Two main functions:
1: Authentication
2: Authorization (access control)
3: Removing the Spring Security framework
Activiti7 pulls the Spring Security jar in automatically.
I: User login
1: Bring in SecurityUtil from the official Activiti example code
```java
import java.util.Collection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;

@Component
public class SecurityUtil {

    private Logger logger = LoggerFactory.getLogger(SecurityUtil.class);

    @Autowired
    private UserDetailsService userDetailsService;

    // Builds a Spring Security context for a username that is already known to be valid.
    // No password is checked here; the caller is responsible for having verified the user.
    public void logInAs(String username) {
        UserDetails user = userDetailsService.loadUserByUsername(username);
        if (user == null) {
            throw new IllegalStateException("User " + username + " doesn't exist, please provide a valid user");
        }
        logger.info("> Logged in as: " + username);
        SecurityContextHolder.setContext(new SecurityContextImpl(new Authentication() {
            @Override
            public Collection<? extends GrantedAuthority> getAuthorities() {
                return user.getAuthorities();
            }

            @Override
            public Object getCredentials() {
                return user.getPassword();
            }

            @Override
            public Object getDetails() {
                return user;
            }

            @Override
            public Object getPrincipal() {
                return user;
            }

            @Override
            public boolean isAuthenticated() {
                return true;
            }

            @Override
            public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
            }

            @Override
            public String getName() {
                return user.getUsername();
            }
        }));
        // Tell the Activiti engine which user id is acting on the current thread.
        org.activiti.engine.impl.identity.Authentication.setAuthenticatedUserId(username);
    }
}
```
2: Create UserInfoBean implementing UserDetails
```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.stream.Collectors;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

@Component
public class UserInfoBean implements UserDetails {

    private Long id;
    public String name;
    private String address;
    private String username;
    private String password;
    private String roles;

    /**
     * Takes the roles string read from the database, splits it, and returns
     * the parts as a collection of GrantedAuthority.
     * Activiti 7 requires that one of the user's roles is
     * @return
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        // A user row with no roles must not throw (split on null) or yield an empty-string authority.
        if (roles == null || roles.trim().isEmpty()) {
            return Collections.emptySet();
        }
        return Arrays.stream(roles.split(","))
                .map(String::trim)
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toSet());
    }

    @Override
    public String getPassword() {
        return password;
    }

    @Override
    public String getUsername() {
        return username;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

    public String getAddress() {
        return address;
    }
}
```
3: Create MyUserDetailsService implementing UserDetailsService
```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;

@Component
public class MyUserDetailsService implements UserDetailsService {

    private Logger logger = LoggerFactory.getLogger(getClass());

    @Autowired
    UserInfoBeanMapper mapper; // the project's own mapper; selectByUsername is defined there

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserInfoBean userInfoBean = mapper.selectByUsername(username);
        if (userInfoBean == null) {
            throw new UsernameNotFoundException("数据库中无此用户!");
        }
        return userInfoBean;
    }
}
```
Summary:
When a user logs in, the system calls
securityUtil.logInAs("XXXX");
which internally calls
userDetailsService.loadUserByUsername(username);
loadUserByUsername looks the user up and hands the result back to the Spring Security framework. The framework compares the password the user typed on the client page against the user record fetched by username; once that check passes, the new Activiti7 APIs can be used.
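The comparison described above is done by Spring Security's DaoAuthenticationProvider through a PasswordEncoder, never as a plain string compare: with no PasswordEncoder bean and no `{id}` prefix on the stored value, a Spring Security 5 login fails with "There is no PasswordEncoder mapped for the id null". The configuration below is an added example, not code from the post or from Activiti, showing how to wire MyUserDetailsService to a BCrypt encoder and how to write a new hash back. It assumes MyUserDetailsService is the only UserDetailsService bean, that the `password` column holds BCrypt hashes, and that the project's mapper has an `updatePassword(username, hash)` method (a hypothetical name; the post only shows `selectByUsername`).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Configuration
public class PasswordConfig {

    // BCrypt: salted, deliberately slow; the encoded string carries its own salt and cost.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12); // cost 12 is an assumption; tune to your hardware
    }

    // Explicit provider: loads the user via MyUserDetailsService (from the post) and
    // checks the submitted password against the stored hash with the encoder above.
    @Bean
    public DaoAuthenticationProvider authenticationProvider(MyUserDetailsService userDetailsService,
                                                            PasswordEncoder passwordEncoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        // Already the default: the UsernameNotFoundException thrown by loadUserByUsername is
        // reported as BadCredentialsException, so a failed login does not reveal whether
        // the username exists.
        provider.setHideUserNotFoundExceptions(true);
        return provider;
    }
}

// Password change flow: re-verify the current password, then store only the new hash.
@Service
class UserPasswordService {

    private final UserInfoBeanMapper mapper;       // the post's mapper
    private final PasswordEncoder passwordEncoder;

    UserPasswordService(UserInfoBeanMapper mapper, PasswordEncoder passwordEncoder) {
        this.mapper = mapper;
        this.passwordEncoder = passwordEncoder;
    }

    public boolean changePassword(String username, String currentRaw, String newRaw) {
        UserInfoBean user = mapper.selectByUsername(username);
        // Same answer for "unknown user" and "wrong password".
        if (user == null || !passwordEncoder.matches(currentRaw, user.getPassword())) {
            return false;
        }
        // Hypothetical mapper method (assumption): persists the BCrypt string, never the raw password.
        mapper.updatePassword(username, passwordEncoder.encode(newRaw));
        return true;
    }
}
```

Because `DaoAuthenticationProvider` is the only `AuthenticationProvider` bean, Spring Security picks it up without any `configure(AuthenticationManagerBuilder)` override; the form login in section II then verifies BCrypt hashes, and the values MyUserDetailsService returns from `getPassword()` must already be encoded.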
II: The Spring Security configuration explained
1: ActivitiSecurityConfig configures the login method
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ActivitiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private LoginSuccessHandler loginSuccessHandler;

    @Autowired
    private LoginFailureHandler loginFailureHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .successHandler(loginSuccessHandler)
                .failureHandler(loginFailureHandler)
                //.defaultSuccessUrl("/hello")
                //.successForwardUrl("success.html")
                //.failureForwardUrl("failure.html")
                .and()
            .authorizeRequests()
                .antMatchers("/login", "/demo-login.html", "/demo-login1.html", "/layuimini/page/login-1.html").permitAll()
                .anyRequest().permitAll() // no page requires authentication
                .and()
            .logout().permitAll()
                .and()
            .csrf().disable()
            .headers().frameOptions().disable();
    }
}
```
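With `anyRequest().permitAll()`, `csrf().disable()` and `frameOptions().disable()`, the login above gates nothing: every Activiti endpoint is reachable without a session, any cross-site form can submit a state-changing POST, and any site can frame the application. The class below is an added example (not the post's configuration) with the same form-login wiring and those three settings corrected. It keeps the handlers from the post; `/layuimini/css/**`, `/layuimini/js/**`, `/admin/**` and the role name `ADMIN` are placeholders for whatever static assets and protected paths the application actually has.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private LoginSuccessHandler loginSuccessHandler; // from the post

    @Autowired
    private LoginFailureHandler loginFailureHandler; // from the post

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .successHandler(loginSuccessHandler)
                .failureHandler(loginFailureHandler)
                .and()
            .authorizeRequests()
                // Only the login page and its static resources (placeholder paths) are anonymous.
                .antMatchers("/login", "/layuimini/page/login-1.html",
                             "/layuimini/css/**", "/layuimini/js/**").permitAll()
                // Placeholder: administrative endpoints require authority "ROLE_ADMIN".
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Everything else, including the Activiti task and process endpoints, needs a session.
                .anyRequest().authenticated()
                .and()
            .logout()
                .logoutUrl("/logout")            // POST only while CSRF is enabled
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .and()
            // CSRF stays on. The cookie repository exposes the token as cookie XSRF-TOKEN so an
            // AJAX login form can read it and send it back in the X-XSRF-TOKEN header.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            // The admin template loads pages in same-origin iframes, so SAMEORIGIN keeps it
            // working while still refusing frames from other origins.
            .headers()
                .frameOptions().sameOrigin();
    }
}
```

The one behavioural change the front end sees is the CSRF token: the login form and every other POST must include it, either as the `_csrf` form field or the `X-XSRF-TOKEN` header copied from the cookie.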
2: LoginFailureHandler: handling a failed login
```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;

// AjaxResponse and GlobalConfig are the project's own helper classes.
@Component("loginFailureHandler")
public class LoginFailureHandler implements AuthenticationFailureHandler {

    private Logger logger = LoggerFactory.getLogger(getClass());

    @Autowired
    private ObjectMapper objectMapper;

    @Override
    public void onAuthenticationFailure(HttpServletRequest httpServletRequest,
                                        HttpServletResponse httpServletResponse,
                                        AuthenticationException e) throws IOException, ServletException {
        logger.info("登录失败");
        httpServletResponse.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        //httpServletResponse.getWriter().write("登录失败")
        httpServletResponse.getWriter().write(objectMapper.writeValueAsString(
                AjaxResponse.AjaxData(GlobalConfig.ResponseCode.ERROR.getCode(),
                        GlobalConfig.ResponseCode.ERROR.getDesc(),
                        "登录失败:" + e.getMessage())));
    }
}
```
3: LoginSuccessHandler: handling a successful login
```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

// AjaxResponse and GlobalConfig are the project's own helper classes.
@Component("loginSuccessHandler")
public class LoginSuccessHandler implements AuthenticationSuccessHandler {

    private Logger logger = LoggerFactory.getLogger(getClass());

    @Autowired
    private ObjectMapper objectMapper;

    // Variant with a FilterChain (the interface's default method); only logs here.
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain, Authentication authentication)
            throws IOException, ServletException {
        logger.info("登录成功1");
    }

    // Variant called by the form-login filter: writes the JSON result.
    @Override
    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest,
                                        HttpServletResponse httpServletResponse,
                                        Authentication authentication) throws IOException, ServletException {
        logger.info("登录成功2");
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        httpServletResponse.getWriter().write(objectMapper.writeValueAsString(
                AjaxResponse.AjaxData(GlobalConfig.ResponseCode.SUCCESS.getCode(),
                        GlobalConfig.ResponseCode.SUCCESS.getDesc(),
                        authentication.getName())));
    }
}
```
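Two details in the handlers above matter to a defender: the failure handler answers with HTTP 500 and echoes `e.getMessage()` to the client, and the success handler never tells Activiti who logged in, even though the post's SecurityUtil.logInAs trusts whatever username it is given. The pair below is an added example, not the post's code: rewritten versions of the same two beans that return 401 with a fixed message, keep the failure cause in the server log, and call logInAs only with the name of an Authentication that Spring Security has already verified. It assumes the post's AjaxResponse/GlobalConfig helpers and the SecurityUtil class from section I.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component("loginFailureHandler")
public class LoginFailureHandler implements AuthenticationFailureHandler {

    private static final Logger log = LoggerFactory.getLogger(LoginFailureHandler.class);
    private final ObjectMapper objectMapper;

    public LoginFailureHandler(ObjectMapper objectMapper) {
        this.objectMapper = objectMapper;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException e) throws IOException {
        // Exception type, username and source address go to the server log (for lockout
        // and alerting), not into the response body.
        log.warn("login failed for user '{}' from {}: {}",
                request.getParameter("username"), request.getRemoteAddr(), e.getClass().getSimpleName());
        response.setStatus(HttpStatus.UNAUTHORIZED.value()); // 401: the client failed, not the server
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().write(objectMapper.writeValueAsString(
                AjaxResponse.AjaxData(GlobalConfig.ResponseCode.ERROR.getCode(),
                        GlobalConfig.ResponseCode.ERROR.getDesc(),
                        "invalid username or password"))); // identical text for every cause
    }
}

@Component("loginSuccessHandler")
class LoginSuccessHandler implements AuthenticationSuccessHandler {

    private static final Logger log = LoggerFactory.getLogger(LoginSuccessHandler.class);
    private final ObjectMapper objectMapper;
    private final SecurityUtil securityUtil; // the post's SecurityUtil

    LoginSuccessHandler(ObjectMapper objectMapper, SecurityUtil securityUtil) {
        this.objectMapper = objectMapper;
        this.securityUtil = securityUtil;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        // The password has been verified by the AuthenticationManager at this point, so the
        // name taken from the Authentication (never from a request parameter) is safe to pass
        // to logInAs, which performs no check of its own.
        securityUtil.logInAs(authentication.getName());
        log.info("login ok for user '{}'", authentication.getName());
        response.setStatus(HttpStatus.OK.value());
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().write(objectMapper.writeValueAsString(
                AjaxResponse.AjaxData(GlobalConfig.ResponseCode.SUCCESS.getCode(),
                        GlobalConfig.ResponseCode.SUCCESS.getDesc(),
                        authentication.getName())));
    }
}
```

The FilterChain variant of `onAuthenticationSuccess` is left to its interface default, which delegates to the three-argument method, so both entry points behave the same. Keeping the 401 body generic is what makes the `setHideUserNotFoundExceptions(true)` default meaningful: the provider hides "user not found", and the handler does not reintroduce it through the message.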
III: How to remove the Spring Security framework
1: Add an exclusion annotation on the startup class
```java
@SpringBootApplication(exclude = {
        org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class,
        org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration.class
})
```