质量属性战术----安全战术
网站的安全性战术分为:与抵抗攻击有关的战术、与检测攻击有关的战术以及从攻击中恢复有关的战术。
抵抗攻击
1. 对用户进行身份验证。在用户登录环节加以限制即可。
登录时将自定义的拦截器/过滤器替换为基于 Spring Security 的实现。
在pom.xml中加入
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
引入 Spring Security 之后再次启动项目时,Spring Security 会自动跳转到一个登录对话框,让你输入账号和密码。这里的用户名是 user,密码会在项目启动时自动生成并打印在控制台日志中,复制进去即可登录。
2.或者注册登录
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
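public class DAO {

    /**
     * Looks up a {@code t_user} row whose {@code userName} and {@code password} columns
     * both equal the values carried by {@code user}.
     *
     * <p>The JDBC statement and result set are closed on every path (the original leaked
     * both when an exception was thrown or when no row matched).
     *
     * @param con  open JDBC connection; not closed here, the caller owns it
     * @param user credentials to check; only {@code getUserName()} and {@code getPassword()} are read
     * @return a new {@code user} populated from the first matching row, or {@code null} when
     *         no row matches
     * @throws Exception any JDBC failure is propagated unchanged (original contract)
     */
    public user login(Connection con, user user) throws Exception {
        // NOTE(review): the password is matched inside SQL against the stored column, which
        // only works if passwords are stored in clear text. Storing a salted slow hash
        // (bcrypt/argon2) and comparing in Java is the expected mitigation; that needs a
        // schema change, so it is flagged here rather than applied.
        String sql = "select * from t_user where userName=? and password=?";
        try (PreparedStatement pstmt = con.prepareStatement(sql)) {
            pstmt.setString(1, user.getUserName());
            pstmt.setString(2, user.getPassword());
            try (ResultSet rs = pstmt.executeQuery()) {
                if (!rs.next()) {
                    return null;
                }
                user resultUser = new user();
                resultUser.setUserName(rs.getString("userName"));
                // The stored password is copied into the returned object as before; callers
                // should avoid propagating it further (session, logs, responses).
                resultUser.setPassword(rs.getString("password"));
                return resultUser;
            }
        }
    }

    /**
     * Inserts a new {@code t_user} row from {@code user}.
     *
     * @param con  open JDBC connection; not closed here, the caller owns it
     * @param user account to store; {@code getUserName()} and {@code getPassword()} are written as-is
     * @return {@code true} when the insert affected at least one row
     * @throws Exception any JDBC failure is propagated unchanged (original contract)
     */
    public boolean register(Connection con, user user) throws Exception {
        // NOTE(review): whatever getPassword() returns is stored verbatim; hashing must
        // happen before this point (or here) for the stored value not to be clear text.
        String sql = "INSERT INTO t_user(userName,password)VALUES(?,?)";
        try (PreparedStatement pstmt = con.prepareStatement(sql)) {
            pstmt.setString(1, user.getUserName());
            pstmt.setString(2, user.getPassword());
            return pstmt.executeUpdate() > 0;
        }
    }
}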
对用户进行授权。
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** MyBatis-backed user lookup used by the authentication manager. */
    @Autowired
    private CustomUserService myAppUserDetailsService;

    /**
     * URL authorization rules and form-login settings.
     *
     * <p>Matchers are evaluated in declaration order and the first match wins, so the
     * role-restricted prefixes are listed before the public static resources and the
     * catch-all rule.
     *
     * @param http the security builder supplied by Spring
     * @throws Exception propagated from the builder (framework contract)
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): the "//**" in these patterns looks like a rendering artefact for
        // "/**" — confirm against the real source before relying on the match.
        http.authorizeRequests()
            .antMatchers("/admin//**").hasRole("ADMIN")
            .antMatchers("/index//**").hasAnyRole("ADMIN")
            .antMatchers("/index").hasAnyRole("ADMIN")
            .antMatchers("/static_rbg*//**").permitAll()
            .antMatchers("/ricky*//**").permitAll()
            .anyRequest().authenticated();

        // Custom login page; the form must POST to the processing URL with the two
        // named parameters. Both success URLs are kept as in the original; presumably
        // the later successForwardUrl replaces the handler installed by defaultSuccessUrl —
        // verify, and drop one of them if so.
        http.formLogin()
            .loginPage("/login")
            .loginProcessingUrl("/ricky-login")
            .defaultSuccessUrl("/index")
            .successForwardUrl("/index")
            .usernameParameter("username").passwordParameter("password")
            .permitAll();

        // NOTE(review): CSRF protection is disabled for the whole application. With
        // cookie-based form login this leaves every state-changing endpoint open to
        // cross-site request forgery; the mitigation is to keep it enabled and include
        // the token in the login and other forms.
        http.csrf().disable();
    }

    /**
     * Wires the MyBatis user lookup and the password encoder into the global
     * authentication manager.
     *
     * @param auth the authentication builder supplied by Spring
     * @throws Exception propagated from the builder (framework contract)
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(myAppUserDetailsService)
            .passwordEncoder(passwordEncoder());
    }

    /**
     * Password verification strategy.
     *
     * <p>NOTE(review): {@code MyPasswordEncoder} is a custom implementation not shown here;
     * confirm it delegates to a salted adaptive hash (e.g. bcrypt) rather than a plain
     * digest or a clear-text comparison.
     *
     * @return the encoder shared by the authentication manager
     */
    @Bean(name = "passwordEncoder")
    public PasswordEncoder passwordEncoder() {
        return new MyPasswordEncoder();
    }
}