spring security使用jdbc进行权限验证

引用博文

1.配置环境

(1)引入依赖

		<dependency>
			<groupId>org.thymeleaf.extrasgroupId>
			<artifactId>thymeleaf-extras-springsecurity4artifactId>
		dependency>
		<dependency>
			<groupId>org.springframework.bootgroupId>
			<artifactId>spring-boot-starter-thymeleafartifactId>
		dependency>
		<dependency>
			<groupId>org.springframework.bootgroupId>
			<artifactId>spring-boot-starter-securityartifactId>
		dependency>

		<dependency>
			<groupId>org.springframework.bootgroupId>
			<artifactId>spring-boot-starter-jdbcartifactId>
		dependency>
(2)写配置文件
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.datasource.url=jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=utf-8&serverTimezone=GMT
spring.datasource.username=用户名
spring.datasource.password=密码

2.实体类

package com.atguigu.security.entity;

public class User {
    private int id;
    private String name;
    private String role;
    private String password;

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public User(){

    }

    public String getRole() {
        return role;
    }

    public void setRole(String role) {
        this.role = role;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public int getId() {
        return id;
    }

    public void setId(int id) {
        this.id = id;
    }
}

3.登录页面和主页


<html xmlns:th="http://www.thymeleaf.org"
	  xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title heretitle>
head>
<body>
<h1 align="center">欢迎光临武林秘籍管理系统h1>
<div sec:authorize="!isAuthenticated()">
	<h2 align="center">游客您好,如果想查看武林秘籍 <a th:href="@{/userlogin}">请登录a>h2>
div>
<div sec:authorize="isAuthenticated()">
	<h2><span sec:authentication="name">span>,您好,您的角色有:
		<span sec:authentication="principal.authorities">span>,
	h2>
	<form th:action="@{/logout}" method="post">
		<input type="submit" value="注销"/>
	form>
div>

<hr>

<div sec:authorize="hasRole('VIP1')">
	<h3>普通武功秘籍h3>
	<ul>
		<li><a th:href="@{/level1/1}">罗汉拳a>li>
		<li><a th:href="@{/level1/2}">武当长拳a>li>
		<li><a th:href="@{/level1/3}">全真剑法a>li>
	ul>

div>

<div sec:authorize="hasRole('VIP2')">
	<h3>高级武功秘籍h3>
	<ul>
		<li><a th:href="@{/level2/1}">太极拳a>li>
		<li><a th:href="@{/level2/2}">七伤拳a>li>
		<li><a th:href="@{/level2/3}">梯云纵a>li>
	ul>

div>

<div sec:authorize="hasRole('VIP3')">
	<h3>绝世武功秘籍h3>
	<ul>
		<li><a th:href="@{/level3/1}">葵花宝典a>li>
		<li><a th:href="@{/level3/2}">龟派气功a>li>
		<li><a th:href="@{/level3/3}">独孤九剑a>li>
	ul>
div>


body>
html>
--------------------------------------------------------------------------------------



<html xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>Insert title heretitle>
head>
<body>
	<h1 align="center">欢迎登陆武林秘籍管理系统h1>
	<hr>
	<div align="center">
		<form th:action="@{/userlogin}" method="post">
			用户名:<input name="user"/><br>
			密码:<input name="pwd"><br/>
			<input type="checkbox" name="remeber"> 记住我<br/>
			<input type="submit" value="登陆">
		form>
	div>
body>
html>

4.创建数据库

create database test;
use test;
CREATE TABLE `user` (
  `id` int(11) NOT NULL,
  `name` varchar(11) DEFAULT NULL,
  `role` varchar(20) NOT NULL,
  `password` varchar(20) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8
insert into user(name, password, role, id) values ("fuz","123456", "VIP1 VIP2 VIP3", 1);

5.自定义UserService进行权限的验证

package com.atguigu.security.service;

import com.atguigu.security.entity.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.BeanPropertyRowMapper;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.SqlOutParameter;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import javax.jws.WebService;
import java.util.ArrayList;
import java.util.List;

@Service
public class UserService implements UserDetailsService {

    @Autowired
    private JdbcTemplate jdbcTemplate;
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        System.out.println("进入service,用户名为 : "  + username);
        if(username == null || username == ""){
            throw new UsernameNotFoundException("请输入用户名!");
        }
        List<SimpleGrantedAuthority>list = new ArrayList<>();
        User user = jdbcTemplate.queryForObject("select * from user where name = " + "\"" + username + "\"", new BeanPropertyRowMapper<>(User.class));
        for(String s : user.getRole().split(" ")){
            s = "ROLE_" + s;
            list.add(new SimpleGrantedAuthority(s));        //由于不可能是空的(数据库中必须字段)
            System.out.println(s);
        }
        return new org.springframework.security.core.userdetails.User(user.getName(), user.getPassword(), list);
    }



}

由于sercurity默认的role格式是ROLE_ + role,所以此处扩展,而不用保存在数据库中

6.进行Security的配置

package com.atguigu.security.config;

import com.atguigu.security.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.jms.JmsProperties;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Service;

import javax.annotation.Resource;

@EnableWebSecurity//不用使用@Configration了已经继承了
public class MySecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private JdbcTemplate jdbcTemplate;

    @Resource
    private UserService userService;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                    .antMatchers("/").permitAll()
                    .antMatchers("/level1/**").hasRole("VIP1")
                    .antMatchers("/level2/**").hasRole("VIP2")
                    .antMatchers("level3/**").hasRole("VIP3")
                    .and()
                .formLogin()
                    .usernameParameter("user").passwordParameter("pwd")
                    .loginPage("/userlogin")
                    .and()
                .logout().logoutSuccessUrl("/")
                    .and()
                .rememberMe()
                    .rememberMeParameter("remeber")
        ;
    }

    //定义认证规则
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
      auth.userDetailsService(userService);
    }
}

loginPage("").应该放在userParameter等之后,否则有可能重定向太多次。
http定制login,使用get请求自动跳转到定制登录页面,post请求自动进行验证(爽歪歪)

7.控制层

package com.atguigu.security.controller;

import com.sun.org.glassfish.gmbal.ParameterNames;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;

@Controller
public class KungfuController {
	private final String PREFIX = "pages/";
	/**
	 * 欢迎页
	 * @return
	 */
	@GetMapping("/")
	public String index() {
		return "welcome";
	}
	
	/**
	 * 登陆页
	 * @return
	 */
	@GetMapping("/userlogin")
	public String loginPage(){
		return PREFIX+"login";
	}
	
	
	/**
	 * level1页面映射
	 * @param path
	 * @return
	 */
	@GetMapping("/level1/{path}")
	public String level1(@PathVariable("path")String path) {
		return PREFIX+"level1/"+path;
	}
	
	/**
	 * level2页面映射
	 * @param path
	 * @return
	 */
	@GetMapping("/level2/{path}")
	public String level2(@PathVariable("path")String path) {
		return PREFIX+"level2/"+path;
	}
	
	/**
	 * level3页面映射
	 * @param path
	 * @return
	 */
	@GetMapping("/level3/{path}")
	public String level3(@PathVariable("path")String path) {
		return PREFIX+"level3/"+path;
	}


}

你可能感兴趣的:(后台)