初识Spring Security

Spring Security简介

Spring Security是 Spring提供的安全认证服务的框架。 使用Spring Security可以帮助我们来简化认证 和授权的过程。官网：https://spring.io/projects/spring-security

• 定义:springsecurity是一个功能强大的权限管理框架
• 认证:识别每一次请求是谁在发起
• 授权：鉴别某个功能或数据，当前用户是否有权限访问
• RBAC：Role-Based Access Control，基于角色的访问权限控制
  
• 功能
  登录
  认证
  鉴权
  登出

Maven依赖

web.xml

在web.xml中主要配置SpringMVC的DispatcherServlet和用于整合第三方框架的 DelegatingFilterProxy，用于整合Spring Security。

<filter>
    
    <filter-name>springSecurityFilterChainfilter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxyfilter-class>
filter>
<filter-mapping>
    <filter-name>springSecurityFilterChainfilter-name>
    <url-pattern>/*url-pattern>
filter-mapping>

spring-security.xml

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
						http://www.springframework.org/schema/beans/spring-beans.xsd
						http://www.springframework.org/schema/mvc
						http://www.springframework.org/schema/mvc/spring-mvc.xsd
						http://code.alibabatech.com/schema/dubbo
						http://code.alibabatech.com/schema/dubbo/dubbo.xsd
						http://www.springframework.org/schema/context
						http://www.springframework.org/schema/context/spring-context.xsd
                     http://www.springframework.org/schema/security
                     http://www.springframework.org/schema/security/spring-security.xsd">

    
    
    
    <security:http security="none" pattern="/login.html">security:http>
    <security:http security="none" pattern="/css/**">security:http>
    <security:http security="none" pattern="/img/**">security:http>
    <security:http security="none" pattern="/js/**">security:http>
    <security:http security="none" pattern="/plugins/**">security:http>
    
    <security:http auto-config="true" use-expressions="true">
        <security:headers>
            
            <security:frame-options policy="SAMEORIGIN">security:frame-options>
        security:headers>
        
        
        
        <security:intercept-url pattern="/pages/**"  access="isAuthenticated()" />
		
        
        
        
        
        

        
        
        <security:form-login
                login-page="/login.html"
                username-parameter="username"
                password-parameter="password"
                login-processing-url="/login.do"
                default-target-url="/pages/main.html"
                always-use-default-target="true"
                authentication-failure-url="/login.html"/>

        
        <security:csrf disabled="true">security:csrf>

        
        <security:logout logout-url="/logout.do"
                         logout-success-url="/login.html" invalidate-session="true"/>
    security:http>

    
    <security:authentication-manager>
        
        <security:authentication-provider user-service-ref="springSecurityUserService">
            
            
            <security:password-encoder ref="passwordEncoder"/>
        security:authentication-provider>
    security:authentication-manager>

    
    <bean id="passwordEncoder"
          class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    
    <security:global-method-security pre-post-annotations="enabled" />


beans>

SpringSecurityUserService.java

package com.itheima.service;

import com.alibaba.dubbo.config.annotation.Reference;
import com.itheima.pojo.Permission;
import com.itheima.pojo.Role;
import com.itheima.pojo.User;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

@Component
public class SpringSecurityUserService implements UserDetailsService {
    //使用dubbo通过网络远程调用服务提供方获取数据库中的用户信息
    @Reference
    private UserService userService;

    //根据用户名查询数据库获取用户信息
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userService.findByUsername(username);
        if(user == null){
            //用户名不存在
            return null;
        }

        List<GrantedAuthority> list = new ArrayList<>();

        //动态为当前用户授权
        Set<Role> roles = user.getRoles();
        for (Role role : roles) {
            //遍历角色集合，为用户授予角色
            list.add(new SimpleGrantedAuthority(role.getKeyword()));
            Set<Permission> permissions = role.getPermissions();
            for (Permission permission : permissions) {
                //遍历权限集合，为用户授权
                list.add(new SimpleGrantedAuthority(permission.getKeyword()));
            }
        }

        org.springframework.security.core.userdetails.User securityUser =
                new org.springframework.security.core.userdetails.User(username,user.getPassword(),list);
        return securityUser;
    }
}

注解方式权限控制

• 实现步骤

第一步：在spring-security.xml文件中配置组件扫描，用于扫描Controller
项目中运用了dubbo,包扫描在配置dubbo配置文件时进行批量包扫描

第二步：在spring-security.xml文件中开启权限注解支持

第三步：创建Controller类并在Controller的方法上加入注解进行权限控制
多个角色和权限用and连接