Spring Security入门三
程序员文章站
2024-03-19 15:37:10
...
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
">
<!--配置spring security注解-->
<security:global-method-security pre-post-annotations="enabled"/>
<!--1.配置不需要授权访问的资源-->
<security:http auto-config="true" pattern="/favicon.ioc"/>
<security:http auto-config="true" pattern="/login.jsp"/>
<security:http auto-config="true" pattern="/login-fail.jsp"/>
<security:http auto-config="true" pattern="/auth-fail.jsp"/>
<!--2.配置需要授权访问的资源和访问角色权限-->
<security:http auto-config="true" use-expressions="true">
<!--配置三种角色,都可以访问的资源-->
<security:intercept-url pattern="/main.jsp" access="hasAnyRole('ROLE_ADMIN', 'ROLE_READER','ROLE_OMS')"/>
<!--配置拥有ROLE_READER角色 ,可以访问的资源-->
<security:intercept-url pattern="/pages/checkitem.html" access="hasRole('ROLE_READER')"/>
<!--配置用于ROLE_OMS角色,可以访问的资源-->
<security:intercept-url pattern="/pages/checkgroup.html" access="hasRole('ROLE_OMS')"/>
<!--配置拥有对应权限, 可以访问的资源-->
<security:intercept-url pattern="/test/addData.do" access="hasAuthority('add')"/>
<security:intercept-url pattern="/test/updateData.do" access="hasAuthority('update')"/>
<security:intercept-url pattern="/test/delData.do" access="hasAuthority('delete')"/>
<security:intercept-url pattern="/test/findData.do" access="hasAuthority('find')"/>
<!--自定义登陆配置-->
<security:form-login
login-page="/login.jsp"
default-target-url="/main.jsp"
login-processing-url="/login.do"
authentication-failure-url="/login-fail.jsp"/>
<!--授权失败跳转-->
<security:access-denied-handler error-page="/auth-fail.jsp"/>
<!--csrf:对应CsrfFilter过滤器 disabled:如果使用自定义登录页面需要关闭此项,否则登录操作会被禁用(403) -->
<security:csrf disabled="true"/>
<!--配置退出-->
<security:logout
logout-url="/logout.do"
logout-success-url="/login.jsp"
invalidate-session="true"/>
</security:http>
<!--3.配置认证授权管理器(认证管理者、认证提供者、认证对象-->
<security:authentication-manager>
<!--authentication-provider:认证提供者,执行具体的认证逻辑-->
<security:authentication-provider user-service-ref="securityUserDetailsService">
<!--配置秘密-->
<security:password-encoder ref="passwordEncoder"/>
</security:authentication-provider>
</security:authentication-manager>
<!--配置自定义授权服务对象-->
<bean id="securityUserDetailsService" class="com.hgd.spring.security.SecurityUserDetailsService"/>
<!--配置BCrypt密码加密对象-->
<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</beans>
spring-mvc.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<!--扫描包-->
<context:component-scan base-package="com.hgd.spring.security"/>
<context:component-scan base-package="com.hgd.spring.controller"/>
<!--开启springmvc注解-->
<mvc:annotation-driven/>
</beans>
TestSecurityController.java
package com.hgd.spring.controller;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("/test")
public class TestSecurityController {
@PreAuthorize("hasAuthority('add')")
@RequestMapping("/addData")
public String addData(){
return "add ok";
}
@PreAuthorize("hasAuthority('update')")
@RequestMapping("/updateData")
public String updateData(){
return "update ok";
}
@PreAuthorize("hasAuthority('delete')")
@RequestMapping("/delData")
public String deleteData(){
return "delete ok";
}
@PreAuthorize("hasAuthority('find')")
@RequestMapping("/findData")
public String findAll(){
return "find ok";
}
}
SecurityUserDetailsService.java
package com.hgd.spring.security;
import com.hgd.health.pojo.Permission;
import com.hgd.health.pojo.Role;
import com.hgd.health.pojo.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* @auther 黄国栋
* @data 2020-07-09 16:13
* @since
*/
public class SecurityUserDetailsService implements UserDetailsService {
//注入加密对象
@Autowired
private BCryptPasswordEncoder passwordEncoder;
private static Map<String, User> userDb=new HashMap<String, User>();
static{
//admin
User userAdmin=new User();
userAdmin.setUsername("admin");
userAdmin.setPassword("123456");
//用户权限和角色
Role roleAdmin=new Role("系统管理员","ROLE_ADMIN");
roleAdmin.getPermissions().add(new Permission("添加权限", "add"));
roleAdmin.getPermissions().add(new Permission("删除权限", "delete"));
roleAdmin.getPermissions().add(new Permission("修改权限", "update"));
roleAdmin.getPermissions().add(new Permission("查询权限", "find"));
userAdmin.getRoles().add(roleAdmin);
userDb.put(userAdmin.getUsername(), userAdmin);
//zhangsan
User userZhangSan=new User();
userZhangSan.setUsername("zhangsan");
userZhangSan.setPassword("123456");
//用户权限和角色
Role roleZhangSan=new Role("数据分析员","ROLE_READER");
roleZhangSan.getPermissions().add(new Permission("查询权限", "find"));
userZhangSan.getRoles().add(roleZhangSan);
userDb.put(userZhangSan.getUsername(), userZhangSan);
//lisi
User userLisi=new User();
userLisi.setUsername("lisi");
userLisi.setPassword("123456");
//用户权限和角色
Role roleLisi=new Role("运营管理员", "ROLE_OMS");
roleLisi.getPermissions().add(new Permission("添加权限", "add"));
roleLisi.getPermissions().add(new Permission("删除权限", "delete"));
roleLisi.getPermissions().add(new Permission("更新权限", "update"));
userLisi.getRoles().add(roleLisi);
userDb.put(userLisi.getUsername(), userLisi);
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//根据用户名,从数据库读取数据
User user = userDb.get(username);
if (user == null) {
return null;
}
//提取用户信息的角色与权限关键词信息
//把用户角色与权限关键词为List<GrantedAuthority>列表
List<GrantedAuthority> authorityList=new ArrayList<>();
//通过当前用户,得到用户关联的每一个角色
for (Role role:user.getRoles()) {
//获取当前角色中的角色关键字存入到授权集合中
authorityList.add(new SimpleGrantedAuthority(role.getKeyword()));
//通过当前角色,得到角色关联的每一个权限
for (Permission permission:role.getPermissions()) {
//获取当前权限中的权限关键字存入到授权集合中
authorityList.add(new SimpleGrantedAuthority(permission.getKeyword()));
}
}
//构建UserDetails对象(使用Security框架自动的User类封装),封装用户名、密码(必须是加密 过的)及权限角色关键词列表
String password = user.getPassword();
String passwordByAuth=passwordEncoder.encode(password);
UserDetails userDetails=new org.springframework.security.core.userdetails.User(user.getUsername(),passwordByAuth,authorityList);
System.out.println("userDetails = " + userDetails);
System.out.println("passwordByAuth = " + passwordByAuth);
return userDetails;
}
}
web.xml
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<!--配置编码器-->
<filter>
<filter-name>CharacterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>CharacterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--springmvc前端控制器-->
<servlet>
<servlet-name>SpringMVC</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:*.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>SpringMVC</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
</web-app>
推荐阅读
-
解决centos7 下 spring boot security 登陆接口请求 pending很久才返回结果
-
Spring Security入门三
-
Spring Security在用户授权中自定义403页面
-
spring security默认访问权限判定源码
-
10、spring security拦截器之UsernamePasswordAuthenticationFilter
-
9、spring security拦截器之LogoutFilter
-
Java Spring Security 安全框架:(八)访问控制 url 匹配
-
Spring Security的使用
-
spring security中 BCrypt密码加密算法
-
spring4.1.8扩展实战之三 博客分类: spring