springsecurity入门案例
1、导包
<!-- Spring Security: XML-namespace configuration support plus the JSP tag library.
     Keep both artifacts on exactly the same version.
     NOTE(review): 5.1.x is an old release line; check for a currently supported
     Spring Security version before reusing this example in a real project. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.1.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>5.1.5.RELEASE</version>
</dependency>
2、配置文件(spring-security.xml)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Static resources bypass the security filter chain completely (security="none"):
     no authentication, no CSRF check and no security headers are applied to them.
     Keep these patterns narrow and never put dynamic endpoints here. -->
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/plugins/**" security="none"/>
<!-- The login-failure page is also outside the chain, so anyone can reach it. -->
<security:http pattern="/failer.jsp" security="none"/>
<!-- Main filter chain. auto-config="true" registers the default form-login, http-basic
     and logout support; use-expressions="true" makes access="" a SpEL expression. -->
<security:http auto-config="true" use-expressions="true">
<!-- The login page itself must be reachable without authentication. -->
<security:intercept-url pattern="/login.jsp" access="permitAll()"/>
<!-- Everything else requires ROLE_USER. intercept-url rules are matched in document
     order and the first match wins, so this catch-all must stay LAST. The authority
     string produced by loadUserByUsername (role.getRoleName()) must be exactly
     "ROLE_USER" for this expression to grant access. -->
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')"/>
<!-- Custom login form. login-page: page shown to unauthenticated users;
     login-processing-url: the POST target handled by Spring Security (default /login);
     default-target-url: where to go after a successful login;
     authentication-failure-url: where to go after a failed login.
     The login form must submit the CSRF token (see the csrf note below), otherwise
     the POST to /login is rejected. -->
<security:form-login login-page="/login.jsp"
login-processing-url="/login"
default-target-url="/index.jsp"
authentication-failure-url="/failer.jsp"/>
<!-- Logout. logout-url: URL that ends the session; logout-success-url: redirect target
     afterwards. With CSRF protection enabled (the default) Spring Security only accepts
     logout via POST, so a plain GET link to /logout will not log the user out. -->
<security:logout logout-url="/logout" logout-success-url="/login.jsp"/>
<!-- CSRF protection is ON by default and should stay on. Do NOT uncomment the line
     below in production: it would remove CSRF protection from login, logout and every
     other state-changing request. Instead, add the token to each HTML form:
     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> -->
<!--<security:csrf disabled="true"/>-->
</security:http>
<!-- Password encoder used by the authentication provider. BCrypt hashes carry their own
     per-password salt; stored passwords must be BCrypt hashes produced by this encoder. -->
<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<!-- Where Spring Security loads user information from: userServiceImpl must implement
     UserDetailsService. The submitted password is compared against
     UserDetails.getPassword() using the encoder above. -->
<!-- NOTE(review): a "{noop}" prefix is only understood by DelegatingPasswordEncoder.
     With BCryptPasswordEncoder wired here, a "{noop}..." value does not look like a
     BCrypt hash and the login simply fails. Store real BCrypt hashes. -->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userServiceImpl">
<security:password-encoder ref="passwordEncoder"/>
</security:authentication-provider>
</security:authentication-manager>
</beans>
3、配置web.xml文件
<!-- Spring Security's filter chain. DelegatingFilterProxy forwards every request to the
     Spring bean named "springSecurityFilterChain"; that bean name is fixed by the
     framework and must not be changed. Declare this filter ahead of other application
     filters (a character-encoding filter aside) so security decisions run first. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Map it to every request. Exclusions such as the security="none" patterns are
     decided inside spring-security.xml, not by narrowing this mapping. -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
4、在spring配置文件中引入springsecurity配置文件
<!-- Pull the security configuration into the root application context so that the
     springSecurityFilterChain bean exists for DelegatingFilterProxy in web.xml. -->
<import resource="classpath:spring-security.xml"/>
5、实现认证
通过实现UserDetailsService接口的loadUserByUsername方法提供用户信息。注意该方法只负责按用户名加载用户（用户名、已加密的密码、权限列表），密码比对由Spring Security的认证提供者使用上面配置的PasswordEncoder完成；查不到用户时应抛出UsernameNotFoundException，而不是返回null（返回null违反接口约定，框架会将其视为内部认证错误）。
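/**
 * Loads the account for the given username so the authentication provider
 * can verify the submitted password against it.
 *
 * <p>This method only loads the user. The password comparison is done by
 * Spring Security with the configured PasswordEncoder, so the password placed
 * in the returned UserDetails must already be stored in the form that encoder
 * expects (a BCrypt hash when BCryptPasswordEncoder is configured; a "{noop}"
 * prefix is not understood by BCryptPasswordEncoder).
 *
 * @param username the username submitted in the login form
 * @return Spring Security's own user object for that account
 * @throws UsernameNotFoundException if no account exists for the username.
 *         Returning null here violates the UserDetailsService contract; the
 *         provider rejects a null result as an internal authentication error.
 */
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    // Look the account up by name. A data-access failure is deliberately NOT
    // swallowed here: the previous catch-all printed the stack trace to stdout
    // and returned null, which the provider rejects anyway. Letting it propagate
    // keeps the same outcome (authentication fails) but preserves the cause.
    SysUser sysUser = userDao.findByName(username);
    if (sysUser == null) {
        // Spring's provider normally hides this as a generic BadCredentialsException
        // so responses do not reveal which usernames exist (hideUserNotFoundExceptions
        // is true by default; confirm it has not been changed in your setup).
        throw new UsernameNotFoundException("User not found: " + username);
    }

    // Map each role name to a granted authority. The name must match the access
    // expression in spring-security.xml exactly (e.g. "ROLE_USER").
    List<SimpleGrantedAuthority> authorities = new ArrayList<>();
    List<SysRole> roles = sysUser.getRoles();
    if (roles != null) {
        for (SysRole role : roles) {
            authorities.add(new SimpleGrantedAuthority(role.getRoleName()));
        }
    }

    // The stored (already-encoded) password is handed to the provider as-is for matching.
    // User's constructor rejects a null/empty username or password.
    return new User(sysUser.getUsername(), sysUser.getPassword(), authorities);
}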