Steps for access control with Spring Security (authenticating against the user table in the database)

1. Import the dependencies

<dependencies>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.0.1.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.0.1.RELEASE</version>
    </dependency>
</dependencies>

2. Create the Spring Security configuration file and have web.xml load it at startup

Schema declaration for the Spring Security configuration file:


<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
</beans>

web.xml configuration that loads the Spring Security configuration file when the application starts:

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:applicationContext.xml</param-value>
  </context-param>

3. Writing the user authentication class

First, create an authentication class that implements the org.springframework.security.core.userdetails.UserDetailsService interface and its public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException method. The method returns a UserDetails object that wraps the information about the user being authenticated. During authentication Spring Security passes in the username; if the username cannot be found (the method throws an exception) or the password is wrong, the user is sent to the failure page.
Spring Security requires user passwords to be stored encoded (hashed with BCrypt here), never in plain text.
package com.ZepngLin.service.imp;

import com.ZepngLin.dao.UserDao;
import com.ZepngLin.domain.Role;
import com.ZepngLin.domain.UserInfo;
import com.ZepngLin.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;

import java.util.ArrayList;
import java.util.List;

// UserService is expected to extend org.springframework.security.core.userdetails.UserDetailsService,
// which is why loadUserByUsername can be marked @Override here.
@Service("userService")
public class UserServiceImp implements UserService {
    @Autowired
    UserDao dao;
    @Autowired
    private BCryptPasswordEncoder passwordEncoder;      // used to hash passwords before they are stored

    /**
     * @param s the username submitted on the login form
     * @return the details of the user being authenticated
     * @throws UsernameNotFoundException if no such user exists
     */
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        List<SimpleGrantedAuthority> authorities = new ArrayList<>();   // granted authorities (roles)
        UserInfo userInfo = dao.findByUsername(s);                      // look the user up in the database
        if (userInfo == null) {
            // Report "user not found" to Spring Security instead of failing with a NullPointerException
            throw new UsernameNotFoundException("User not found: " + s);
        }
        for (Role role : userInfo.getRoles()) {
            authorities.add(new SimpleGrantedAuthority(role.getRoleName()));    // each role the user holds (ROLE_ prefix)
        }
        // User implements UserDetails; the stored password is the BCrypt hash written by save()
        return new User(userInfo.getUsername(), userInfo.getPassword(), authorities);
    }

    @Override
    public List<UserInfo> findAll() {
        return dao.findAll();
    }

    @Override
    public void save(UserInfo user) {
        user.setPassword(passwordEncoder.encode(user.getPassword()));  // hash the password before saving
        dao.save(user);
    }

    @Override
    public UserInfo findById(int id) {
        return dao.findById(id);
    }

    @Override
    public List<Role> findOtherRoles(int id) {
        return dao.findOtherRoles(id);
    }

    // Assign roles to a user
    @Override
    public void addRoleToUser(int id, Integer[] roleIds) {
        for (int roleId : roleIds) {
            dao.addRoleToUser(id, roleId);
        }
    }
}

4. Writing the Spring Security configuration file

Role names must carry the ROLE_ prefix. With the configuration below, only users who hold the ROLE_GUEST role can browse the pages.


<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Enable @Secured annotations on bean methods -->
    <security:global-method-security secured-annotations="enabled"/>

    <!-- Pages and static resources that bypass the security filter chain entirely -->
    <security:http security="none" pattern="/pages/login.jsp" />
    <security:http security="none" pattern="/pages/failer.jsp" />
    <security:http pattern="/css/**" security="none"/>
    <security:http pattern="/img/**" security="none"/>
    <security:http pattern="/plugins/**" security="none"/>

    <security:http auto-config="true" use-expressions="false">

        <!-- Every other URL requires the ROLE_GUEST role -->
        <security:intercept-url pattern="/**" access="ROLE_GUEST" />

        <!-- Form login: the login page, the URL the form posts to, and the form field names -->
        <security:form-login login-page="/pages/login.jsp"
                             login-processing-url="/login.do"
                             username-parameter="username"
                             password-parameter="password" />

        <security:logout invalidate-session="true" logout-url="/logout.do"
                         logout-success-url="/login.jsp" />

        <!-- CSRF protection is switched off here for simplicity; in production keep it enabled
             and include the CSRF token in the login and logout forms instead -->
        <security:csrf disabled="true" />
    </security:http>

    <!-- BCrypt encoder, used both when saving users and when verifying logins -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <security:authentication-manager>
        <!-- Load users through the userService bean and compare passwords with BCrypt -->
        <security:authentication-provider user-service-ref="userService">
            <security:password-encoder ref="passwordEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="webexpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />
</beans>
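To show how steps 3 and 4 fit together at runtime, here is an added example (not code from the original post) that wires a UserDetailsService with the same contract as UserServiceImp into a DaoAuthenticationProvider backed by BCrypt, exactly what the authentication-provider element above builds, and exercises it without a Spring container or database. The AuthFlowDemo class and the USERS map are assumptions standing in for UserDao; it only needs spring-security-core on the classpath.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
public class AuthFlowDemo {
    // Hypothetical in-memory stand-in for UserDao: username -> BCrypt hash, never the plain password
    static final Map<String, String> USERS = new HashMap<>();
    static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Same contract as UserServiceImp.loadUserByUsername: throw for an unknown user, never return null
    static final UserDetailsService USER_SERVICE = username -> {
        String hash = USERS.get(username);
        if (hash == null) {
            throw new UsernameNotFoundException("no such user: " + username);
        }
        // Authorities must carry the ROLE_ prefix to satisfy access="ROLE_GUEST" in the XML config
        return new User(username, hash, Collections.singletonList(new SimpleGrantedAuthority("ROLE_GUEST")));
    };
    static String tryLogin(DaoAuthenticationProvider p, String user, String password) {
        try {
            Authentication a = p.authenticate(new UsernamePasswordAuthenticationToken(user, password));
            return "OK " + a.getAuthorities();
        } catch (BadCredentialsException e) {
            return "REJECTED";   // wrong password, or unknown user (see main)
        }
    }

    public static void main(String[] args) {
        USERS.put("alice", ENCODER.encode("s3cret"));   // what UserServiceImp.save() would store
        // Equivalent of <security:authentication-provider user-service-ref="userService">
        // together with <security:password-encoder ref="passwordEncoder"/>
        DaoAuthenticationProvider p = new DaoAuthenticationProvider();
        p.setUserDetailsService(USER_SERVICE);
        p.setPasswordEncoder(ENCODER);
        System.out.println(tryLogin(p, "alice", "s3cret"));    // correct password: accepted with ROLE_GUEST
        System.out.println(tryLogin(p, "alice", "wrong"));     // wrong password: rejected
        // Unknown user: also rejected, because DaoAuthenticationProvider hides UsernameNotFoundException
        // behind BadCredentialsException by default, so the login form does not reveal which usernames exist
        System.out.println(tryLogin(p, "mallory", "s3cret"));
    }
}
```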

5. Summary of the available access-control methods:

(1) Configure in XML the role required for each URL pattern:
All paths require ROLE_GUEST (the <security:intercept-url pattern="/**" access="ROLE_GUEST" /> line in the configuration above).
(2) Use the security tag library to control the visibility of JSP components
Import the tag library: <%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
Wrap the markup that needs access control in the tag:

<security:authorize access="hasRole('ROLE_ROOT')">
	<div>
		protected markup
	</div>
</security:authorize>

(3) Via annotations: with <security:global-method-security secured-annotations="enabled"/> in the configuration above, a bean method can be annotated with @Secured("ROLE_ROOT"), and Spring Security checks the caller's roles before the method runs.
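As an added illustration of method (3), not code from the original post, here is a hypothetical UserController whose handler methods are guarded with @Secured on top of the URL rule from the XML configuration; the controller name, mappings and view names are assumptions.

```java
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping("/user")
public class UserController {

    // Reachable by anyone who passed the /** -> ROLE_GUEST rule in the XML configuration
    @RequestMapping("/findAll.do")
    public String findAll() {
        return "user-list";
    }

    // Method security is checked after the URL rule: a user holding only ROLE_GUEST who reaches this
    // handler gets an AccessDeniedException, which the filter chain turns into HTTP 403
    @Secured("ROLE_ROOT")
    @RequestMapping("/addRole.do")
    public String addRoleToUser() {
        return "redirect:findAll.do";
    }

    // Several roles: holding any one of them is sufficient (values must keep the ROLE_ prefix)
    @Secured({"ROLE_ROOT", "ROLE_ADMIN"})
    @RequestMapping("/delete.do")
    public String delete() {
        return "redirect:findAll.do";
    }
}
```

The global-method-security element only proxies beans in the context where it is declared, so for controllers living in the DispatcherServlet's child context the element must also appear in that context's configuration, otherwise the annotations are silently ignored.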
