Spring Security 4.X xml配置,草稿记录
"org.springframework.security:spring-security-web:4.1.0.RELEASE",
"org.springframework.security:spring-security-taglibs:4.1.0.RELEASE",
"org.springframework.security:spring-security-config:4.1.0.RELEASE"
配置framework-spring-security.xml
在framework-spring-mvc.xml引用其它依赖的配置文件
3.编写自定义UserDetailsService
package com.framework.security;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import javax.annotation.Resource;
import java.util.*;
/****
* @author tzz
* @功能描述
* @date 2016/5/3
* 修改人 修改时间 修改说明
****/
@Service
@Transactional(rollbackFor=Exception.class)
public class UserDetailsServiceImpl implements UserDetailsService {
@Resource
CustomUserDao customUserDao;
JdbcUserDetailsManager k;
private Map userMap = null;
protected final Log logger = LogFactory.getLog(getClass());
protected final MessageSourceAccessor messages = SpringSecurityMessageSource
.getAccessor();
private String usersByUsernameQuery = "SELECT account,pwd,stat,salt,id,company_id,name,login_stat,login_date ,login_ip FROM USER_ACCOUNT WHERE ACCOUNT = ?";
private String authoritiesByUsernameQuery ="SELECT NAME,POWER_CODE FROM VW_USER_POWER WHERE ACCOUNT_ID = ?";
public UserDetailsServiceImpl() {
userMap = new HashMap<>();
}
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
/*SecurityContextHolder.getContext()
.getAuthentication().getName();*/
List users = loadUsersByUsername(username);
if (users.size() == 0) {
logger.debug("Query returned no results for user '" + username + "'");
throw new UsernameNotFoundException(messages.getMessage(
"JdbcDaoImpl.notFound", new Object[] { username },
"Username {0} not found"));
}
UserInfo user = (UserInfo)users.get(0);
Set dbAuthsSet = new HashSet<>();
dbAuthsSet.addAll(loadUserAuthorities(user.getId()));
dbAuthsSet.add(new SimpleGrantedAuthority("ROLE_STATIC"));
List dbAuths = new ArrayList<>(dbAuthsSet);
if (dbAuths.size() == 0) {
logger.debug("User '" + username
+ "' has no authorities and will be treated as 'not found'");
throw new UsernameNotFoundException(messages.getMessage(
"JdbcDaoImpl.noAuthority", new Object[] { username },
"User {0} has no GrantedAuthority"));
}
return createUserDetails(username,user,dbAuths);
//return user;
}
protected UserDetails createUserDetails(String username,
UserInfo userFromUserQuery, List combinedAuthorities) {
String returnUsername = userFromUserQuery.getUsername();
UserInfo user = new UserInfo(returnUsername,userFromUserQuery.getPassword(), userFromUserQuery.isEnabled(), true, true, true,
combinedAuthorities);
user.setId(userFromUserQuery.getId());
user.setCompanyId(userFromUserQuery.getCompanyId());
user.setName(userFromUserQuery.getName());
user.setLoginStat(userFromUserQuery.getLoginStat());
user.setLoginDate(userFromUserQuery.getLoginDate());
user.setLoginIP(userFromUserQuery.getLoginIP());
user.setSalt(userFromUserQuery.getSalt());
return user;
}
/**
* Loads authorities by executing the SQL from
* groupAuthoritiesByUsernameQuery.
*
* @return a list of GrantedAuthority objects for the user
*/
protected List loadUserAuthorities(int userId) {
try {
return customUserDao.queryForList(this.authoritiesByUsernameQuery,
new Object[] { userId },(rs,rowNum)-> {
String roleName = getRolePrefix() + rs.getString(2);
return new SimpleGrantedAuthority(roleName);
});
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
public String getRolePrefix() {
return "ROLE_";
}
/**
* Loads authorities by executing the SQL from authoritiesByUsernameQuery.
*
* @return a list of GrantedAuthority objects for the user
*/
protected List loadUsersByUsername(String username) {
try {
return customUserDao.queryForList(this.usersByUsernameQuery, new Object[] { username},
(rs, rowNum) -> {
String username1 = rs.getString(1);
String password = rs.getString(2);
boolean enabled = rs.getBoolean(3);
UserInfo user = new UserInfo(username1, password, enabled, true, true, true,
AuthorityUtils.NO_AUTHORITIES);
user.setSalt(rs.getString(4));
user.setId(rs.getInt(5));
user.setCompanyId(rs.getInt(6));
user.setName(rs.getString(7));
user.setLoginStat(rs.getInt(8));
user.setLoginDate(rs.getLong(9));
user.setLoginIP(rs.getString(10));
return user;
}
);
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
}
spring Security 调试的时候用到UsernamePasswordAuthenticationFilter
BasicAuthenticationFilter
MessageDigestPasswordEncoder.isPasswordValid
package com.framework.security;
import com.framework.db.BaseDao;
import org.springframework.stereotype.Repository;
@Repository("customUserDao")
public class CustomUserDao extends BaseDao {
public CustomUserDao() {
super(Object.class);
}
}基于框架的BaseDao @Repository("baseDao")
public class BaseDao implements BaseDaoImp {
Logger log1 = LoggerFactory.getLogger(BaseDao.class);
@Resource(name="jdbcTemplate")
private JdbcTemplate jdbcTemplate;
public JdbcTemplate getJdbcTemplate(){
return this.jdbcTemplate;
}
private Class entityClass;
public BaseDao(){}
public BaseDao(Class entityClass) {
this.entityClass = entityClass;
}
@Override
public List queryForList(String sql, Object[] args, RowMapper rowMapper) throws DataAccessException {
return jdbcTemplate.query(sql, args,rowMapper);
}
}
自定义UserInfo对象
package com.framework.security;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import java.util.Collection;
/****
* @author tzz
* @功能描述
* @date 2016/5/3
* 修改人 修改时间 修改说明
****/
public class UserInfo extends User {
private int id;
private int companyId;//所属公司
private int loginSystemId = 0;//当前登录系统ID
private String name;//用户名称
private int loginStat;//登录状态 1:登录 2:未登陆
private String loginIP;//登录IP
private long loginDate;//登录时间
private String salt;//盐值字段
public UserInfo(String username, String password, Collection authorities) {
super(username, password, authorities);
}
public UserInfo(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection authorities) {
super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
}
public String getSalt() {
return salt;
}
public void setSalt(String salt) {
this.salt = salt;
}
public int getId() {
return id;
}
public void setId(int id) {
this.id = id;
}
public int getCompanyId() {
return companyId;
}
public void setCompanyId(int companyId) {
this.companyId = companyId;
}
public int getLoginSystemId() {
return loginSystemId;
}
public void setLoginSystemId(int loginSystemId) {
this.loginSystemId = loginSystemId;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public int getLoginStat() {
return loginStat;
}
public void setLoginStat(int loginStat) {
this.loginStat = loginStat;
}
public String getLoginIP() {
return loginIP;
}
public void setLoginIP(String loginIP) {
this.loginIP = loginIP;
}
public long getLoginDate() {
return loginDate;
}
public void setLoginDate(long loginDate) {
this.loginDate = loginDate;
}
}