当我们在管理后台数据的时候需要对管理者的身份进行认证和授权,在该项目中用到的安全认证服务框架是Spring Security。
1.Spring Security的简单入门
通过一个spring security的入门案例来了解使用该框架的基本步骤。
1.1使用IDEA新建一个webapp的maven工程,在pom.xml文件中引入spring security框架的相关坐标。
1 xml version="1.0" encoding="UTF-8"?> 2 3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 5 <modelVersion>4.0.0modelVersion> 6 7 <groupId>club.nipengfeigroupId> 8 <artifactId>spring_security_rumengartifactId> 9 <version>1.0-SNAPSHOTversion> 10 <packaging>warpackaging> 11 12 <name>spring_security_rumeng Maven Webappname> 13 14 <url>http://www.example.comurl> 15 16 <properties> 17 <spring.version>5.0.2.RELEASEspring.version> 18 <spring.security.version>5.0.1.RELEASEspring.security.version> 19 properties> 20 21 <dependencies> 22 <dependency> 23 <groupId>org.springframeworkgroupId> 24 <artifactId>spring-coreartifactId> 25 <version>${spring.version}version> 26 dependency> 27 <dependency> 28 <groupId>org.springframeworkgroupId> 29 <artifactId>spring-webartifactId> 30 <version>${spring.version}version> 31 dependency> 32 <dependency> 33 <groupId>org.springframeworkgroupId> 34 <artifactId>spring-webmvcartifactId> 35 <version>${spring.version}version> 36 dependency> 37 <dependency> 38 <groupId>org.springframeworkgroupId> 39 <artifactId>spring-context-supportartifactId> 40 <version>${spring.version}version> 41 dependency> 42 <dependency> 43 <groupId>org.springframeworkgroupId> 44 <artifactId>spring-testartifactId> 45 <version>${spring.version}version> 46 dependency> 47 <dependency> 48 <groupId>org.springframeworkgroupId> 49 <artifactId>spring-jdbcartifactId> 50 <version>${spring.version}version> 51 dependency> 52 53 <dependency> 54 <groupId>org.springframework.securitygroupId> 55 <artifactId>spring-security-webartifactId> 56 <version>${spring.security.version}version> 57 dependency> 58 <dependency> 59 <groupId>org.springframework.securitygroupId> 60 <artifactId>spring-security-configartifactId> 61 <version>${spring.security.version}version> 62 dependency> 63 <dependency> 64 <groupId>javax.servletgroupId> 65 <artifactId>javax.servlet-apiartifactId> 66 <version>3.1.0version> 67 <scope>providedscope> 68 dependency> 69 dependencies> 70 <build> 71 <plugins> 72 73 <plugin> 74 <groupId>org.apache.maven.pluginsgroupId> 75 <artifactId>maven-compiler-pluginartifactId> 76 <version>3.2version> 77 <configuration> 78 <source>1.8source> 79 <target>1.8target> 80 <encoding>UTF-8encoding> 81 configuration> 82 plugin> 83 <plugin> 84 <groupId>org.apache.tomcat.mavengroupId> 85 <artifactId>tomcat7-maven-pluginartifactId> 86 <configuration> 87 88 <port>8090port> 89 90 <path>/path> 91 configuration> 92 plugin> 93 plugins> 94 build> 95 project>
1.2在web.xml中配置一个spring security的过滤器和引入spring security的核心配置文件。
1 xml version="1.0" encoding="UTF-8"?> 2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 3 xmlns="http://java.sun.com/xml/ns/javaee" 4 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 5 version="2.5"> 6 <display-name>SpringSecurity314display-name> 7 8 <context-param> 9 <param-name>contextConfigLocationparam-name> 10 <param-value>classpath:spring-security.xmlparam-value> 11 context-param> 12 <listener> 13 <listener-class>org.springframework.web.context.ContextLoaderListenerlistener-class> 14 listener> 15 <filter> 16 <filter-name>springSecurityFilterChainfilter-name> 17 <filter-class>org.springframework.web.filter.DelegatingFilterProxyfilter-class> 18 filter> 19 <filter-mapping> 20 <filter-name>springSecurityFilterChainfilter-name> 21 <url-pattern>/*url-pattern> 22 filter-mapping> 23 <welcome-file-list> 24 <welcome-file>index.htmlwelcome-file> 25 <welcome-file>index.htmwelcome-file> 26 <welcome-file>index.jspwelcome-file> 27 <welcome-file>default.htmlwelcome-file> 28 <welcome-file>default.htmwelcome-file> 29 <welcome-file>default.jspwelcome-file> 30 welcome-file-list> 31 web-app>
1.3在resource资源路径下新建一个该框架的核心配置文件spring-security.xml
1 xml version="1.0" encoding="UTF-8"?> 2 <beans xmlns="http://www.springframework.org/schema/beans" 3 xmlns:security="http://www.springframework.org/schema/security" 4 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 5 xsi:schemaLocation="http://www.springframework.org/schema/beans 6 http://www.springframework.org/schema/beans/spring-beans.xsd 7 http://www.springframework.org/schema/security 8 http://www.springframework.org/schema/security/spring-security.xsd"> 9 <security:http auto-config="true" use-expressions="false"> 10 14 <security:intercept-url pattern="/**" access="ROLE_USER" /> 15 18 security:http> 19 <security:authentication-manager> 20 <security:authentication-provider> 21 <security:user-service> 22 <security:user name="user" password="{noop}user" 23 authorities="ROLE_USER" /> 24 <security:user name="admin" password="{noop}admin" 25 authorities="ROLE_ADMIN" /> 26 security:user-service> 27 security:authentication-provider> 28 security:authentication-manager> 29 beans>
1.4入门案例总结
启动该入门案例发现直接跳转到了登录页面,但是我们并没有写有关登录的页面,这个页面是该框架本身自己的。
因为在核心配置文件中有
当我们随意输入一个用户名"npf"和密码"1233"(配置文件中没有该用户名密码)时会出现如下提示
当我们输入用户名"admin"密码"admin"(配置文件中有该用户名密码但该角色不符合要求)时会出现如下提示,该提示表示权限不足。
当我们输入用户名"user"密码"user"时能够正常访问到index.jsp页面
上述简单入门案例存在明显不足之处,需要改进。
- 登录页面太简陋需要自定义
- 登录的账号一般在数据库中而不是在配置文件中
2.spring security在数据后台管理中的使用
为了确保数据的安全,在管理数据过程中需要对管理者的身份进行验证,并且让不同的管理者有不同的操作权限。
2.1与入门案例相似,在pom.xml文件中引入相应坐标,并在web.xml中配置一个spring security的过滤器和引入spring security的核心配置文件。
1 xml version="1.0" encoding="UTF-8"?> 2 3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 5 <modelVersion>4.0.0modelVersion> 6 7 <groupId>club.nipengfeigroupId> 8 <artifactId>ssm5artifactId> 9 <version>1.0-SNAPSHOTversion> 10 <packaging>warpackaging> 11 12 <name>ssm5 Maven Webappname> 13 14 <url>http://www.example.comurl> 15 16 <properties> 17 <spring.version>5.0.2.RELEASEspring.version> 18 <slf4j.version>1.6.6slf4j.version> 19 <log4j.version>1.2.12log4j.version> 20 <mysql.version>5.1.6mysql.version> 21 <mybatis.version>3.4.5mybatis.version> 22 <spring.security.version>5.0.1.RELEASEspring.security.version> 23 properties> 24 <dependencies> 25 26 <dependency> 27 <groupId>org.aspectjgroupId> 28 <artifactId>aspectjweaverartifactId> 29 <version>1.6.8version> 30 dependency> 31 <dependency> 32 <groupId>org.springframeworkgroupId> 33 <artifactId>spring-aopartifactId> 34 <version>${spring.version}version> 35 dependency> 36 <dependency> 37 <groupId>org.springframeworkgroupId> 38 <artifactId>spring-contextartifactId> 39 <version>${spring.version}version> 40 dependency> 41 <dependency> 42 <groupId>org.springframeworkgroupId> 43 <artifactId>spring-webartifactId> 44 <version>${spring.version}version> 45 dependency> 46 <dependency> 47 <groupId>org.springframeworkgroupId> 48 <artifactId>spring-webmvcartifactId> 49 <version>${spring.version}version> 50 dependency> 51 <dependency> 52 <groupId>org.springframeworkgroupId> 53 <artifactId>spring-testartifactId> 54 <version>${spring.version}version> 55 dependency> 56 <dependency> 57 <groupId>org.springframeworkgroupId> 58 <artifactId>spring-txartifactId> 59 <version>${spring.version}version> 60 dependency> 61 <dependency> 62 <groupId>org.springframeworkgroupId> 63 <artifactId>spring-jdbcartifactId> 64 <version>${spring.version}version> 65 dependency> 66 <dependency> 67 <groupId>junitgroupId> 68 <artifactId>junitartifactId> 69 <version>4.12version> 70 <scope>compilescope> 71 dependency> 72 <dependency> 73 <groupId>mysqlgroupId> 74 <artifactId>mysql-connector-javaartifactId> 75 <version>${mysql.version}version> 76 dependency> 77 <dependency> 78 <groupId>javax.servletgroupId> 79 <artifactId>servlet-apiartifactId> 80 <version>2.5version> 81 <scope>providedscope> 82 dependency> 83 <dependency> 84 <groupId>javax.servlet.jspgroupId> 85 <artifactId>jsp-apiartifactId> 86 <version>2.0version> 87 <scope>providedscope> 88 dependency> 89 <dependency> 90 <groupId>jstlgroupId> 91 <artifactId>jstlartifactId> 92 <version>1.2version> 93 dependency> 94 95 <dependency> 96 <groupId>log4jgroupId> 97 <artifactId>log4jartifactId> 98 <version>${log4j.version}version> 99 dependency> 100 <dependency> 101 <groupId>org.slf4jgroupId> 102 <artifactId>slf4j-apiartifactId> 103 <version>${slf4j.version}version> 104 dependency> 105 <dependency> 106 <groupId>org.slf4jgroupId> 107 <artifactId>slf4j-log4j12artifactId> 108 <version>${slf4j.version}version> 109 dependency> 110 111 <dependency> 112 <groupId>org.mybatisgroupId> 113 <artifactId>mybatisartifactId> 114 <version>${mybatis.version}version> 115 dependency> 116 <dependency> 117 <groupId>org.mybatisgroupId> 118 <artifactId>mybatis-springartifactId> 119 <version>1.3.0version> 120 dependency> 121 <dependency> 122 <groupId>c3p0groupId> 123 <artifactId>c3p0artifactId> 124 <version>0.9.1.2version> 125 <type>jartype> 126 <scope>compilescope> 127 dependency> 128 <dependency> 129 <groupId>com.github.pagehelpergroupId> 130 <artifactId>pagehelperartifactId> 131 <version>5.1.2version> 132 dependency> 133 <dependency> 134 <groupId>org.springframework.securitygroupId> 135 <artifactId>spring-security-webartifactId> 136 <version>${spring.security.version}version> 137 dependency> 138 <dependency> 139 <groupId>org.springframework.securitygroupId> 140 <artifactId>spring-security-configartifactId> 141 <version>${spring.security.version}version> 142 dependency> 143 <dependency> 144 <groupId>org.springframework.securitygroupId> 145 <artifactId>spring-security-coreartifactId> 146 <version>${spring.security.version}version> 147 dependency> 148 <dependency> 149 <groupId>org.springframework.securitygroupId> 150 <artifactId>spring-security-taglibsartifactId> 151 <version>${spring.security.version}version> 152 dependency> 153 154 <dependency> 155 <groupId>mysqlgroupId> 156 <artifactId>mysql-connector-javaartifactId> 157 <version>${mysql.version}version> 158 dependency> 159 160 <dependency> 161 <groupId>javax.annotationgroupId> 162 <artifactId>jsr250-apiartifactId> 163 <version>1.0version> 164 dependency> 165 166 dependencies> 167 168 <build> 169 <finalName>ssm5finalName> 170 <pluginManagement> 171 <plugins> 172 <plugin> 173 <artifactId>maven-clean-pluginartifactId> 174 <version>3.1.0version> 175 plugin> 176 177 <plugin> 178 <artifactId>maven-resources-pluginartifactId> 179 <version>3.0.2version> 180 plugin> 181 <plugin> 182 <artifactId>maven-compiler-pluginartifactId> 183 <version>3.8.0version> 184 plugin> 185 <plugin> 186 <artifactId>maven-surefire-pluginartifactId> 187 <version>2.22.1version> 188 plugin> 189 <plugin> 190 <artifactId>maven-war-pluginartifactId> 191 <version>3.2.2version> 192 plugin> 193 <plugin> 194 <artifactId>maven-install-pluginartifactId> 195 <version>2.5.2version> 196 plugin> 197 <plugin> 198 <artifactId>maven-deploy-pluginartifactId> 199 <version>2.8.2version> 200 plugin> 201 plugins> 202 pluginManagement> 203 build> 204 project>
1 xml version="1.0" encoding="UTF-8"?> 2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 3 xmlns="http://xmlns.jcp.org/xml/ns/javaee" 4 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" 5 version="3.1"> 6 7 <display-name>Archetype Created web Applicationdisplay-name> 8 9 <listener> 10 <listener-class>org.springframework.web.context.ContextLoaderListenerlistener-class> 11 listener> 12 13 <context-param> 14 <param-name>contextConfigLocationparam-name> 15 <param-value>classpath*:applicationContext.xml,classpath*:spring-security.xmlparam-value> 16 context-param> 17 18 <servlet> 19 <servlet-name>dispatcherServletservlet-name> 20 <servlet-class>org.springframework.web.servlet.DispatcherServletservlet-class> 21 22 <init-param> 23 <param-name>contextConfigLocationparam-name> 24 <param-value>classpath:springmvc.xmlparam-value> 25 init-param> 26 27 <load-on-startup>1load-on-startup> 28 servlet> 29 <servlet-mapping> 30 <servlet-name>dispatcherServletservlet-name> 31 <url-pattern>*.dourl-pattern> 32 servlet-mapping> 33 34 35 <filter> 36 <filter-name>characterEncodingFilterfilter-name> 37 <filter-class>org.springframework.web.filter.CharacterEncodingFilterfilter-class> 38 <init-param> 39 <param-name>encodingparam-name> 40 <param-value>UTF-8param-value> 41 init-param> 42 filter> 43 <filter-mapping> 44 <filter-name>characterEncodingFilterfilter-name> 45 <url-pattern>/*url-pattern> 46 filter-mapping> 47 48 49 <filter> 50 <filter-name>springSecurityFilterChainfilter-name> 51 <filter-class>org.springframework.web.filter.DelegatingFilterProxyfilter-class> 52 filter> 53 <filter-mapping> 54 <filter-name>springSecurityFilterChainfilter-name> 55 <url-pattern>/*url-pattern> 56 filter-mapping> 57 58 <welcome-file-list> 59 <welcome-file>index.htmlwelcome-file> 60 <welcome-file>index.htmwelcome-file> 61 <welcome-file>index.jspwelcome-file> 62 <welcome-file>default.htmlwelcome-file> 63 <welcome-file>default.htmwelcome-file> 64 <welcome-file>default.jspwelcome-file> 65 welcome-file-list> 66 web-app>
2.2配置spring security的核心配置文件
与入门案例相比,这里配置了不拦截的资源,自定义了登录页面,实现了退出操作,将原先定义在配置页面中的登录用户名和密码切换成在数据库中。
1 xml version="1.0" encoding="UTF-8"?> 2 <beans xmlns="http://www.springframework.org/schema/beans" 3 xmlns:security="http://www.springframework.org/schema/security" 4 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 5 xsi:schemaLocation="http://www.springframework.org/schema/beans 6 http://www.springframework.org/schema/beans/spring-beans.xsd 7 http://www.springframework.org/schema/security 8 http://www.springframework.org/schema/security/spring-security.xsd"> 9 10 11 <security:http pattern="/login.jsp" security="none"/> 12 <security:http pattern="/failer.jsp" security="none"/> 13 <security:http pattern="/css/**" security="none"/> 14 <security:http pattern="/img/**" security="none"/> 15 <security:http pattern="/plugins/**" security="none"/> 16 17 22 <security:http auto-config="true" use-expressions="true"> 23 24 <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/> 25 26 27 <security:form-login 28 login-page="/login.jsp" 29 login-processing-url="/login.do" 30 default-target-url="/index.jsp" 31 authentication-failure-url="/failer.jsp" 32 authentication-success-forward-url="/pages/main.jsp" 33 /> 34 35 36 <security:csrf disabled="true"/> 37 38 39 <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp" /> 40 41 security:http> 42 43 44 <security:authentication-manager> 45 <security:authentication-provider user-service-ref="userService"> 46 47 <security:password-encoder ref="passwordEncoder"/> 48 security:authentication-provider> 49 security:authentication-manager> 50 51 52 <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/> 53 54 beans>
2.3使用数据库完成用户登录流程
下面是使用数据库完成认证操作的流程图
在Spring Security中如果想要使用数据进行认证操作,有很多种操作方式,这里我们介绍使用UserDetails、UserDetailsService来完成操作。
IUserService接口继承了UserDetailsService类,UserServiceImpl类实现了IUserService接口。
UserDetailsService 接口内有一个loadUserByUsername方法,返回的是UserDetails。
1 public interface UserDetailsService { 2 // ~ Methods 3 // ======================================================================================================== 4 5 /** 6 * Locates the user based on the username. In the actual implementation, the search 7 * may possibly be case sensitive, or case insensitive depending on how the 8 * implementation instance is configured. In this case, theUserDetails9 * object that comes back may have a username that is of a different case than what 10 * was actually requested.. 11 * 12 * @param username the username identifying the user whose data is required. 13 * 14 * @return a fully populated user record (nevernull) 15 * 16 * @throws UsernameNotFoundException if the user could not be found or the user has no 17 * GrantedAuthority 18 */ 19 UserDetails loadUserByUsername(String username) throws UsernameNotFoundException; 20 }
根据spring-security的核心配置文件,需要将UserServiceImpl类命名为"userService",并实现loadUserByUsername方法。
loadUserByUsername方法根据用户名从数据库中查询用户信息UserInfo,并将UserInfo的用户名,密码和角色信息作为User的构造参数。
1 package club.nipengfei.service.impl; 2 3 import club.nipengfei.dao.IUserDao; 4 import club.nipengfei.domain.Role; 5 import club.nipengfei.domain.UserInfo; 6 import club.nipengfei.service.IUserService; 7 import org.springframework.beans.factory.annotation.Autowired; 8 import org.springframework.security.core.authority.SimpleGrantedAuthority; 9 import org.springframework.security.core.userdetails.User; 10 import org.springframework.security.core.userdetails.UserDetails; 11 import org.springframework.security.core.userdetails.UsernameNotFoundException; 12 import org.springframework.stereotype.Service; 13 import org.springframework.transaction.annotation.Transactional; 14 15 import java.util.ArrayList; 16 import java.util.Collection; 17 import java.util.List; 18 19 @Service("userService") 20 @Transactional 21 public class UserServiceImpl implements IUserService { 22 23 @Autowired 24 private IUserDao userDao; 25 26 public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { 27 UserInfo userInfo = null; 28 try { 29 userInfo = userDao.findByUsername(username);31 } catch (Exception e) { 32 e.printStackTrace(); 33 } 34 // 处理自己的用户对象分装成UserDetails 35 // 该spring security的User实现了UserDetails 36 User user = new User(userInfo.getUsername(),userInfo.getPassword(),getAuthority(userInfo.getRoles()));38 return user; 39 } 40 41 public ListgetAuthority(List roles) { 42 List list = new ArrayList (); 43 for (Role role:roles){ 44 list.add(new SimpleGrantedAuthority("ROLE_"+role.getRoleName())); 45 } 46 return list; 47 } 48 }
接口UserDetails,封装了当前认证用户的信息,但由于是一个接口,我们可以对其实现,也可以使用spring security提供的UserDetails实现类User完成操作
1 public interface UserDetails extends Serializable { 2 Collectionextends GrantedAuthority> getAuthorities(); 3 String getPassword(); 4 String getUsername(); 5 boolean isAccountNonExpired(); 6 boolean isAccountNonLocked(); 7 boolean isCredentialsNonExpired(); 8 boolean isEnabled(); 9 }
1 public class User implements UserDetails, CredentialsContainer { 2 private String password; 3 private final String username; 4 private final Setauthorities; 5 private final boolean accountNonExpired; //帐户是否过期 6 private final boolean accountNonLocked; //帐户是否锁定 7 private final boolean credentialsNonExpired; //认证是否过期 8 private final boolean enabled; //帐户是否可用 9 }
下面是根据用户名查询用户信息的IUserDao接口
1 package club.nipengfei.dao; 2 3 import club.nipengfei.domain.UserInfo; 4 import org.apache.ibatis.annotations.Many; 5 import org.apache.ibatis.annotations.Result; 6 import org.apache.ibatis.annotations.Results; 7 import org.apache.ibatis.annotations.Select; 8 9 public interface IUserDao { 10 11 @Select("select * from users where username=#{username}") 12 @Results({ 13 @Result(id = true,property = "id",column = "id"), 14 @Result(property = "username",column = "username"), 15 @Result(property = "email",column = "email"), 16 @Result(property = "password",column = "password"), 17 @Result(property = "phoneNum",column = "phoneNum"), 18 @Result(property = "status",column = "status"), 19 @Result(property = "roles",column = "id",javaType = java.util.List.class,many = @Many(select = "club.nipengfei.dao.IRoleDao.findRoleByUserId")) 20 }) 21 public UserInfo findByUsername(String username) throws Exception; 22 }
2.4使用spring security完成权限控制(JSR-250注解)
不同的用户有不同的角色,根据角色使用户有不同的权限。在服务器端我们可以通过Spring security提供的注解对方法来进行权限控制。Spring Security在方法的权限控制上支持三种类型的注解,JSR-250注解、@Secured注解和支持表达式的注解,这三种注解默认都是没有启用的,需要单独通过global-method-security元素的对应属性进行启用
下面使用JSR-250注解完成权限控制:
需要在security-security.xml中开启权限,并且在pom.xml引入坐标
<security:global-method-security jsr250-annotations="enabled">security:global-method-security>
<dependency> <groupId>javax.annotationgroupId> <artifactId>jsr250-apiartifactId> <version>1.0version> dependency>
- @RolesAllowed表示访问对应方法时所应该具有的角色
- @PermitAll表示允许所有的角色进行访问,也就是说不进行权限控制
- @DenyAll是和PermitAll相反的,表示无论什么角色都不能访问
示例:
@RolesAllowed({"USER", "ADMIN"}) 该方法只要具有"USER", "ADMIN"任意一种权限就可以访问。这里可以省略前缀ROLE_,实际的权限可能是ROLE_ADMIN
2.5使用spring security完成权限控制(@Secured注解)
与上面的类似,少一步pom.xml坐标引入,因为该注解是spring security本身提供的。