SpringSecurity


Spring Security简介

Spring Security是一个能够为基于Spring的企业应用系统提供声明式安全访问控制的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring的IoC(控制反转,Inversion of Control)、DI(依赖注入,Dependency Injection)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制,减少了为企业系统编写大量重复安全控制代码的工作。

单机版

1.引入依赖

 <!-- Authentication / access control: Spring Security web + namespace config.
      No <version> is given here, so the version has to come from a parent POM or
      dependencyManagement; pin it there and keep it current, since these two
      artifacts are the component that enforces access control. -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
</dependency>

2.配置核心配置文件

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    <!-- Paths that bypass the security filter chain entirely. security="none" means
         no authentication, no security headers and no CSRF check on these URLs, so
         keep the list to the login page and static assets. <http> elements are
         matched in document order; the catch-all chain below must stay last. -->
    <http pattern="/login.html" security="none"/>
    <http pattern="/css/**" security="none"/>
    <http pattern="/img/**" security="none"/>
    <http pattern="/js/**" security="none"/>
    <http pattern="/plugins/**" security="none"/>

    <!--
            Interception rules for everything else.
                use-expressions: whether SpEL is enabled in access=. With it set to true
                the rule is written access="hasRole('ROLE_USER')"; here it is false, so
                access= takes a plain authority name.
        -->
    <!-- Interception rules -->
    <http use-expressions="false">
        <!--
            pattern : URL pattern to intercept
            access  : authority required to reach it (every non-excluded URL needs ROLE_ADMIN)
        -->
        <intercept-url pattern="/**" access="ROLE_ADMIN" />
        <!--
            login-page : custom login page
            default-target-url : page shown after a successful login; if unset, the page originally requested
            authentication-failure-url : URL to redirect to when login fails
            always-use-default-target : after login always go to default-target-url
        -->
        <form-login login-page="/login.html"  default-target-url="/admin/index.html" authentication-failure-url="/login.html" always-use-default-target="true"/>
        <!-- NOTE(review): CSRF protection is switched off for the whole application.
             Presumably because the login page is static HTML that cannot render the
             _csrf token; it must not stay this way in a deployed system. Remove this
             element (protection is on by default) and include the token in every
             state-changing form or request, including logout. -->
        <csrf disabled="true"/>

        <!--
            logout-url : URL that triggers logout
            logout-success-url : page to redirect to after logout
        -->
        <logout logout-url="/logout" logout-success-url="/login.html"/>
        <!--
            X-Frame-Options: SAMEORIGIN lets this site's own pages frame the app
            (needed for the iframe/frameset layout) while still blocking framing by
            other origins. Spring Security's default is DENY.
        -->
        <headers>
            <frame-options policy="SAMEORIGIN"/>  <!-- allow frameset/iframe from the same origin only -->
        </headers>
    </http>

    <!-- Authentication manager -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- Single in-memory user: name, password, authorities.
                     NOTE(review): the password is a plaintext literal and no
                     password-encoder is configured. Acceptable only for a local demo;
                     depending on the Spring Security version a password without an
                     encoder id prefix may be rejected at login. -->
                <user name="root" password="root" authorities="ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

3.配置web.xml

<!-- Root application context: points ContextLoaderListener at the Spring
     Security XML above. -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring/spring-security.xml</param-value>
</context-param>
<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>
<!-- DelegatingFilterProxy hands every request to the Spring bean whose name
     equals this filter-name; "springSecurityFilterChain" is the bean the <http>
     elements create. The security filters are therefore configured in the Spring
     context and only mapped here, to /* so nothing is served around them. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

连接数据库

1.引入依赖

2.实现UserDetailsService接口

package com.jd.shop.service.impl;

import com.jd.pojo.TbSeller;
import com.jd.sellergoods.service.TbSellerService;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import java.util.ArrayList;
import java.util.List;

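/**
 * Authentication lookup: adapts the seller table to Spring Security's
 * {@link UserDetailsService} so the form login can verify sellers.
 *
 * The submitted username is used directly as the seller id. The password
 * returned is whatever is stored on the seller row; with the bcrypt
 * password-encoder configured in the XML it must be a bcrypt hash.
 *
 * @program: jd
 * @author: 潘
 * @create: 2020-04-29 22:43
 **/
public class UserDetailsServiceImpl implements UserDetailsService {

    private TbSellerService tbSellerService;

    /** Injected from the XML config (bean property "tbSellerService"). */
    public void setTbSellerService(TbSellerService tbSellerService) {
        this.tbSellerService = tbSellerService;
    }

    /**
     * Loads the seller whose id equals the submitted username.
     *
     * @param username login name as typed into the form; used as the seller id
     * @return a {@link User} carrying the stored password and the ROLE_USER authority
     * @throws UsernameNotFoundException if username is null or no seller has that id
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // The UserDetailsService contract forbids returning null: DaoAuthenticationProvider
        // treats a null result as an interface-contract violation (internal error) rather
        // than as a failed login, so unknown users must be reported by throwing.
        if (username == null) {
            throw new UsernameNotFoundException("username is null");
        }

        TbSeller seller = tbSellerService.findById(username);
        if (seller == null) {
            // Generic message: do not reveal which ids exist.
            throw new UsernameNotFoundException("bad credentials");
        }

        // Every seller that can be found gets the same single authority.
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

        // NOTE(review): no account-status check is done here; any seller row that
        // exists is treated as an enabled account. Confirm whether a seller
        // approval/status flag should gate login and, if so, pass it through the
        // enabled/locked arguments of the longer User constructor.
        return new User(username, seller.getPassword(), authorities);
    }
}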

3.配置核心配置文件

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd">
    <!-- Paths that bypass the security filter chain entirely. security="none" means
         no authentication, no security headers and no CSRF check on these URLs.
         <http> elements are matched in document order; the catch-all chain below
         must stay last. -->
    <http pattern="/login.html" security="none"/>
    <http pattern="/css/**" security="none"/>
    <http pattern="/img/**" security="none"/>
    <http pattern="/js/**" security="none"/>
    <http pattern="/plugins/**" security="none"/>
    <!-- NOTE(review): this exempts every .html file at the web root (one path
         segment), not only shoplogin.html, so any page dropped there is served
         without authentication or security headers. /admin/index.html is not
         matched because of its extra segment. Prefer listing the public pages
         explicitly. -->
    <http pattern="/*.html" security="none"/>
    <!-- /login is the login-processing-url of the form-login below and must stay
         inside the secured chain so the authentication filter can handle it; do
         not add an <http pattern="/login" security="none"/> exclusion. -->

    <!--
            Interception rules for everything else.
                use-expressions: whether SpEL is enabled in access=. With it set to true
                the rule is written access="hasRole('ROLE_USER')"; here it is false, so
                access= takes a plain authority name.
        -->
    <!-- Interception rules -->
    <http use-expressions="false">
        <!--
            pattern : URL pattern to intercept
            access  : authority required to reach it (every non-excluded URL needs ROLE_USER,
                      the authority UserDetailsServiceImpl grants to every seller)
        -->
        <intercept-url pattern="/**" access="ROLE_USER" />
        <!--
            login-processing-url : URL the login form posts to (handled by the filter chain)
            login-page : custom login page
            default-target-url : page shown after a successful login; if unset, the page originally requested
            authentication-failure-url : URL to redirect to when login fails
            always-use-default-target : after login always go to default-target-url
        -->
        <form-login login-processing-url="/login" login-page="/shoplogin.html"  default-target-url="/admin/index.html" authentication-failure-url="/shoplogin.html" always-use-default-target="true"/>
        <!-- NOTE(review): CSRF protection is switched off for the whole application.
             Presumably because the login page is static HTML that cannot render the
             _csrf token; it must not stay this way in a deployed system. Remove this
             element (protection is on by default) and include the token in every
             state-changing form or request, including logout. -->
        <csrf disabled="true"/>

        <!--
            logout-url : URL that triggers logout
            logout-success-url : page to redirect to after logout
        -->
        <logout logout-url="/logout" logout-success-url="/shoplogin.html"/>
        <!--
            X-Frame-Options: SAMEORIGIN lets this site's own pages frame the app
            (needed for the iframe/frameset layout) while still blocking framing by
            other origins. Spring Security's default is DENY.
        -->
        <headers>
            <frame-options policy="SAMEORIGIN"/>  <!-- allow frameset/iframe from the same origin only -->
        </headers>
    </http>

    <!-- Authentication manager: users come from the database via UserDetailsServiceImpl.
         No password-encoder is configured here yet; the BCrypt section below adds it.
         Without one the stored password is compared as-is. -->
    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsServiceImpl"/>
    </authentication-manager>

    <!-- Dubbo service references: TbSellerService is obtained from a remote provider. -->
    <dubbo:application name="jd-shop-web" />
    <!-- NOTE(review): the registry address is a hard-coded, apparently public IP with
         no authentication shown. Move it to an externalized property placeholder so
         it is not committed with the source, and make sure the ZooKeeper endpoint is
         not reachable from the internet without access control. -->
    <dubbo:registry address="zookeeper://47.98.157.69:2181" timeout="30000"/>
    <dubbo:annotation package="com.jd.shop.controller" />
    
    <dubbo:reference interface="com.jd.sellergoods.service.TbSellerService" id="tbSellerService"/>

    <!-- UserDetailsService bean wired with the remote seller service. -->
    <beans:bean id="userDetailsServiceImpl" class="com.jd.shop.service.impl.UserDetailsServiceImpl">
        <beans:property name="tbSellerService" ref="tbSellerService"/>
    </beans:bean>

</beans:beans>

4.配置web.xml文件

BCrypt加密

1.编写java

// Hash the seller's plaintext password with bcrypt before persisting it. Each call
// produces a different salted hash, so verification must go through
// passwordEncoder.matches(raw, storedHash), never a string comparison. Uses the
// encoder's default work factor; the same encoder bean should be used at login.
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String encode = passwordEncoder.encode(tbSeller.getPassword());

2.编写配置文件

<!-- Authentication manager -->
<authentication-manager>
    <authentication-provider user-service-ref="userDetailsServiceImpl">
        <!-- Verify the submitted password against the stored bcrypt hash at login.
             Passwords persisted before this was added (plaintext) will no longer
             match and must be re-hashed. -->
        <password-encoder ref="bCryptPasswordEncoder"/>
    </authentication-provider>
</authentication-manager>
<!-- Encoder bean referenced by the authentication manager; reuse this same bean
     wherever passwords are hashed on registration so both sides agree. -->
<beans:bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

记住我

<!-- Remember-me checkbox; "remember-me" is the default parameter name the
     remember-me filter reads. NOTE(review): it has no effect unless a
     <remember-me .../> element is configured inside <http>, which this page does
     not show; configure a stable key there if tokens must survive restarts. -->
<input value="1" name="remember-me"/>
