Preface
Notes on the basic usage of spring-security.
I. Introduction to spring-security
spring-security is the framework our project team uses to provide security-authentication services.
It covers two main operations.
"Authentication" establishes a principal for the user that the user claims to be. A principal is generally a user, a device, or another system that can perform actions in your system.
"Authorization" decides whether a user may perform a given operation in your application; by the time the authorization decision is reached, the principal's identity has already been established by the authentication process.
II. Usage steps
1. Import the Maven coordinates
The code is as follows:
```xml
<dependencies>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.0.1.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.0.1.RELEASE</version>
    </dependency>
</dependencies>
```
2. Configure web.xml
The code is as follows:
```xml
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring-security.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- DelegatingFilterProxy hands every request to the springSecurityFilterChain bean -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
3. Configure spring-security.xml
The code is as follows:
```xml
<!-- Resources that are not intercepted -->
<security:http pattern="/login.jsp" security="none"/>
<security:http pattern="/failer.jsp" security="none"/>
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/plugins/**" security="none"/>
<security:http auto-config="true" use-expressions="false">
    <!-- Concrete interception rule: pattern="request-path rule",
         access="anyone accessing the system must hold the ROLE_USER or ROLE_ADMIN role" -->
    <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
    <!-- Pages to redirect/forward to -->
    <security:form-login
        login-page="/login.jsp"
        login-processing-url="/login.do"
        default-target-url="/index.jsp"
        authentication-failure-url="/failer.jsp"
        authentication-success-forward-url="/user/login.do"
    />
    <!-- Disable CSRF protection; if left enabled (the default) every POST form must submit the _csrf token -->
    <security:csrf disabled="true"/>
    <!-- Logout -->
    <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp" />
</security:http>
<!-- Switch to the username and password stored in the database -->
<security:authentication-manager>
    <security:authentication-provider user-service-ref="userService">
        <security:password-encoder ref="passwordEncoder"/>
    </security:authentication-provider>
</security:authentication-manager>
<!-- Password-encoder bean -->
<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
```
4. Writing userService
The service interface must extend UserDetailsService; the user-verification logic is implemented in loadUserByUsername.
The code is as follows:
```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Registered as the "userService" bean referenced by user-service-ref in spring-security.xml
public class UserServiceImpl implements UserDetailsService {
    private IUserDao dao; // project DAO injected by Spring (bean name assumed)

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserInfo userInfo = dao.findUserByUserName(username);
        if (userInfo == null) {
            // An unknown user must throw here; otherwise the next line raises a NullPointerException
            throw new UsernameNotFoundException("user not found: " + username);
        }
        // status == 1 means enabled; the three true flags are non-expired, non-locked, credentials-non-expired
        User user = new User(userInfo.getUsername(), userInfo.getPassword(), userInfo.getStatus() == 1,
                true, true, true, getAuthority(userInfo.getRoles()));
        return user;
    }

    public List<SimpleGrantedAuthority> getAuthority(List<Role> roles) {
        List<SimpleGrantedAuthority> arrayList = new ArrayList<SimpleGrantedAuthority>();
        for (Role role : roles) {
            // access="ROLE_USER,ROLE_ADMIN" in the XML matches on the ROLE_ prefix
            arrayList.add(new SimpleGrantedAuthority("ROLE_" + role.getRoleName()));
        }
        return arrayList;
    }

    public void save(UserInfo userInfo) {
        // Store the BCrypt hash so the configured passwordEncoder can verify it at login
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        String encode = passwordEncoder.encode(userInfo.getPassword());
        userInfo.setPassword(encode);
        dao.save(userInfo);
    }
}
```
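As an added example (not code from the original post), the stand-alone Java program below mirrors what Spring Security's DaoAuthenticationProvider does with the userService configured above: load the user, check the enabled flag, and compare the submitted password against the stored BCrypt hash with the configured encoder. The UserRow class, the in-memory table and the sample users are constructed for the demo and stand in for the page's UserInfo/Role entities and dao.findUserByUserName; only spring-security-core is needed on the classpath.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Demo of the lookup-and-match cycle performed against a UserDetailsService.
 * The in-memory "table" replaces the DAO; everything else is real Spring Security.
 */
public class UserDetailsDemo {

    /** Constructed sample record standing in for a UserInfo row plus its Role rows. */
    static final class UserRow {
        final String username; final String encodedPassword; final int status; final List<String> roles;
        UserRow(String u, String p, int s, List<String> r) { username = u; encodedPassword = p; status = s; roles = r; }
    }

    /** Same encoder class as the passwordEncoder bean in spring-security.xml. */
    static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    /** Minimal UserDetailsService backed by a map instead of dao.findUserByUserName. */
    static final class InMemoryUserService implements UserDetailsService {
        private final Map<String, UserRow> table;
        InMemoryUserService(Map<String, UserRow> table) { this.table = table; }

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            UserRow row = table.get(username);
            if (row == null) {
                // Unknown user: throw rather than let a NullPointerException surface as a 500;
                // the provider turns this into an ordinary authentication failure.
                throw new UsernameNotFoundException("no such user");
            }
            List<GrantedAuthority> authorities = new ArrayList<>();
            for (String role : row.roles) {
                // The ROLE_ prefix is what access="ROLE_USER,ROLE_ADMIN" is matched against.
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
            }
            return new User(row.username, row.encodedPassword,
                    row.status == 1,  // enabled flag, as in the page's status == 1 check
                    true, true, true, // account non-expired, non-locked, credentials non-expired
                    authorities);
        }
    }

    /** Mirrors the provider: load the user, require enabled, compare against the BCrypt hash. */
    static boolean authenticate(UserDetailsService svc, String username, String rawPassword) {
        try {
            UserDetails u = svc.loadUserByUsername(username);
            return u.isEnabled() && ENCODER.matches(rawPassword, u.getPassword());
        } catch (UsernameNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Map<String, UserRow> table = new HashMap<>();
        // Constructed users; stored passwords are BCrypt-encoded exactly as save() does,
        // except "carol", whose row deliberately holds a plaintext value.
        table.put("alice", new UserRow("alice", ENCODER.encode("s3cret"), 1, Arrays.asList("USER")));
        table.put("bob",   new UserRow("bob",   ENCODER.encode("hunter2"), 0, Arrays.asList("ADMIN")));
        table.put("carol", new UserRow("carol", "plaintext-pw", 1, Arrays.asList("USER")));

        UserDetailsService svc = new InMemoryUserService(table);
        System.out.println("alice/correct  : " + authenticate(svc, "alice", "s3cret"));
        System.out.println("alice/wrong    : " + authenticate(svc, "alice", "wrong"));
        System.out.println("bob/status=0   : " + authenticate(svc, "bob", "hunter2"));
        System.out.println("carol/plaintext: " + authenticate(svc, "carol", "plaintext-pw"));
        System.out.println("unknown user   : " + authenticate(svc, "nobody", "x"));
        System.out.println("alice roles    : " + svc.loadUserByUsername("alice").getAuthorities());
    }
}
```

Only the first case succeeds: a wrong password fails the hash comparison, status 0 fails the enabled check, an unknown name is caught as UsernameNotFoundException, and carol's row fails because BCryptPasswordEncoder.matches rejects a stored value that is not a BCrypt hash, which is exactly why note (3) below insists that passwords be written through encode() before the encoder is switched on.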
5. Displaying user information on the front end
The code is as follows:
```java
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.web.bind.annotation.RequestMapping;

// Lives in a controller mapped under /user (assumed), so the full path is the
// /user/login.do given in authentication-success-forward-url
@RequestMapping("/login.do")
public String printUser(HttpSession session) {
    // The principal set by the authentication step is the User built in loadUserByUsername
    User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    String name = user.getUsername(); // logged-in username
    session.setAttribute("username", name);
    return "main";
}
```
Notes
(1) "default-target-url" is the page or request the user is sent to after login by default; even if the user lacks the role information needed to operate the system, login still succeeds and the user is still redirected to this address.
(2) To echo the user's information in the system, put a request path in "authentication-success-forward-url" and use SecurityContextHolder to obtain the user information.
(3) To store user passwords as hashes rather than plaintext, encode them with the encode method of BCryptPasswordEncoder() and also configure the encoder class in the configuration file; once it is configured, spring-security correctly recognizes the passwords that users set.