品优购商城项目（三）安全框架SpringSecurity

品优购商城项目第三阶段

1、springSecurity的基本用法与shiro类似。

2、BCrypt加密算法比MD5更加智能和安全，能自动加盐再加密，生成的密码是60位比md5的32位更占空间（可以忽略不计），由于密码长度增加安全系数更高，且盐不是明文由算法自动生成和解析，用户不需要关心。

3、set的使用，在下面这个引用类中用注解@Resource@Autowired报错，后在类中用set方法成功

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
          xmlns:beans="http://www.springframework.org/schema/beans"
          xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                  http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd
                  http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

   <!-- 设置页面不登陆也可以访问 -->
   <http pattern="/*.html" security="none"></http>
   <http pattern="/css/**" security="none"></http>
   <http pattern="/img/**" security="none"></http>
   <http pattern="/js/**" security="none"></http>
   <http pattern="/plugins/**" security="none"></http>
   <http pattern="/seller/add.do" security="none"></http>

   <!-- 页面的拦截规则    use-expressions:是否启动SPEL表达式 默认是true -->
   <http use-expressions="false">
      <!-- 当前用户必须有ROLE_USER的角色 才可以访问根目录及所属子目录的资源 -->
      <intercept-url pattern="/**" access="ROLE_SELLER"/>
      <!-- 开启表单登陆功能 -->
      <form-login  login-page="/shoplogin.html" default-target-url="/admin/index.html" authentication-failure-url="/shoplogin.html" always-use-default-target="true"/>
      <csrf disabled="true"/>
      <headers>
         <frame-options policy="SAMEORIGIN"/>
      </headers>
      <logout/>
   </http>

   <!-- 认证管理器 BCrypt加密-->
   <authentication-manager>
      <authentication-provider user-service-ref="userDetailService">
         <password-encoder ref="bcryptEncoder"></password-encoder>
      </authentication-provider>
   </authentication-manager>

   <!-- 认证类 -->
   <beans:bean id="userDetailService" class="smallshop.shop.service.UserDetailsServiceImpl">
      <beans:property name="sellerService" ref="sellerService"></beans:property>
   </beans:bean>

   <!-- 引用dubbo 服务 -->
   <dubbo:application name="smallshop_shop_web" />
   <dubbo:registry address="zookeeper://127.0.0.1:2181"/>
   <dubbo:reference id="sellerService" interface="goods.service.SellerService"></dubbo:reference>

   <!--BCrypt加密-->
   <beans:bean id="bcryptEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"></beans:bean>
</beans:beans>

**
 * 认证类
 * @author Administrator
 *
 */
public class UserDetailsServiceImpl implements UserDetailsService {

    private SellerService sellerService;

    //这里手动set，用注解注入会报错
    public void setSellerService(SellerService sellerService) {
        this.sellerService = sellerService;
    }

 
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        System.out.println("经过了UserDetailsServiceImpl");

        //构建角色列表
        List<GrantedAuthority> grantAuths=new ArrayList();
        grantAuths.add(new SimpleGrantedAuthority("ROLE_SELLER"));

        //得到商家对象
        TbSeller seller = sellerService.findOne(username);

        if(seller!=null){
            if(seller.getStatus().equals("1")){
                return new User(username,seller.getPassword(),grantAuths);
            }else{
                return null;
            }           
        }else{
            return null;
        }
    }

}