
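<!-- Spring Security entry point. DelegatingFilterProxy forwards every request to the bean named
     "springSecurityFilterChain" that the <security:http> element registers in the root context.
     The filter-name MUST be exactly springSecurityFilterChain because it doubles as the name of
     the bean that is looked up; any other name fails at startup with a missing-bean error.
     (The original carried this remark as a bare "//" text node inside <filter>, which is not a
     comment in XML and makes web.xml invalid against its schema; it is an XML comment now.) -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Map the chain over every URL so no endpoint can bypass authentication/authorization. -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>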
3.配置spring-security.xml文件
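<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security context: URL access rules, form login, CSRF, response headers, logout,
     and the authentication provider wired to the application's UserDetailsService. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context.xsd">
    <!-- The unused dubbo schemaLocation pair was dropped: no dubbo namespace is declared here. -->

    <security:http auto-config="true" use-expressions="true">
        <!-- The login page itself must be reachable anonymously. -->
        <security:intercept-url pattern="/login.html" access="permitAll()"/>
        <security:intercept-url pattern="/pages/**" access="isAuthenticated()"/>
        <!-- Deny-by-default catch-all. Without it, any URL that matches none of the patterns above
             (e.g. the *.do controller endpoints) is never checked by the filter chain and is protected
             only by whatever @PreAuthorize annotations happen to be on the service methods.
             Static assets that login.html needs (css/js/images) must get their own permitAll()
             entries ABOVE this line; the exact paths depend on the project layout. -->
        <security:intercept-url pattern="/**" access="isAuthenticated()"/>

        <!-- Custom login form. /login.do is handled by the authentication filter before the access
             rules above are evaluated, so it does not need its own permitAll() entry. -->
        <security:form-login login-page="/login.html"
                             username-parameter="username"
                             password-parameter="password"
                             login-processing-url="/login.do"
                             default-target-url="/pages/main.html"
                             authentication-failure-url="/login.html"/>

        <!-- Keep CSRF protection ON. A custom login page does NOT require disabling it (the original
             comment was wrong and left every state-changing request, including login and logout,
             forgeable from another site). The page only has to send the token back. Because login.html
             is a static page with no server-side template to render the token, the token is exposed in a
             readable (non-HttpOnly) XSRF-TOKEN cookie so page script can copy it into the request as the
             "_csrf" form field or the "X-XSRF-TOKEN" header. With CSRF on, logout must be a POST. -->
        <security:csrf token-repository-ref="csrfTokenRepository"/>

        <!-- Allow the app's own pages to be framed (the UI uses iframes) while still refusing
             framing from other origins (clickjacking). -->
        <security:headers>
            <security:frame-options policy="SAMEORIGIN"/>
        </security:headers>

        <!-- Invalidate the server-side session and clear the session cookie on logout. -->
        <security:logout logout-url="/logout.do"
                         logout-success-url="/login.html"
                         invalidate-session="true"
                         delete-cookies="JSESSIONID"/>
    </security:http>

    <!-- Token store for the CSRF filter; withHttpOnlyFalse() lets client-side script read the cookie. -->
    <bean id="csrfTokenRepository"
          class="org.springframework.security.web.csrf.CookieCsrfTokenRepository"
          factory-method="withHttpOnlyFalse"/>

    <!-- Authentication: usernames are resolved by the "securityUserService" bean (UserDetailsService),
         submitted passwords are checked with the configured PasswordEncoder. -->
    <security:authentication-manager>
        <security:authentication-provider user-service-ref="securityUserService">
            <security:password-encoder ref="passwordEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <!-- SECURITY: MyPasswordEncoder is an unsalted MD5 digest, which is not an acceptable password
         hash (fast to brute-force, identical passwords hash identically). It is kept here only because
         the existing records are stored that way. Migrate to
         org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder and rehash each account on
         its next successful login (or force a reset); do not create new MD5 records. -->
    <bean class="com.itheima.encoder.MyPasswordEncoder" id="passwordEncoder"/>

    <!-- Component scan for the service package; unnecessary if this file is imported into the
         spring-mvc context that already scans it. -->
    <context:component-scan base-package="com.itheima.service"/>
    <context:annotation-config/>

    <!-- Enables @PreAuthorize/@PostAuthorize. Once enabled, the annotated beans must actually carry
         the annotations, otherwise startup reports an error. Method security only applies to calls
         that go through the Spring proxy of a managed bean. -->
    <security:global-method-security pre-post-annotations="enabled"/>
</beans>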
4.实现 UserDetailsService（即上面 authentication-provider 的 user-service-ref 所引用的 bean，负责按用户名加载账号及其角色/权限）
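@Component("securityUserService")
public class SpringSecurityUserService implements UserDetailsService {
    // NOTE(review): not used by this class. Kept because dropping an @Autowired field changes the
    // wiring requirements of the context; remove it once confirmed nothing else here needs Redis.
    @Autowired
    private JedisPool jedisPool;

    /** Remote (Dubbo) service that looks up accounts by username. */
    @Reference
    private UserService userService;

    /**
     * Loads the account for {@code username} and converts its roles and their permissions into
     * granted authorities. Both {@code Role.getKeyword()} and {@code Permission.getKeyword()} are used
     * verbatim as authority strings, so {@code hasRole('ROLE_X')} / {@code hasAuthority('X')} in
     * {@code @PreAuthorize} expressions must match those stored keywords.
     *
     * @param username the login name submitted on the form
     * @return Spring Security user carrying the stored (already encoded) password and the authorities
     * @throws UsernameNotFoundException if no account exists for {@code username}; the
     *         DaoAuthenticationProvider maps this to a generic bad-credentials failure, whereas the
     *         NullPointerException the original threw surfaced as an internal authentication error
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        com.itheima.pojo.User user = userService.findByUserName(username);
        if (user == null) {
            throw new UsernameNotFoundException("No user found with username: " + username);
        }
        // Do not print the user object or the authority list: the user carries the password hash,
        // and authentication-time output like that belongs to a logger at DEBUG level at most.

        List<GrantedAuthority> authorities = new ArrayList<>();
        if (user.getRoles() != null) {
            for (Role role : user.getRoles()) {
                authorities.add(new SimpleGrantedAuthority(role.getKeyword()));
                Set<Permission> permissions = role.getPermissions();
                if (permissions == null) {
                    continue;
                }
                for (Permission permission : permissions) {
                    authorities.add(new SimpleGrantedAuthority(permission.getKeyword()));
                }
            }
        }
        // The 3-arg constructor marks the account enabled, non-expired and non-locked.
        return new User(username, user.getPassword(), authorities);
    }
}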
5.自定义密码编码器（实现 PasswordEncoder 接口），本案例中使用的是 MD5。注意：无盐 MD5 不适合存储口令（可被快速暴力破解，相同口令得到相同散列），生产环境应改用 BCryptPasswordEncoder 等专用慢哈希算法，这里仅作演示。
//需要实现 PasswordEncoder接口
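/**
 * PasswordEncoder backed by the project's unsalted MD5 hex digest ({@code MD5Utils.md5}).
 *
 * <p>SECURITY: unsalted MD5 is not an acceptable password hash. It is fast to brute-force and
 * identical passwords produce identical hashes. This class exists only so that passwords already
 * stored as MD5 keep verifying; new deployments should use
 * {@code org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder} and rehash existing
 * records on the user's next successful login (or force a password reset).
 */
public class MyPasswordEncoder implements PasswordEncoder {

    /**
     * Hashes {@code rawPassword} with MD5 via the project helper.
     *
     * @param rawPassword the clear-text password
     * @return the MD5 digest in the format produced by {@code MD5Utils.md5}
     * @throws NullPointerException if {@code rawPassword} is null
     */
    @Override
    public String encode(CharSequence rawPassword) {
        return MD5Utils.md5(rawPassword.toString());
    }

    /**
     * Checks a submitted password against a stored MD5 digest.
     *
     * <p>Unlike the original, this never prints the clear-text password or the stored hash
     * (both were written to stdout on every login attempt), returns {@code false} instead of
     * throwing when either argument is null, and compares in constant time.
     *
     * @param rawPassword     the clear-text password submitted at login
     * @param encodedPassword the digest stored for the account
     * @return {@code true} if the digest of {@code rawPassword} equals {@code encodedPassword}
     */
    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        if (rawPassword == null || encodedPassword == null) {
            return false;
        }
        String candidate = MD5Utils.md5(rawPassword.toString());
        // Constant-time compare so response timing does not reveal how many leading bytes of the
        // stored digest the candidate matched. Fully qualified because this file's imports are not
        // visible here.
        return java.security.MessageDigest.isEqual(
                candidate.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                encodedPassword.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    }
}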
6.在需要保护的 Service 方法上添加访问权限注解（需要已开启 global-method-security，且方法必须通过 Spring 管理的 bean 代理调用才会生效）
// Two independent examples: use ONE of them per method; @PreAuthorize is not repeatable on the same
// element. To require both conditions, combine them in a single expression:
// @PreAuthorize("hasAuthority('ADD') and hasRole('ROLE_ADMIN')")
@PreAuthorize("hasAuthority('ADD')") // caller must hold the authority "ADD" (a Permission.getKeyword() value)
@PreAuthorize("hasRole('ROLE_ADMIN')") // caller must hold "ROLE_ADMIN" (a Role.getKeyword() value); hasRole adds the ROLE_ prefix when it is absent