用ssm做项目的时候难免会用到安全框架,那么今天介绍SpringSecurity安全框架的使用
1.导入项目依赖jar包
- 使用springSecurity安全框架肯定要引入spring的jar包,这里就不写了,只写security的jar包
- 在pom.xml中引入如下依赖jar包
<!-- springSecurity 4.1-->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.1.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.1.0.RELEASE</version>
</dependency>
2.在web.xml中添加过滤链
<!--springSecurity过滤器链-->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--springSecurity监听器-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!--springSecurity 配置文件 这里的classpath:路径要对应resource下的文件路径-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/spring-security.xml</param-value>
</context-param>
3.在对应的spring-security.xml配置文件中添加内容
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- 以下页面不被拦截 -->
<http pattern="/login.html" security="none"></http>
<http pattern="/login_error.html" security="none"></http>
<http pattern="/css/**" security="none"></http>
<http pattern="/img/**" security="none"></http>
<http pattern="/js/**" security="none"></http>
<http pattern="/plugins/**" security="none"></http>
<!-- 页面拦截规则
use-expressions spel表达式 如果不使用的话 access中需要填写 hasRole("ROLE_ADMIN")
intercept-url 拦截路径为所有 不包含上述不被拦截项
login-page 登录页面
default-target-url 登录成功后默认页面
authentication-failure-url 登陆失败跳转的页面
always-yse-default-target 永远使用默认路径
csrf 拦截true
-->
<http use-expressions="false">
<intercept-url pattern="/**" access="ROLE_ADMIN" />
<form-login
login-page="/login.html"
default-target-url="/admin/index.html"
authentication-failure-url="/login_error.html"
always-use-default-target="true" />
<!--跨站请求伪造-->
<csrf disabled="true" />
<logout logout-url="/login.html"/>
<!-- iframe策略 嵌套页面-->
<headers>
<frame-options policy="SAMEORIGIN" />
</headers>
</http>
<!-- 认证管理器 这里使用固定的账号密码 当然也可以从数据库中查询-->
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="123456" authorities="ROLE_ADMIN" />
<user name="sunwukong" password="dasheng" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
4. 动态验证
- 在spring-security.xml配置文件中添加动态验证
<!-- 动态认证 -->
<beans:bean id="userdetailsService" class="com.pyg.shop.user.UserdetailsServiceImpl">
</beans:bean>
<!-- 密码解密 -->
<beans:bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"></beans:bean>
<!-- 认证管理器 这里使用固定的账号密码 当然也可以从数据库中查询-->
<authentication-manager>
<authentication-provider user-service-ref="userdetailsService">
<password-encoder ref="bCryptPasswordEncoder"></password-encoder>
<!-- <user-service>-->
<!-- <user name="admin" password="123456" authorities="ROLE_ADMIN" />-->
<!-- <user name="sunwukong" password="dasheng" authorities="ROLE_ADMIN" />-->
<!-- </user-service>-->
</authentication-provider>
</authentication-manager>
- 在动态验证的类中进行动态验证
package com.pyg.shop.user;
import com.alibaba.dubbo.config.annotation.Reference;
import com.pyg.pojo.TbSeller;
import com.pyg.sellergoods.service.SellerService;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import java.util.ArrayList;
import java.util.List;
/**
* @ Description
* @ auther 宁宁小可爱
* @ create 2020-01-29 17:43
*/
public class UserdetailsServiceImpl implements UserDetailsService {
@Reference
private SellerService sellerService;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
TbSeller user = sellerService.findOne(username);
/* 判断用户是否存在*/
if (user == null){
return null;
}
/* 判断状态是否通过 */
if (!user.getStatus().equals("1")){
return null;
}
List<GrantedAuthority> list = new ArrayList<>();
list.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
return new User(username,user.getPassword(),list);
}
}