• 数据后台管理(四)权限控制


    当我们在管理后台数据的时候需要对管理者的身份进行认证和授权,在该项目中用到的安全认证服务框架是Spring Security。

    1.Spring Security的简单入门

    通过一个spring security的入门案例来了解使用该框架的基本步骤。

    1.1使用IDEA新建一个webapp的maven工程,在pom.xml文件中引入spring security框架的相关坐标。

     1 <?xml version="1.0" encoding="UTF-8"?>
     2 
     3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     4   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     5   <modelVersion>4.0.0</modelVersion>
     6 
     7   <groupId>club.nipengfei</groupId>
     8   <artifactId>spring_security_rumeng</artifactId>
     9   <version>1.0-SNAPSHOT</version>
    10   <packaging>war</packaging>
    11 
    12   <name>spring_security_rumeng Maven Webapp</name>
    13   <!-- FIXME change it to the project's website -->
    14   <url>http://www.example.com</url>
    15 
    16   <properties>
    17     <spring.version>5.0.2.RELEASE</spring.version>
    18     <spring.security.version>5.0.1.RELEASE</spring.security.version>
    19   </properties>
    20 
    21   <dependencies>
    22     <dependency>
    23       <groupId>org.springframework</groupId>
    24       <artifactId>spring-core</artifactId>
    25       <version>${spring.version}</version>
    26     </dependency>
    27     <dependency>
    28       <groupId>org.springframework</groupId>
    29       <artifactId>spring-web</artifactId>
    30       <version>${spring.version}</version>
    31     </dependency>
    32     <dependency>
    33       <groupId>org.springframework</groupId>
    34       <artifactId>spring-webmvc</artifactId>
    35       <version>${spring.version}</version>
    36     </dependency>
    37     <dependency>
    38       <groupId>org.springframework</groupId>
    39       <artifactId>spring-context-support</artifactId>
    40       <version>${spring.version}</version>
    41     </dependency>
    42     <dependency>
    43       <groupId>org.springframework</groupId>
    44       <artifactId>spring-test</artifactId>
    45       <version>${spring.version}</version>
    46     </dependency>
    47     <dependency>
    48       <groupId>org.springframework</groupId>
    49       <artifactId>spring-jdbc</artifactId>
    50       <version>${spring.version}</version>
    51     </dependency>
    52 
    53     <dependency>
    54       <groupId>org.springframework.security</groupId>
    55       <artifactId>spring-security-web</artifactId>
    56       <version>${spring.security.version}</version>
    57     </dependency>
    58     <dependency>
    59       <groupId>org.springframework.security</groupId>
    60       <artifactId>spring-security-config</artifactId>
    61       <version>${spring.security.version}</version>
    62     </dependency>
    63     <dependency>
    64       <groupId>javax.servlet</groupId>
    65       <artifactId>javax.servlet-api</artifactId>
    66       <version>3.1.0</version>
    67       <scope>provided</scope>
    68     </dependency>
    69   </dependencies>
    70   <build>
    71     <plugins>
    72       <!-- java编译插件 -->
    73       <plugin>
    74         <groupId>org.apache.maven.plugins</groupId>
    75         <artifactId>maven-compiler-plugin</artifactId>
    76         <version>3.2</version>
    77         <configuration>
    78           <source>1.8</source>
    79           <target>1.8</target>
    80           <encoding>UTF-8</encoding>
    81         </configuration>
    82       </plugin>
    83       <plugin>
    84         <groupId>org.apache.tomcat.maven</groupId>
    85         <artifactId>tomcat7-maven-plugin</artifactId>
    86         <configuration>
    87           <!-- 指定端口 -->
    88           <port>8090</port>
    89           <!-- 请求路径 -->
    90           <path>/</path>
    91         </configuration>
    92       </plugin>
    93     </plugins>
    94   </build>
    95 </project>

    1.2在web.xml中配置一个spring security的过滤器和引入spring security的核心配置文件。

     1 <?xml version="1.0" encoding="UTF-8"?>
     2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     3          xmlns="http://java.sun.com/xml/ns/javaee"
     4          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
     5          version="2.5">
     6   <display-name>SpringSecurity314</display-name>
     7 
     8   <context-param>
     9     <param-name>contextConfigLocation</param-name>
    10     <param-value>classpath:spring-security.xml</param-value>
    11   </context-param>
    12   <listener>
    13     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    14   </listener>
    15   <filter>
    16     <filter-name>springSecurityFilterChain</filter-name>
    17     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    18   </filter>
    19   <filter-mapping>
    20     <filter-name>springSecurityFilterChain</filter-name>
    21     <url-pattern>/*</url-pattern>
    22   </filter-mapping>
    23   <welcome-file-list>
    24     <welcome-file>index.html</welcome-file>
    25     <welcome-file>index.htm</welcome-file>
    26     <welcome-file>index.jsp</welcome-file>
    27     <welcome-file>default.html</welcome-file>
    28     <welcome-file>default.htm</welcome-file>
    29     <welcome-file>default.jsp</welcome-file>
    30   </welcome-file-list>
    31 </web-app>

    1.3在resource资源路径下新建一个该框架的核心配置文件spring-security.xml

     1 <?xml version="1.0" encoding="UTF-8"?>
     2 <beans xmlns="http://www.springframework.org/schema/beans"
     3        xmlns:security="http://www.springframework.org/schema/security"
     4        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     5        xsi:schemaLocation="http://www.springframework.org/schema/beans
     6 http://www.springframework.org/schema/beans/spring-beans.xsd
     7 http://www.springframework.org/schema/security
     8 http://www.springframework.org/schema/security/spring-security.xsd">
     9     <security:http auto-config="true" use-expressions="false">
    10         <!-- intercept-url定义一个过滤规则 pattern表示对哪些url进行权限控制,ccess属性表示在请求对应
    11         的URL时需要什么权限,
    12         默认配置时它应该是一个以逗号分隔的角色列表,请求的用户只需拥有其中的一个角色就能成功访问对应
    13         的URL -->
    14         <security:intercept-url pattern="/**" access="ROLE_USER" />
    15         <!-- auto-config配置后,不需要在配置下面信息 <security:form-login /> 定义登录表单信息
    16         <security:http-basic
    17         /> <security:logout /> -->
    18     </security:http>
    19     <security:authentication-manager>
    20         <security:authentication-provider>
    21             <security:user-service>
    22                 <security:user name="user" password="{noop}user"
    23                                authorities="ROLE_USER" />
    24                 <security:user name="admin" password="{noop}admin"
    25                                authorities="ROLE_ADMIN" />
    26             </security:user-service>
    27         </security:authentication-provider>
    28     </security:authentication-manager>
    29 </beans>

    1.4入门案例总结

    启动该入门案例发现直接跳转到了登录页面,但是我们并没有写有关登录的页面,这个页面是该框架本身自己的。

    因为在核心配置文件中有<security:http auto-config="true" use-expressions="false">开启spring security的默认的配置,当然也可以自定义登录页面。

    当我们随意输入一个用户名"npf"和密码"1233"(配置文件中没有该用户名密码)时会出现如下提示

    当我们输入用户名"admin"密码"admin"(配置文件中有该用户名密码但该角色不符合要求)时会出现如下提示,该提示表示权限不足。

    当我们输入用户名"user"密码"user"时能够正常访问到index.jsp页面

    上述简单入门案例存在明显不足之处,需要改进。

    1. 登录页面太简陋需要自定义
    2. 登录的账号一般在数据库中而不是在配置文件中

    2.spring security在数据后台管理中的使用

    为了确保数据的安全,在管理数据过程中需要对管理者的身份进行验证,并且让不同的管理者有不同的操作权限。

    2.1与入门案例相似,在pom.xml文件中引入相应坐标,并在web.xml中配置一个spring security的过滤器和引入spring security的核心配置文件。

      1 <?xml version="1.0" encoding="UTF-8"?>
      2 
      3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      4   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
      5   <modelVersion>4.0.0</modelVersion>
      6 
      7   <groupId>club.nipengfei</groupId>
      8   <artifactId>ssm5</artifactId>
      9   <version>1.0-SNAPSHOT</version>
     10   <packaging>war</packaging>
     11 
     12   <name>ssm5 Maven Webapp</name>
     13   <!-- FIXME change it to the project's website -->
     14   <url>http://www.example.com</url>
     15 
     16   <properties>
     17     <spring.version>5.0.2.RELEASE</spring.version>
     18     <slf4j.version>1.6.6</slf4j.version>
     19     <log4j.version>1.2.12</log4j.version>
     20     <mysql.version>5.1.6</mysql.version>
     21     <mybatis.version>3.4.5</mybatis.version>
     22     <spring.security.version>5.0.1.RELEASE</spring.security.version>
     23   </properties>
     24   <dependencies>
     25     <!-- spring -->
     26     <dependency>
     27       <groupId>org.aspectj</groupId>
     28       <artifactId>aspectjweaver</artifactId>
     29       <version>1.6.8</version>
     30     </dependency>
     31     <dependency>
     32       <groupId>org.springframework</groupId>
     33       <artifactId>spring-aop</artifactId>
     34       <version>${spring.version}</version>
     35     </dependency>
     36     <dependency>
     37       <groupId>org.springframework</groupId>
     38       <artifactId>spring-context</artifactId>
     39       <version>${spring.version}</version>
     40     </dependency>
     41     <dependency>
     42       <groupId>org.springframework</groupId>
     43       <artifactId>spring-web</artifactId>
     44       <version>${spring.version}</version>
     45     </dependency>
     46     <dependency>
     47       <groupId>org.springframework</groupId>
     48       <artifactId>spring-webmvc</artifactId>
     49       <version>${spring.version}</version>
     50     </dependency>
     51     <dependency>
     52       <groupId>org.springframework</groupId>
     53       <artifactId>spring-test</artifactId>
     54       <version>${spring.version}</version>
     55     </dependency>
     56     <dependency>
     57       <groupId>org.springframework</groupId>
     58       <artifactId>spring-tx</artifactId>
     59       <version>${spring.version}</version>
     60     </dependency>
     61     <dependency>
     62       <groupId>org.springframework</groupId>
     63       <artifactId>spring-jdbc</artifactId>
     64       <version>${spring.version}</version>
     65     </dependency>
     66     <dependency>
     67       <groupId>junit</groupId>
     68       <artifactId>junit</artifactId>
     69       <version>4.12</version>
     70       <scope>compile</scope>
     71     </dependency>
     72     <dependency>
     73       <groupId>mysql</groupId>
     74       <artifactId>mysql-connector-java</artifactId>
     75       <version>${mysql.version}</version>
     76     </dependency>
     77     <dependency>
     78       <groupId>javax.servlet</groupId>
     79       <artifactId>servlet-api</artifactId>
     80       <version>2.5</version>
     81       <scope>provided</scope>
     82     </dependency>
     83     <dependency>
     84       <groupId>javax.servlet.jsp</groupId>
     85       <artifactId>jsp-api</artifactId>
     86       <version>2.0</version>
     87       <scope>provided</scope>
     88     </dependency>
     89     <dependency>
     90       <groupId>jstl</groupId>
     91       <artifactId>jstl</artifactId>
     92       <version>1.2</version>
     93     </dependency>
     94     <!-- log start -->
     95     <dependency>
     96       <groupId>log4j</groupId>
     97       <artifactId>log4j</artifactId>
     98       <version>${log4j.version}</version>
     99     </dependency>
    100     <dependency>
    101       <groupId>org.slf4j</groupId>
    102       <artifactId>slf4j-api</artifactId>
    103       <version>${slf4j.version}</version>
    104     </dependency>
    105     <dependency>
    106       <groupId>org.slf4j</groupId>
    107       <artifactId>slf4j-log4j12</artifactId>
    108       <version>${slf4j.version}</version>
    109     </dependency>
    110     <!-- log end -->
    111     <dependency>
    112       <groupId>org.mybatis</groupId>
    113       <artifactId>mybatis</artifactId>
    114       <version>${mybatis.version}</version>
    115     </dependency>
    116     <dependency>
    117       <groupId>org.mybatis</groupId>
    118       <artifactId>mybatis-spring</artifactId>
    119       <version>1.3.0</version>
    120     </dependency>
    121     <dependency>
    122       <groupId>c3p0</groupId>
    123       <artifactId>c3p0</artifactId>
    124       <version>0.9.1.2</version>
    125       <type>jar</type>
    126       <scope>compile</scope>
    127     </dependency>
    128     <dependency>
    129       <groupId>com.github.pagehelper</groupId>
    130       <artifactId>pagehelper</artifactId>
    131       <version>5.1.2</version>
    132     </dependency>
    133     <dependency>
    134       <groupId>org.springframework.security</groupId>
    135       <artifactId>spring-security-web</artifactId>
    136       <version>${spring.security.version}</version>
    137     </dependency>
    138     <dependency>
    139       <groupId>org.springframework.security</groupId>
    140       <artifactId>spring-security-config</artifactId>
    141       <version>${spring.security.version}</version>
    142     </dependency>
    143     <dependency>
    144       <groupId>org.springframework.security</groupId>
    145       <artifactId>spring-security-core</artifactId>
    146       <version>${spring.security.version}</version>
    147     </dependency>
    148     <dependency>
    149       <groupId>org.springframework.security</groupId>
    150       <artifactId>spring-security-taglibs</artifactId>
    151       <version>${spring.security.version}</version>
    152     </dependency>
    153 
    154     <dependency>
    155       <groupId>mysql</groupId>
    156       <artifactId>mysql-connector-java</artifactId>
    157       <version>${mysql.version}</version>
    158     </dependency>
    159 
    160     <dependency>
    161       <groupId>javax.annotation</groupId>
    162       <artifactId>jsr250-api</artifactId>
    163       <version>1.0</version>
    164     </dependency>
    165 
    166   </dependencies>
    167 
    168   <build>
    169     <finalName>ssm5</finalName>
    170     <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
    171       <plugins>
    172         <plugin>
    173           <artifactId>maven-clean-plugin</artifactId>
    174           <version>3.1.0</version>
    175         </plugin>
    176         <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
    177         <plugin>
    178           <artifactId>maven-resources-plugin</artifactId>
    179           <version>3.0.2</version>
    180         </plugin>
    181         <plugin>
    182           <artifactId>maven-compiler-plugin</artifactId>
    183           <version>3.8.0</version>
    184         </plugin>
    185         <plugin>
    186           <artifactId>maven-surefire-plugin</artifactId>
    187           <version>2.22.1</version>
    188         </plugin>
    189         <plugin>
    190           <artifactId>maven-war-plugin</artifactId>
    191           <version>3.2.2</version>
    192         </plugin>
    193         <plugin>
    194           <artifactId>maven-install-plugin</artifactId>
    195           <version>2.5.2</version>
    196         </plugin>
    197         <plugin>
    198           <artifactId>maven-deploy-plugin</artifactId>
    199           <version>2.8.2</version>
    200         </plugin>
    201       </plugins>
    202     </pluginManagement>
    203   </build>
    204 </project>
    pom.xml
     1 <?xml version="1.0" encoding="UTF-8"?>
     2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     3          xmlns="http://xmlns.jcp.org/xml/ns/javaee"
     4          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
     5          version="3.1">
     6 
     7     <display-name>Archetype Created web Application</display-name>
     8     <!--配置监听器,默认只加载WEB-INF目录下的applicationContext.xml配置文件-->
     9     <listener>
    10         <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    11     </listener>
    12     <!--设置配置文件路径-->
    13     <context-param>
    14         <param-name>contextConfigLocation</param-name>
    15         <param-value>classpath*:applicationContext.xml,classpath*:spring-security.xml</param-value>
    16     </context-param>
    17     <!--配置前端控制器-->
    18     <servlet>
    19         <servlet-name>dispatcherServlet</servlet-name>
    20         <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    21         <!--加载springmvc.xml配置文件-->
    22         <init-param>
    23             <param-name>contextConfigLocation</param-name>
    24             <param-value>classpath:springmvc.xml</param-value>
    25         </init-param>
    26         <!--启动服务器,创建servlet-->
    27         <load-on-startup>1</load-on-startup>
    28     </servlet>
    29     <servlet-mapping>
    30         <servlet-name>dispatcherServlet</servlet-name>
    31         <url-pattern>*.do</url-pattern>
    32     </servlet-mapping>
    33 
    34     <!--解决中文乱码过滤器-->
    35     <filter>
    36         <filter-name>characterEncodingFilter</filter-name>
    37         <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    38         <init-param>
    39             <param-name>encoding</param-name>
    40             <param-value>UTF-8</param-value>
    41         </init-param>
    42     </filter>
    43     <filter-mapping>
    44         <filter-name>characterEncodingFilter</filter-name>
    45         <url-pattern>/*</url-pattern>
    46     </filter-mapping>
    47 
    48     <!--spring security的过滤器-->
    49     <filter>
    50         <filter-name>springSecurityFilterChain</filter-name>
    51         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    52     </filter>
    53     <filter-mapping>
    54         <filter-name>springSecurityFilterChain</filter-name>
    55         <url-pattern>/*</url-pattern>
    56     </filter-mapping>
    57 
    58     <welcome-file-list>
    59         <welcome-file>index.html</welcome-file>
    60         <welcome-file>index.htm</welcome-file>
    61         <welcome-file>index.jsp</welcome-file>
    62         <welcome-file>default.html</welcome-file>
    63         <welcome-file>default.htm</welcome-file>
    64         <welcome-file>default.jsp</welcome-file>
    65     </welcome-file-list>
    66 </web-app>
    web.xml

    2.2配置spring security的核心配置文件

    与入门案例相比,这里配置了不拦截的资源,自定义了登录页面,实现了退出操作,将原先定义在配置页面中的登录用户名和密码切换成在数据库中。

     1 <?xml version="1.0" encoding="UTF-8"?>
     2 <beans xmlns="http://www.springframework.org/schema/beans"
     3        xmlns:security="http://www.springframework.org/schema/security"
     4        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     5        xsi:schemaLocation="http://www.springframework.org/schema/beans
     6     http://www.springframework.org/schema/beans/spring-beans.xsd
     7     http://www.springframework.org/schema/security
     8     http://www.springframework.org/schema/security/spring-security.xsd">
     9 
    10     <!-- 配置不拦截的资源 -->
    11     <security:http pattern="/login.jsp" security="none"/>
    12     <security:http pattern="/failer.jsp" security="none"/>
    13     <security:http pattern="/css/**" security="none"/>
    14     <security:http pattern="/img/**" security="none"/>
    15     <security:http pattern="/plugins/**" security="none"/>
    16 
    17     <!--
    18         配置具体的规则
    19         auto-config="true"    不用自己编写登录的页面,框架提供默认登录页面
    20         use-expressions="false"    是否使用SPEL表达式(没学习过)
    21     -->
    22     <security:http auto-config="true" use-expressions="true">
    23         <!-- 配置具体的拦截的规则 pattern="请求路径的规则" access="访问系统的人,必须有ROLE_USER的角色" -->
    24         <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
    25 
    26         <!-- 定义跳转的具体的页面 -->
    27         <security:form-login
    28                 login-page="/login.jsp"
    29                 login-processing-url="/login.do"
    30                 default-target-url="/index.jsp"
    31                 authentication-failure-url="/failer.jsp"
    32                 authentication-success-forward-url="/pages/main.jsp"
    33         />
    34 
    35         <!-- 关闭跨域请求 -->
    36         <security:csrf disabled="true"/>
    37 
    38         <!-- 退出 -->
    39         <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp" />
    40 
    41     </security:http>
    42 
    43     <!-- 切换成数据库中的用户名和密码 -->
    44     <security:authentication-manager>
    45         <security:authentication-provider user-service-ref="userService">
    46             <!-- 配置加密的方式 -->
    47             <security:password-encoder ref="passwordEncoder"/>
    48         </security:authentication-provider>
    49     </security:authentication-manager>
    50 
    51     <!-- 配置加密类 -->
    52     <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
    53 
    54 </beans>

    2.3使用数据库完成用户登录流程

    下面是使用数据库完成认证操作的流程图

     

    在Spring Security中如果想要使用数据进行认证操作,有很多种操作方式,这里我们介绍使用UserDetails、UserDetailsService来完成操作。

    IUserService接口继承了UserDetailsService类,UserServiceImpl类实现了IUserService接口。

    UserDetailsService 接口内有一个loadUserByUsername方法,返回的是UserDetails。

     1 public interface UserDetailsService {
     2     // ~ Methods
     3     // ========================================================================================================
     4 
     5     /**
     6      * Locates the user based on the username. In the actual implementation, the search
     7      * may possibly be case sensitive, or case insensitive depending on how the
     8      * implementation instance is configured. In this case, the <code>UserDetails</code>
     9      * object that comes back may have a username that is of a different case than what
    10      * was actually requested..
    11      *
    12      * @param username the username identifying the user whose data is required.
    13      *
    14      * @return a fully populated user record (never <code>null</code>)
    15      *
    16      * @throws UsernameNotFoundException if the user could not be found or the user has no
    17      * GrantedAuthority
    18      */
    19     UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
    20 }

     根据spring-security的核心配置文件,需要将UserServiceImpl类命名为"userService",并实现loadUserByUsername方法。

     loadUserByUsername方法根据用户名从数据库中查询用户信息UserInfo,并将UserInfo的用户名,密码和角色信息作为User的构造参数。

     1 package club.nipengfei.service.impl;
     2 
     3 import club.nipengfei.dao.IUserDao;
     4 import club.nipengfei.domain.Role;
     5 import club.nipengfei.domain.UserInfo;
     6 import club.nipengfei.service.IUserService;
     7 import org.springframework.beans.factory.annotation.Autowired;
     8 import org.springframework.security.core.authority.SimpleGrantedAuthority;
     9 import org.springframework.security.core.userdetails.User;
    10 import org.springframework.security.core.userdetails.UserDetails;
    11 import org.springframework.security.core.userdetails.UsernameNotFoundException;
    12 import org.springframework.stereotype.Service;
    13 import org.springframework.transaction.annotation.Transactional;
    14 
    15 import java.util.ArrayList;
    16 import java.util.Collection;
    17 import java.util.List;
    18 
    19 @Service("userService")
    20 @Transactional
    21 public class UserServiceImpl implements IUserService {
    22 
    23     @Autowired
    24     private IUserDao userDao;
    25 
    26     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    27         UserInfo userInfo = null;
    28         try {
    29             userInfo = userDao.findByUsername(username);31         } catch (Exception e) {
    32             e.printStackTrace();
    33         }
    34         // 处理自己的用户对象分装成UserDetails
    35         // 该spring security的User实现了UserDetails
    36         User user = new User(userInfo.getUsername(),userInfo.getPassword(),getAuthority(userInfo.getRoles()));38         return user;
    39     }
    40 
    41     public List<SimpleGrantedAuthority> getAuthority(List<Role> roles) {
    42         List<SimpleGrantedAuthority> list = new ArrayList<SimpleGrantedAuthority>();
    43         for (Role role:roles){
    44             list.add(new SimpleGrantedAuthority("ROLE_"+role.getRoleName()));
    45         }
    46         return list;
    47     }
    48 }

     接口UserDetails,封装了当前认证用户的信息,但由于是一个接口,我们可以对其实现,也可以使用spring security提供的UserDetails实现类User完成操作

    1 public interface UserDetails extends Serializable {
    2     Collection<? extends GrantedAuthority> getAuthorities();
    3     String getPassword();
    4     String getUsername();
    5     boolean isAccountNonExpired();
    6     boolean isAccountNonLocked();
    7     boolean isCredentialsNonExpired();
    8     boolean isEnabled();
    9 }
    1 public class User implements UserDetails, CredentialsContainer {
    2     private String password;
    3     private final String username;
    4     private final Set<GrantedAuthority> authorities;
    5     private final boolean accountNonExpired; //帐户是否过期
    6     private final boolean accountNonLocked; //帐户是否锁定
    7     private final boolean credentialsNonExpired; //认证是否过期
    8     private final boolean enabled; //帐户是否可用
    9

     下面是根据用户名查询用户信息的IUserDao接口

     1 package club.nipengfei.dao;
     2 
     3 import club.nipengfei.domain.UserInfo;
     4 import org.apache.ibatis.annotations.Many;
     5 import org.apache.ibatis.annotations.Result;
     6 import org.apache.ibatis.annotations.Results;
     7 import org.apache.ibatis.annotations.Select;
     8 
     9 public interface IUserDao {
    10 
    11     @Select("select * from users where username=#{username}")
    12     @Results({
    13             @Result(id = true,property = "id",column = "id"),
    14             @Result(property = "username",column = "username"),
    15             @Result(property = "email",column = "email"),
    16             @Result(property = "password",column = "password"),
    17             @Result(property = "phoneNum",column = "phoneNum"),
    18             @Result(property = "status",column = "status"),
    19             @Result(property = "roles",column = "id",javaType = java.util.List.class,many = @Many(select = "club.nipengfei.dao.IRoleDao.findRoleByUserId"))
    20     })
    21     public UserInfo findByUsername(String username) throws Exception;
    22 }

     2.4使用spring security完成权限控制(JSR-250注解)

    不同的用户有不同的角色,根据角色使用户有不同的权限。在服务器端我们可以通过Spring security提供的注解对方法来进行权限控制。Spring Security在方法的权限控制上支持三种类型的注解,JSR-250注解、@Secured注解和支持表达式的注解,这三种注解默认都是没有启用的,需要单独通过global-method-security元素的对应属性进行启用

    下面使用JSR-250注解完成权限控制:

    需要在security-security.xml中开启权限,并且在pom.xml引入坐标

    <security:global-method-security jsr250-annotations="enabled"></security:global-method-security>
    <dependency>
            <groupId>javax.annotation</groupId>
            <artifactId>jsr250-api</artifactId>
            <version>1.0</version>
     </dependency>
    1. @RolesAllowed表示访问对应方法时所应该具有的角色
    2. @PermitAll表示允许所有的角色进行访问,也就是说不进行权限控制
    3. @DenyAll是和PermitAll相反的,表示无论什么角色都不能访问

     示例:

    @RolesAllowed({"USER", "ADMIN"}) 该方法只要具有"USER", "ADMIN"任意一种权限就可以访问。这里可以省略前缀ROLE_,实际的权限可能是ROLE_ADMIN

     2.5使用spring security完成权限控制(@Secured注解)

     与上面的类似,少一步pom.xml坐标引入,因为该注解是spring security本身提供的。

  • 相关阅读:
    E: 未发现软件包 install_flash_player_11_linux.x86_64.tar.gz
    E: 无法获得锁 /var/lib/apt/lists/lock
    axis1.4与myeclipse开发webservice
    WSDLToJava Error: Rpc/encoded wsdls are not supported with CXF
    org.hibernate.MappingException
    JavaScript控制输入框只能输入非负正整数
    JavaScript控制输入框中只能输入中文、数字和英文
    java.lang.ClassCastException:java.math.BigDecimal cannot be cast to java.lang.String
    更改现有索引的表空间
    Ping 1000个包看丢跑率
  • 原文地址:https://www.cnblogs.com/qzwl/p/11641497.html
Copyright © 2020-2023  润新知