[SSM Basics] Setting up Spring Security

A simple Spring Security setup

1. Import the Maven dependencies

Open pom.xml
Add the version number

    <spring.security.version>5.0.1.RELEASE</spring.security.version>

Add the dependencies

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
            <version>${spring.security.version}</version>
        </dependency>

Wait for IDEA to import the JARs automatically

2. Add spring-security.xml

Create a new spring-security.xml file in the resources folder
Add the following configuration to spring-security.xml

    
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

        <!-- Enable method-level security annotations -->
        <security:global-method-security pre-post-annotations="enabled" jsr250-annotations="enabled" secured-annotations="enabled"></security:global-method-security>

        <!-- Resources that bypass the security filter chain entirely -->
        <security:http pattern="/login.jsp" security="none"/>
        <security:http pattern="/failer.jsp" security="none"/>
        <security:http pattern="/css/**" security="none"/>
        <security:http pattern="/img/**" security="none"/>
        <security:http pattern="/plugins/**" security="none"/>

        <!-- Main filter chain -->
        <security:http auto-config="true" use-expressions="true">
            <!-- Every other URL requires ROLE_USER or ROLE_ADMIN -->
            <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>

            <!-- Form login pages and URLs -->
            <security:form-login login-page="/login.jsp"
                                 login-processing-url="/login.do"
                                 default-target-url="/index.jsp"
                                 authentication-failure-url="/failer.jsp"
                                 authentication-success-forward-url="/pages/main.jsp"/>

            <!-- CSRF protection is switched off in this setup -->
            <security:csrf disabled="true"/>

            <!-- Logout: invalidate the session and return to the login page -->
            <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp"></security:logout>

        </security:http>

        <!-- Authentication is delegated to the userService bean -->
        <security:authentication-manager>
            <security:authentication-provider user-service-ref="userService">
                <!-- No password encoder is referenced here; the service prefixes passwords with {noop} -->
            </security:authentication-provider>
        </security:authentication-manager>

        <!-- BCrypt encoder bean (declared, but not referenced by the authentication-provider above) -->
        <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    </beans>

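As you can see, spring-security.xml configures two roles, ROLE_ADMIN and ROLE_USER
As you can see, the Service invoked for authentication is named userService

3. Configure the Spring Security filter in web.xml

Open web.xml
Add the following code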

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

4. Configure spring-security.xml in web.xml

Open web.xml
In the <param-value> of the <context-param> node, add classpath*:spring-security.xml; join multiple XML paths with ;

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath*:applicationContext.xml;classpath*:spring-security.xml</param-value>
    </context-param>

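5. Write the Service layer

Have IUserService extend the UserDetailsService interface, and have UserService implement IUserService
Annotate UserService with @Service("userService") so that its name matches spring-security.xml
In UserService, implement the public UserDetails loadUserByUsername(String s) method, where s is the username
Using the username, call the DAO layer to query UserInfo and RoleInfo and obtain the user and role information
Rewrite the role names to obtain the List<SimpleGrantedAuthority> role list
Fill the username, password and role list into a User object
Sample code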

        @Override
        public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
            UserInfo userInfo = userDao.getByUsername(s);
            // The UserDetailsService contract forbids returning null for an unknown user.
            if (userInfo == null) {
                throw new UsernameNotFoundException("User not found: " + s);
            }
            List<RoleInfo> roleInfos = roleDao.getByUserId(userInfo.getId());
            // "{noop}" makes Spring Security 5 compare the stored password as plain text.
            return new User(userInfo.getUsername(), "{noop}" + userInfo.getPassword(), getAuthorities(roleInfos));
        }

        // Prefix each role name with "ROLE_" so it matches the expressions in spring-security.xml.
        private List<SimpleGrantedAuthority> getAuthorities(List<RoleInfo> roleInfos) {
            List<SimpleGrantedAuthority> list = new ArrayList<>();
            for (RoleInfo roleInfo : roleInfos) {
                list.add(new SimpleGrantedAuthority("ROLE_" + roleInfo.getRolename()));
            }
            return list;
        }
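
The service above passes the stored password to Spring Security with a {noop} prefix, while the passwordEncoder bean in spring-security.xml is not referenced by the authentication-provider. The following is an added example, not code from the original post, that runs the same login flow against BCrypt hashes instead. BcryptLoginDemo, STORED, register and login are hypothetical names, and the in-memory map stands in for the page's DAO layer.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import java.util.*;

public class BcryptLoginDemo {
    // Hypothetical stand-in for the user table: username -> stored password column (constructed data).
    static final Map<String, String> STORED = new HashMap<>();
    static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Registration: hash once and persist only the hash, never the raw password.
    static void register(String username, String rawPassword) {
        STORED.put(username, ENCODER.encode(rawPassword));
    }

    // Counterpart of loadUserByUsername: no "{noop}" prefix, unknown users raise an exception.
    static final UserDetailsService USER_SERVICE = username -> {
        String hash = STORED.get(username);
        if (hash == null) {
            throw new UsernameNotFoundException("No such user: " + username);
        }
        return new User(username, hash,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    };

    static boolean login(String username, String rawPassword) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(USER_SERVICE);
        // XML equivalent: <security:password-encoder ref="passwordEncoder"/> inside the provider
        provider.setPasswordEncoder(ENCODER);
        try {
            return provider.authenticate(
                    new UsernamePasswordAuthenticationToken(username, rawPassword)).isAuthenticated();
        } catch (BadCredentialsException e) {
            return false; // wrong password, or unknown user (reported the same way by default)
        }
    }

    public static void main(String[] args) {
        register("alice", "constructed-sample-password");
        System.out.println("stored column:    " + STORED.get("alice"));
        System.out.println("correct password: " + login("alice", "constructed-sample-password"));
        System.out.println("wrong password:   " + login("alice", "guess"));
        System.out.println("unknown user:     " + login("mallory", "guess"));
    }
}
```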

6. Using Spring Security in JSP

Use to display the username
Use <security:authorize access="hasRole('ROLE_ADMIN')"> to check the role type and render content conditionally
