当我们在管理后台数据的时候需要对管理者的身份进行认证和授权,在该项目中用到的安全认证服务框架是Spring Security。

1.Spring Security的简单入门

通过一个spring security的入门案例来了解使用该框架的基本步骤。

1.1使用IDEA新建一个webapp的maven工程,在pom.xml文件中引入spring security框架的相关坐标。

 1 <?xml version="1.0" encoding="UTF-8"?>
 2 
 3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5   <modelVersion>4.0.0</modelVersion>
 6 
 7   <groupId>club.nipengfei</groupId>
 8   <artifactId>spring_security_rumeng</artifactId>
 9   <version>1.0-SNAPSHOT</version>
10   <packaging>war</packaging>
11 
12   <name>spring_security_rumeng Maven Webapp</name>
13   <!-- FIXME change it to the project\'s website -->
14   <url>http://www.example.com</url>
15 
16   <properties>
17     <spring.version>5.0.2.RELEASE</spring.version>
18     <spring.security.version>5.0.1.RELEASE</spring.security.version>
19   </properties>
20 
21   <dependencies>
22     <dependency>
23       <groupId>org.springframework</groupId>
24       <artifactId>spring-core</artifactId>
25       <version>${spring.version}</version>
26     </dependency>
27     <dependency>
28       <groupId>org.springframework</groupId>
29       <artifactId>spring-web</artifactId>
30       <version>${spring.version}</version>
31     </dependency>
32     <dependency>
33       <groupId>org.springframework</groupId>
34       <artifactId>spring-webmvc</artifactId>
35       <version>${spring.version}</version>
36     </dependency>
37     <dependency>
38       <groupId>org.springframework</groupId>
39       <artifactId>spring-context-support</artifactId>
40       <version>${spring.version}</version>
41     </dependency>
42     <dependency>
43       <groupId>org.springframework</groupId>
44       <artifactId>spring-test</artifactId>
45       <version>${spring.version}</version>
46     </dependency>
47     <dependency>
48       <groupId>org.springframework</groupId>
49       <artifactId>spring-jdbc</artifactId>
50       <version>${spring.version}</version>
51     </dependency>
52 
53     <dependency>
54       <groupId>org.springframework.security</groupId>
55       <artifactId>spring-security-web</artifactId>
56       <version>${spring.security.version}</version>
57     </dependency>
58     <dependency>
59       <groupId>org.springframework.security</groupId>
60       <artifactId>spring-security-config</artifactId>
61       <version>${spring.security.version}</version>
62     </dependency>
63     <dependency>
64       <groupId>javax.servlet</groupId>
65       <artifactId>javax.servlet-api</artifactId>
66       <version>3.1.0</version>
67       <scope>provided</scope>
68     </dependency>
69   </dependencies>
70   <build>
71     <plugins>
72       <!-- java编译插件 -->
73       <plugin>
74         <groupId>org.apache.maven.plugins</groupId>
75         <artifactId>maven-compiler-plugin</artifactId>
76         <version>3.2</version>
77         <configuration>
78           <source>1.8</source>
79           <target>1.8</target>
80           <encoding>UTF-8</encoding>
81         </configuration>
82       </plugin>
83       <plugin>
84         <groupId>org.apache.tomcat.maven</groupId>
85         <artifactId>tomcat7-maven-plugin</artifactId>
86         <configuration>
87           <!-- 指定端口 -->
88           <port>8090</port>
89           <!-- 请求路径 -->
90           <path>/</path>
91         </configuration>
92       </plugin>
93     </plugins>
94   </build>
95 </project>

1.2在web.xml中配置一个spring security的过滤器和引入spring security的核心配置文件。

 1 <?xml version="1.0" encoding="UTF-8"?>
 2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 3          xmlns="http://java.sun.com/xml/ns/javaee"
 4          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
 5          version="2.5">
 6   <display-name>SpringSecurity314</display-name>
 7 
 8   <context-param>
 9     <param-name>contextConfigLocation</param-name>
10     <param-value>classpath:spring-security.xml</param-value>
11   </context-param>
12   <listener>
13     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
14   </listener>
15   <filter>
16     <filter-name>springSecurityFilterChain</filter-name>
17     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
18   </filter>
19   <filter-mapping>
20     <filter-name>springSecurityFilterChain</filter-name>
21     <url-pattern>/*</url-pattern>
22   </filter-mapping>
23   <welcome-file-list>
24     <welcome-file>index.html</welcome-file>
25     <welcome-file>index.htm</welcome-file>
26     <welcome-file>index.jsp</welcome-file>
27     <welcome-file>default.html</welcome-file>
28     <welcome-file>default.htm</welcome-file>
29     <welcome-file>default.jsp</welcome-file>
30   </welcome-file-list>
31 </web-app>

1.3在resource资源路径下新建一个该框架的核心配置文件spring-security.xml

 1 <?xml version="1.0" encoding="UTF-8"?>
 2 <beans xmlns="http://www.springframework.org/schema/beans"
 3        xmlns:security="http://www.springframework.org/schema/security"
 4        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 5        xsi:schemaLocation="http://www.springframework.org/schema/beans
 6 http://www.springframework.org/schema/beans/spring-beans.xsd
 7 http://www.springframework.org/schema/security
 8 http://www.springframework.org/schema/security/spring-security.xsd">
 9     <security:http auto-config="true" use-expressions="false">
10         <!-- intercept-url定义一个过滤规则 pattern表示对哪些url进行权限控制,ccess属性表示在请求对应
11         的URL时需要什么权限,
12         默认配置时它应该是一个以逗号分隔的角色列表,请求的用户只需拥有其中的一个角色就能成功访问对应
13         的URL -->
14         <security:intercept-url pattern="/**" access="ROLE_USER" />
15         <!-- auto-config配置后,不需要在配置下面信息 <security:form-login /> 定义登录表单信息
16         <security:http-basic
17         /> <security:logout /> -->
18     </security:http>
19     <security:authentication-manager>
20         <security:authentication-provider>
21             <security:user-service>
22                 <security:user name="user" password="{noop}user"
23                                authorities="ROLE_USER" />
24                 <security:user name="admin" password="{noop}admin"
25                                authorities="ROLE_ADMIN" />
26             </security:user-service>
27         </security:authentication-provider>
28     </security:authentication-manager>
29 </beans>

1.4入门案例总结

启动该入门案例发现直接跳转到了登录页面,但是我们并没有写有关登录的页面,这个页面是该框架本身自己的。

因为在核心配置文件中有<security:http auto-config=”true” use-expressions=”false”>开启spring security的默认的配置,当然也可以自定义登录页面。

 

当我们随意输入一个用户名”npf”和密码”1233″(配置文件中没有该用户名密码)时会出现如下提示

 

当我们输入用户名”admin”密码”admin”(配置文件中有该用户名密码但该角色不符合要求)时会出现如下提示,该提示表示权限不足。

当我们输入用户名”user”密码”user”时能够正常访问到index.jsp页面

 

上述简单入门案例存在明显不足之处,需要改进。

  1. 登录页面太简陋需要自定义
  2. 登录的账号一般在数据库中而不是在配置文件中

2.spring security在数据后台管理中的使用

为了确保数据的安全,在管理数据过程中需要对管理者的身份进行验证,并且让不同的管理者有不同的操作权限。

2.1与入门案例相似,在pom.xml文件中引入相应坐标,并在web.xml中配置一个spring security的过滤器和引入spring security的核心配置文件。

  1 <?xml version="1.0" encoding="UTF-8"?>
  2 
  3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  5   <modelVersion>4.0.0</modelVersion>
  6 
  7   <groupId>club.nipengfei</groupId>
  8   <artifactId>ssm5</artifactId>
  9   <version>1.0-SNAPSHOT</version>
 10   <packaging>war</packaging>
 11 
 12   <name>ssm5 Maven Webapp</name>
 13   <!-- FIXME change it to the project\'s website -->
 14   <url>http://www.example.com</url>
 15 
 16   <properties>
 17     <spring.version>5.0.2.RELEASE</spring.version>
 18     <slf4j.version>1.6.6</slf4j.version>
 19     <log4j.version>1.2.12</log4j.version>
 20     <mysql.version>5.1.6</mysql.version>
 21     <mybatis.version>3.4.5</mybatis.version>
 22     <spring.security.version>5.0.1.RELEASE</spring.security.version>
 23   </properties>
 24   <dependencies>
 25     <!-- spring -->
 26     <dependency>
 27       <groupId>org.aspectj</groupId>
 28       <artifactId>aspectjweaver</artifactId>
 29       <version>1.6.8</version>
 30     </dependency>
 31     <dependency>
 32       <groupId>org.springframework</groupId>
 33       <artifactId>spring-aop</artifactId>
 34       <version>${spring.version}</version>
 35     </dependency>
 36     <dependency>
 37       <groupId>org.springframework</groupId>
 38       <artifactId>spring-context</artifactId>
 39       <version>${spring.version}</version>
 40     </dependency>
 41     <dependency>
 42       <groupId>org.springframework</groupId>
 43       <artifactId>spring-web</artifactId>
 44       <version>${spring.version}</version>
 45     </dependency>
 46     <dependency>
 47       <groupId>org.springframework</groupId>
 48       <artifactId>spring-webmvc</artifactId>
 49       <version>${spring.version}</version>
 50     </dependency>
 51     <dependency>
 52       <groupId>org.springframework</groupId>
 53       <artifactId>spring-test</artifactId>
 54       <version>${spring.version}</version>
 55     </dependency>
 56     <dependency>
 57       <groupId>org.springframework</groupId>
 58       <artifactId>spring-tx</artifactId>
 59       <version>${spring.version}</version>
 60     </dependency>
 61     <dependency>
 62       <groupId>org.springframework</groupId>
 63       <artifactId>spring-jdbc</artifactId>
 64       <version>${spring.version}</version>
 65     </dependency>
 66     <dependency>
 67       <groupId>junit</groupId>
 68       <artifactId>junit</artifactId>
 69       <version>4.12</version>
 70       <scope>compile</scope>
 71     </dependency>
 72     <dependency>
 73       <groupId>mysql</groupId>
 74       <artifactId>mysql-connector-java</artifactId>
 75       <version>${mysql.version}</version>
 76     </dependency>
 77     <dependency>
 78       <groupId>javax.servlet</groupId>
 79       <artifactId>servlet-api</artifactId>
 80       <version>2.5</version>
 81       <scope>provided</scope>
 82     </dependency>
 83     <dependency>
 84       <groupId>javax.servlet.jsp</groupId>
 85       <artifactId>jsp-api</artifactId>
 86       <version>2.0</version>
 87       <scope>provided</scope>
 88     </dependency>
 89     <dependency>
 90       <groupId>jstl</groupId>
 91       <artifactId>jstl</artifactId>
 92       <version>1.2</version>
 93     </dependency>
 94     <!-- log start -->
 95     <dependency>
 96       <groupId>log4j</groupId>
 97       <artifactId>log4j</artifactId>
 98       <version>${log4j.version}</version>
 99     </dependency>
100     <dependency>
101       <groupId>org.slf4j</groupId>
102       <artifactId>slf4j-api</artifactId>
103       <version>${slf4j.version}</version>
104     </dependency>
105     <dependency>
106       <groupId>org.slf4j</groupId>
107       <artifactId>slf4j-log4j12</artifactId>
108       <version>${slf4j.version}</version>
109     </dependency>
110     <!-- log end -->
111     <dependency>
112       <groupId>org.mybatis</groupId>
113       <artifactId>mybatis</artifactId>
114       <version>${mybatis.version}</version>
115     </dependency>
116     <dependency>
117       <groupId>org.mybatis</groupId>
118       <artifactId>mybatis-spring</artifactId>
119       <version>1.3.0</version>
120     </dependency>
121     <dependency>
122       <groupId>c3p0</groupId>
123       <artifactId>c3p0</artifactId>
124       <version>0.9.1.2</version>
125       <type>jar</type>
126       <scope>compile</scope>
127     </dependency>
128     <dependency>
129       <groupId>com.github.pagehelper</groupId>
130       <artifactId>pagehelper</artifactId>
131       <version>5.1.2</version>
132     </dependency>
133     <dependency>
134       <groupId>org.springframework.security</groupId>
135       <artifactId>spring-security-web</artifactId>
136       <version>${spring.security.version}</version>
137     </dependency>
138     <dependency>
139       <groupId>org.springframework.security</groupId>
140       <artifactId>spring-security-config</artifactId>
141       <version>${spring.security.version}</version>
142     </dependency>
143     <dependency>
144       <groupId>org.springframework.security</groupId>
145       <artifactId>spring-security-core</artifactId>
146       <version>${spring.security.version}</version>
147     </dependency>
148     <dependency>
149       <groupId>org.springframework.security</groupId>
150       <artifactId>spring-security-taglibs</artifactId>
151       <version>${spring.security.version}</version>
152     </dependency>
153 
154     <dependency>
155       <groupId>mysql</groupId>
156       <artifactId>mysql-connector-java</artifactId>
157       <version>${mysql.version}</version>
158     </dependency>
159 
160     <dependency>
161       <groupId>javax.annotation</groupId>
162       <artifactId>jsr250-api</artifactId>
163       <version>1.0</version>
164     </dependency>
165 
166   </dependencies>
167 
168   <build>
169     <finalName>ssm5</finalName>
170     <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
171       <plugins>
172         <plugin>
173           <artifactId>maven-clean-plugin</artifactId>
174           <version>3.1.0</version>
175         </plugin>
176         <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
177         <plugin>
178           <artifactId>maven-resources-plugin</artifactId>
179           <version>3.0.2</version>
180         </plugin>
181         <plugin>
182           <artifactId>maven-compiler-plugin</artifactId>
183           <version>3.8.0</version>
184         </plugin>
185         <plugin>
186           <artifactId>maven-surefire-plugin</artifactId>
187           <version>2.22.1</version>
188         </plugin>
189         <plugin>
190           <artifactId>maven-war-plugin</artifactId>
191           <version>3.2.2</version>
192         </plugin>
193         <plugin>
194           <artifactId>maven-install-plugin</artifactId>
195           <version>2.5.2</version>
196         </plugin>
197         <plugin>
198           <artifactId>maven-deploy-plugin</artifactId>
199           <version>2.8.2</version>
200         </plugin>
201       </plugins>
202     </pluginManagement>
203   </build>
204 </project>

pom.xml

 1 <?xml version="1.0" encoding="UTF-8"?>
 2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 3          xmlns="http://xmlns.jcp.org/xml/ns/javaee"
 4          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
 5          version="3.1">
 6 
 7     <display-name>Archetype Created web Application</display-name>
 8     <!--配置监听器,默认只加载WEB-INF目录下的applicationContext.xml配置文件-->
 9     <listener>
10         <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
11     </listener>
12     <!--设置配置文件路径-->
13     <context-param>
14         <param-name>contextConfigLocation</param-name>
15         <param-value>classpath*:applicationContext.xml,classpath*:spring-security.xml</param-value>
16     </context-param>
17     <!--配置前端控制器-->
18     <servlet>
19         <servlet-name>dispatcherServlet</servlet-name>
20         <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
21         <!--加载springmvc.xml配置文件-->
22         <init-param>
23             <param-name>contextConfigLocation</param-name>
24             <param-value>classpath:springmvc.xml</param-value>
25         </init-param>
26         <!--启动服务器,创建servlet-->
27         <load-on-startup>1</load-on-startup>
28     </servlet>
29     <servlet-mapping>
30         <servlet-name>dispatcherServlet</servlet-name>
31         <url-pattern>*.do</url-pattern>
32     </servlet-mapping>
33 
34     <!--解决中文乱码过滤器-->
35     <filter>
36         <filter-name>characterEncodingFilter</filter-name>
37         <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
38         <init-param>
39             <param-name>encoding</param-name>
40             <param-value>UTF-8</param-value>
41         </init-param>
42     </filter>
43     <filter-mapping>
44         <filter-name>characterEncodingFilter</filter-name>
45         <url-pattern>/*</url-pattern>
46     </filter-mapping>
47 
48     <!--spring security的过滤器-->
49     <filter>
50         <filter-name>springSecurityFilterChain</filter-name>
51         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
52     </filter>
53     <filter-mapping>
54         <filter-name>springSecurityFilterChain</filter-name>
55         <url-pattern>/*</url-pattern>
56     </filter-mapping>
57 
58     <welcome-file-list>
59         <welcome-file>index.html</welcome-file>
60         <welcome-file>index.htm</welcome-file>
61         <welcome-file>index.jsp</welcome-file>
62         <welcome-file>default.html</welcome-file>
63         <welcome-file>default.htm</welcome-file>
64         <welcome-file>default.jsp</welcome-file>
65     </welcome-file-list>
66 </web-app>

web.xml

2.2配置spring security的核心配置文件

与入门案例相比,这里配置了不拦截的资源,自定义了登录页面,实现了退出操作,将原先定义在配置页面中的登录用户名和密码切换成在数据库中。

 1 <?xml version="1.0" encoding="UTF-8"?>
 2 <beans xmlns="http://www.springframework.org/schema/beans"
 3        xmlns:security="http://www.springframework.org/schema/security"
 4        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 5        xsi:schemaLocation="http://www.springframework.org/schema/beans
 6     http://www.springframework.org/schema/beans/spring-beans.xsd
 7     http://www.springframework.org/schema/security
 8     http://www.springframework.org/schema/security/spring-security.xsd">
 9 
10     <!-- 配置不拦截的资源 -->
11     <security:http pattern="/login.jsp" security="none"/>
12     <security:http pattern="/failer.jsp" security="none"/>
13     <security:http pattern="/css/**" security="none"/>
14     <security:http pattern="/img/**" security="none"/>
15     <security:http pattern="/plugins/**" security="none"/>
16 
17     <!--
18         配置具体的规则
19         auto-config="true"    不用自己编写登录的页面,框架提供默认登录页面
20         use-expressions="false"    是否使用SPEL表达式(没学习过)
21     -->
22     <security:http auto-config="true" use-expressions="true">
23         <!-- 配置具体的拦截的规则 pattern="请求路径的规则" access="访问系统的人,必须有ROLE_USER的角色" -->
24         <security:intercept-url pattern="/**" access="hasAnyRole(\'ROLE_USER\',\'ROLE_ADMIN\')"/>
25 
26         <!-- 定义跳转的具体的页面 -->
27         <security:form-login
28                 login-page="/login.jsp"
29                 login-processing-url="/login.do"
30                 default-target-url="/index.jsp"
31                 authentication-failure-url="/failer.jsp"
32                 authentication-success-forward-url="/pages/main.jsp"
33         />
34 
35         <!-- 关闭跨域请求 -->
36         <security:csrf disabled="true"/>
37 
38         <!-- 退出 -->
39         <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp" />
40 
41     </security:http>
42 
43     <!-- 切换成数据库中的用户名和密码 -->
44     <security:authentication-manager>
45         <security:authentication-provider user-service-ref="userService">
46             <!-- 配置加密的方式 -->
47             <security:password-encoder ref="passwordEncoder"/>
48         </security:authentication-provider>
49     </security:authentication-manager>
50 
51     <!-- 配置加密类 -->
52     <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
53 
54 </beans>

2.3使用数据库完成用户登录流程

下面是使用数据库完成认证操作的流程图

 

在Spring Security中如果想要使用数据进行认证操作,有很多种操作方式,这里我们介绍使用UserDetails、UserDetailsService来完成操作。

IUserService接口继承了UserDetailsService类,UserServiceImpl类实现了IUserService接口。

UserDetailsService 接口内有一个loadUserByUsername方法,返回的是UserDetails。

 1 public interface UserDetailsService {
 2     // ~ Methods
 3     // ========================================================================================================
 4 
 5     /**
 6      * Locates the user based on the username. In the actual implementation, the search
 7      * may possibly be case sensitive, or case insensitive depending on how the
 8      * implementation instance is configured. In this case, the <code>UserDetails</code>
 9      * object that comes back may have a username that is of a different case than what
10      * was actually requested..
11      *
12      * @param username the username identifying the user whose data is required.
13      *
14      * @return a fully populated user record (never <code>null</code>)
15      *
16      * @throws UsernameNotFoundException if the user could not be found or the user has no
17      * GrantedAuthority
18      */
19     UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
20 }

 根据spring-security的核心配置文件,需要将UserServiceImpl类命名为”userService”,并实现loadUserByUsername方法。

 loadUserByUsername方法根据用户名从数据库中查询用户信息UserInfo,并将UserInfo的用户名,密码和角色信息作为User的构造参数。

 1 package club.nipengfei.service.impl;
 2 
 3 import club.nipengfei.dao.IUserDao;
 4 import club.nipengfei.domain.Role;
 5 import club.nipengfei.domain.UserInfo;
 6 import club.nipengfei.service.IUserService;
 7 import org.springframework.beans.factory.annotation.Autowired;
 8 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 9 import org.springframework.security.core.userdetails.User;
10 import org.springframework.security.core.userdetails.UserDetails;
11 import org.springframework.security.core.userdetails.UsernameNotFoundException;
12 import org.springframework.stereotype.Service;
13 import org.springframework.transaction.annotation.Transactional;
14 
15 import java.util.ArrayList;
16 import java.util.Collection;
17 import java.util.List;
18 
19 @Service("userService")
20 @Transactional
21 public class UserServiceImpl implements IUserService {
22 
23     @Autowired
24     private IUserDao userDao;
25 
26     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
27         UserInfo userInfo = null;
28         try {
29             userInfo = userDao.findByUsername(username);31         } catch (Exception e) {
32             e.printStackTrace();
33         }
34         // 处理自己的用户对象分装成UserDetails
35         // 该spring security的User实现了UserDetails
36         User user = new User(userInfo.getUsername(),userInfo.getPassword(),getAuthority(userInfo.getRoles()));38         return user;
39     }
40 
41     public List<SimpleGrantedAuthority> getAuthority(List<Role> roles) {
42         List<SimpleGrantedAuthority> list = new ArrayList<SimpleGrantedAuthority>();
43         for (Role role:roles){
44             list.add(new SimpleGrantedAuthority("ROLE_"+role.getRoleName()));
45         }
46         return list;
47     }
48 }

 接口UserDetails,封装了当前认证用户的信息,但由于是一个接口,我们可以对其实现,也可以使用spring security提供的UserDetails实现类User完成操作

1 public interface UserDetails extends Serializable {
2     Collection<? extends GrantedAuthority> getAuthorities();
3     String getPassword();
4     String getUsername();
5     boolean isAccountNonExpired();
6     boolean isAccountNonLocked();
7     boolean isCredentialsNonExpired();
8     boolean isEnabled();
9 }
1 public class User implements UserDetails, CredentialsContainer {
2     private String password;
3     private final String username;
4     private final Set<GrantedAuthority> authorities;
5     private final boolean accountNonExpired; //帐户是否过期
6     private final boolean accountNonLocked; //帐户是否锁定
7     private final boolean credentialsNonExpired; //认证是否过期
8     private final boolean enabled; //帐户是否可用
9

 下面是根据用户名查询用户信息的IUserDao接口

 1 package club.nipengfei.dao;
 2 
 3 import club.nipengfei.domain.UserInfo;
 4 import org.apache.ibatis.annotations.Many;
 5 import org.apache.ibatis.annotations.Result;
 6 import org.apache.ibatis.annotations.Results;
 7 import org.apache.ibatis.annotations.Select;
 8 
 9 public interface IUserDao {
10 
11     @Select("select * from users where username=#{username}")
12     @Results({
13             @Result(id = true,property = "id",column = "id"),
14             @Result(property = "username",column = "username"),
15             @Result(property = "email",column = "email"),
16             @Result(property = "password",column = "password"),
17             @Result(property = "phoneNum",column = "phoneNum"),
18             @Result(property = "status",column = "status"),
19             @Result(property = "roles",column = "id",javaType = java.util.List.class,many = @Many(select = "club.nipengfei.dao.IRoleDao.findRoleByUserId"))
20     })
21     public UserInfo findByUsername(String username) throws Exception;
22 }

 2.4使用spring security完成权限控制(JSR-250注解)

不同的用户有不同的角色,根据角色使用户有不同的权限。在服务器端我们可以通过Spring security提供的注解对方法来进行权限控制。Spring Security在方法的权限控制上支持三种类型的注解,JSR-250注解、@Secured注解和支持表达式的注解,这三种注解默认都是没有启用的,需要单独通过global-method-security元素的对应属性进行启用

下面使用JSR-250注解完成权限控制:

需要在security-security.xml中开启权限,并且在pom.xml引入坐标

<security:global-method-security jsr250-annotations="enabled"></security:global-method-security>
<dependency>
        <groupId>javax.annotation</groupId>
        <artifactId>jsr250-api</artifactId>
        <version>1.0</version>
 </dependency>
  1. @RolesAllowed表示访问对应方法时所应该具有的角色
  2. @PermitAll表示允许所有的角色进行访问,也就是说不进行权限控制
  3. @DenyAll是和PermitAll相反的,表示无论什么角色都不能访问

 示例:

@RolesAllowed({"USER", "ADMIN"}) 该方法只要具有"USER", "ADMIN"任意一种权限就可以访问。这里可以省略前缀ROLE_,实际的权限可能是ROLE_ADMIN

 2.5使用spring security完成权限控制(@Secured注解)

 与上面的类似,少一步pom.xml坐标引入,因为该注解是spring security本身提供的。

版权声明:本文为qzwl原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://www.cnblogs.com/qzwl/p/11641497.html