spring security的简单应用
本文只包涵spring security配置部分,不是一个完整项目,不过可以任意添加到一个web项目中,不需要对原来的程序做任何修改
部分内容来源于网络,如有雷同,毫无意外
1、xml配置文件
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <global-method-security pre-post-annotations="enabled"> </global-method-security> <!-- 不拦截的路径 --> <http pattern="/registerPage" security="none" /> <http pattern="/mainPage" security="none"></http> <http pattern="/item/itemid**" security="none"></http> <http pattern="/css/**" security="none" /> <http pattern="/font/**" security="none" /> <http pattern="/images/**" security="none" /> <http pattern="/js/**" security="none" /> <http auto-config="true"> <!-- 登录配置 --> <form-login login-page="/loginPage" authentication-failure-url="/login/failure" login-processing-url="/login" authentication-success-handler-ref="mySuccessHandler" username-parameter="username" password-parameter="password" /> <!-- 用户登出 --> <logout invalidate-session="true" logout-success-url="/loginPage" logout-url="/logout" /> <!-- 拦截页面 --> <intercept-url pattern="/item/**" access="ROLE_USER" /> <intercept-url pattern="/admin/**" access="ROLE_USER" /> </http> <!-- 登录成功的处理方法 --> <beans:bean id="mySuccessHandler" class="security.LoginSuccessHandle" ></beans:bean> <!-- 获取UserDettail的bean --> <beans:bean id="UserDetailService" class="security.MyUserDetailService"></beans:bean> <!-- 在这里也是一个大坑,查询网上的文章,这里都是引用的实现了UserDetailsService的类 --> <beans:bean id="UserService" class="security.SecurityProvider"></beans:bean> <authentication-manager> <authentication-provider ref="UserService"> </authentication-provider> </authentication-manager> </beans:beans>
2、用户权限信息类
省略相关数据库代码以及dao层代码
package po; public class UserRole { private String username; private String password; private String role; public UserRole(String username, String password, String role) { super(); this.username = username; this.password = password; this.role = role; } public String getUsername() { return username; } public void setUsername(String username) { this.username = username; } public String getPassword() { return password; } public void setPassword(String password) { this.password = password; } public String getRole() { return role; } public void setRole(String role) { this.role = role; } }
3、MyUserDetail类,实现UserDetail接口,包含用户信息和用户权限类型
package security; import java.util.Collection; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import po.UserRole; public class MyUserDetail implements UserDetails { /** * */ private static final long serialVersionUID = -5619502406659516775L; private UserRole myUser; private Collection<? extends GrantedAuthority> authorities; public MyUserDetail(UserRole user,Collection<? extends GrantedAuthority> authorities) { this.myUser = user; this.authorities = authorities; } public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; } public UserRole getMyUser() { return myUser; } public String getPassword() { return myUser.getPassword(); } public String getUsername() { return myUser.getUsername(); } public boolean isAccountNonExpired() { return false; } public boolean isAccountNonLocked() { return false; } public boolean isCredentialsNonExpired() { return false; } public boolean isEnabled() { return false; } }
4、MyUserDetailService类,实现UserDetailsService接口,用来获取一个UserDetail对象
package security; import java.util.ArrayList; import java.util.Collection; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Service; import mapper.UserRoleMapper; import po.UserRole; @Service public class MyUserDetailService implements UserDetailsService { @Autowired UserRoleMapper userdao; public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { UserRole user =userdao.getUserByName(username); if(user==null) { throw new UsernameNotFoundException("找不到该用户"); } // Collection<GrantedAuthority> grantedAuthorities = new ArrayList<>(); // SimpleGrantedAuthority grantedAuthority = new SimpleGrantedAuthority(role); // grantedAuthorities.add(grantedAuthority); return new MyUserDetail(user, getAuthorities(user.getRole())); } private Collection<GrantedAuthority> getAuthorities(String role) { Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>(); SimpleGrantedAuthority grantedAuthority = new SimpleGrantedAuthority(role); grantedAuthorities.add(grantedAuthority); return grantedAuthorities; } }
5、SecurityProvider类,实现了AuthenticationProvider,返回一个UsernamePasswordAuthenticationToken
package security; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UsernameNotFoundException; public class SecurityProvider implements AuthenticationProvider { @Autowired private MyUserDetailService userDetailsService; public Authentication authenticate(Authentication authentication) throws AuthenticationException { UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication; UserDetails userDetails = userDetailsService.loadUserByUsername(token.getName()); if (userDetails == null) { throw new UsernameNotFoundException("找不到该用户"); } if(!userDetails.getPassword().equals(token.getCredentials().toString())) { throw new BadCredentialsException("用户密码错误"); } return new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword(),userDetails.getAuthorities()); } public boolean supports(Class<?> authentication) { return UsernamePasswordAuthenticationToken.class.equals(authentication); } }
6、登录成功后自定义处理过程
spring security可以在配置文件中设置登录成功后的跳转页面,或者是直接返回认证前想要访问的页面,但是因为有时候用户是使用ajax请求登录,所以需要自定义一些操作,我是在登录成功后跳转到控制层url,
在url中携带需要跳转的参数,然后在控制层中将url参数返回到ajax,再由前端重新请求控制层跳转
package security; import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.beans.factory.InitializingBean; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.savedrequest.HttpSessionRequestCache; import org.springframework.security.web.savedrequest.RequestCache; import org.springframework.security.web.savedrequest.SavedRequest; public class LoginSuccessHandle implements AuthenticationSuccessHandler, InitializingBean { private RequestCache requestCache = new HttpSessionRequestCache(); @Override public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authen) throws IOException, ServletException { SavedRequest savedRequest = requestCache.getRequest(request, response); // 默认认证后跳转路径 String targetUrl = "/mainPage"; // 如果登录前有请求为拦截页面,则验证后跳转到该页面 if (savedRequest != null) { targetUrl = savedRequest.getRedirectUrl(); } // 跳转到认证成功处理控制器 response.sendRedirect("/loginSuccess?url=" + targetUrl); } @Override public void afterPropertiesSet() throws Exception { } }