当我们在管理后台数据的时候需要对管理者的身份进行认证和授权,在该项目中用到的安全认证服务框架是Spring Security。
1.Spring Security的简单入门
通过一个spring security的入门案例来了解使用该框架的基本步骤。
1.1使用IDEA新建一个webapp的maven工程,在pom.xml文件中引入spring security框架的相关坐标。
1 <?xml version="1.0" encoding="UTF-8"?> 2 3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 5 <modelVersion>4.0.0</modelVersion> 6 7 <groupId>club.nipengfei</groupId> 8 <artifactId>spring_security_rumeng</artifactId> 9 <version>1.0-SNAPSHOT</version> 10 <packaging>war</packaging> 11 12 <name>spring_security_rumeng Maven Webapp</name> 13 <!-- FIXME change it to the project's website --> 14 <url>http://www.example.com</url> 15 16 <properties> 17 <spring.version>5.0.2.RELEASE</spring.version> 18 <spring.security.version>5.0.1.RELEASE</spring.security.version> 19 </properties> 20 21 <dependencies> 22 <dependency> 23 <groupId>org.springframework</groupId> 24 <artifactId>spring-core</artifactId> 25 <version>${spring.version}</version> 26 </dependency> 27 <dependency> 28 <groupId>org.springframework</groupId> 29 <artifactId>spring-web</artifactId> 30 <version>${spring.version}</version> 31 </dependency> 32 <dependency> 33 <groupId>org.springframework</groupId> 34 <artifactId>spring-webmvc</artifactId> 35 <version>${spring.version}</version> 36 </dependency> 37 <dependency> 38 <groupId>org.springframework</groupId> 39 <artifactId>spring-context-support</artifactId> 40 <version>${spring.version}</version> 41 </dependency> 42 <dependency> 43 <groupId>org.springframework</groupId> 44 <artifactId>spring-test</artifactId> 45 <version>${spring.version}</version> 46 </dependency> 47 <dependency> 48 <groupId>org.springframework</groupId> 49 <artifactId>spring-jdbc</artifactId> 50 <version>${spring.version}</version> 51 </dependency> 52 53 <dependency> 54 <groupId>org.springframework.security</groupId> 55 <artifactId>spring-security-web</artifactId> 56 <version>${spring.security.version}</version> 57 </dependency> 58 <dependency> 59 <groupId>org.springframework.security</groupId> 60 <artifactId>spring-security-config</artifactId> 61 <version>${spring.security.version}</version> 62 </dependency> 63 <dependency> 64 <groupId>javax.servlet</groupId> 65 <artifactId>javax.servlet-api</artifactId> 66 <version>3.1.0</version> 67 <scope>provided</scope> 68 </dependency> 69 </dependencies> 70 <build> 71 <plugins> 72 <!-- java编译插件 --> 73 <plugin> 74 <groupId>org.apache.maven.plugins</groupId> 75 <artifactId>maven-compiler-plugin</artifactId> 76 <version>3.2</version> 77 <configuration> 78 <source>1.8</source> 79 <target>1.8</target> 80 <encoding>UTF-8</encoding> 81 </configuration> 82 </plugin> 83 <plugin> 84 <groupId>org.apache.tomcat.maven</groupId> 85 <artifactId>tomcat7-maven-plugin</artifactId> 86 <configuration> 87 <!-- 指定端口 --> 88 <port>8090</port> 89 <!-- 请求路径 --> 90 <path>/</path> 91 </configuration> 92 </plugin> 93 </plugins> 94 </build> 95 </project>
1.2在web.xml中配置一个spring security的过滤器和引入spring security的核心配置文件。
1 <?xml version="1.0" encoding="UTF-8"?> 2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 3 xmlns="http://java.sun.com/xml/ns/javaee" 4 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 5 version="2.5"> 6 <display-name>SpringSecurity314</display-name> 7 8 <context-param> 9 <param-name>contextConfigLocation</param-name> 10 <param-value>classpath:spring-security.xml</param-value> 11 </context-param> 12 <listener> 13 <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 14 </listener> 15 <filter> 16 <filter-name>springSecurityFilterChain</filter-name> 17 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 18 </filter> 19 <filter-mapping> 20 <filter-name>springSecurityFilterChain</filter-name> 21 <url-pattern>/*</url-pattern> 22 </filter-mapping> 23 <welcome-file-list> 24 <welcome-file>index.html</welcome-file> 25 <welcome-file>index.htm</welcome-file> 26 <welcome-file>index.jsp</welcome-file> 27 <welcome-file>default.html</welcome-file> 28 <welcome-file>default.htm</welcome-file> 29 <welcome-file>default.jsp</welcome-file> 30 </welcome-file-list> 31 </web-app>
1.3在resource资源路径下新建一个该框架的核心配置文件spring-security.xml
1 <?xml version="1.0" encoding="UTF-8"?> 2 <beans xmlns="http://www.springframework.org/schema/beans" 3 xmlns:security="http://www.springframework.org/schema/security" 4 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 5 xsi:schemaLocation="http://www.springframework.org/schema/beans 6 http://www.springframework.org/schema/beans/spring-beans.xsd 7 http://www.springframework.org/schema/security 8 http://www.springframework.org/schema/security/spring-security.xsd"> 9 <security:http auto-config="true" use-expressions="false"> 10 <!-- intercept-url定义一个过滤规则 pattern表示对哪些url进行权限控制,ccess属性表示在请求对应 11 的URL时需要什么权限, 12 默认配置时它应该是一个以逗号分隔的角色列表,请求的用户只需拥有其中的一个角色就能成功访问对应 13 的URL --> 14 <security:intercept-url pattern="/**" access="ROLE_USER" /> 15 <!-- auto-config配置后,不需要在配置下面信息 <security:form-login /> 定义登录表单信息 16 <security:http-basic 17 /> <security:logout /> --> 18 </security:http> 19 <security:authentication-manager> 20 <security:authentication-provider> 21 <security:user-service> 22 <security:user name="user" password="{noop}user" 23 authorities="ROLE_USER" /> 24 <security:user name="admin" password="{noop}admin" 25 authorities="ROLE_ADMIN" /> 26 </security:user-service> 27 </security:authentication-provider> 28 </security:authentication-manager> 29 </beans>
1.4入门案例总结
启动该入门案例发现直接跳转到了登录页面,但是我们并没有写有关登录的页面,这个页面是该框架本身自己的。
因为在核心配置文件中有<security:http auto-config="true" use-expressions="false">开启spring security的默认的配置,当然也可以自定义登录页面。
当我们随意输入一个用户名"npf"和密码"1233"(配置文件中没有该用户名密码)时会出现如下提示
当我们输入用户名"admin"密码"admin"(配置文件中有该用户名密码但该角色不符合要求)时会出现如下提示,该提示表示权限不足。
当我们输入用户名"user"密码"user"时能够正常访问到index.jsp页面
上述简单入门案例存在明显不足之处,需要改进。
- 登录页面太简陋需要自定义
- 登录的账号一般在数据库中而不是在配置文件中
2.spring security在数据后台管理中的使用
为了确保数据的安全,在管理数据过程中需要对管理者的身份进行验证,并且让不同的管理者有不同的操作权限。
2.1与入门案例相似,在pom.xml文件中引入相应坐标,并在web.xml中配置一个spring security的过滤器和引入spring security的核心配置文件。
1 <?xml version="1.0" encoding="UTF-8"?> 2 3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 5 <modelVersion>4.0.0</modelVersion> 6 7 <groupId>club.nipengfei</groupId> 8 <artifactId>ssm5</artifactId> 9 <version>1.0-SNAPSHOT</version> 10 <packaging>war</packaging> 11 12 <name>ssm5 Maven Webapp</name> 13 <!-- FIXME change it to the project's website --> 14 <url>http://www.example.com</url> 15 16 <properties> 17 <spring.version>5.0.2.RELEASE</spring.version> 18 <slf4j.version>1.6.6</slf4j.version> 19 <log4j.version>1.2.12</log4j.version> 20 <mysql.version>5.1.6</mysql.version> 21 <mybatis.version>3.4.5</mybatis.version> 22 <spring.security.version>5.0.1.RELEASE</spring.security.version> 23 </properties> 24 <dependencies> 25 <!-- spring --> 26 <dependency> 27 <groupId>org.aspectj</groupId> 28 <artifactId>aspectjweaver</artifactId> 29 <version>1.6.8</version> 30 </dependency> 31 <dependency> 32 <groupId>org.springframework</groupId> 33 <artifactId>spring-aop</artifactId> 34 <version>${spring.version}</version> 35 </dependency> 36 <dependency> 37 <groupId>org.springframework</groupId> 38 <artifactId>spring-context</artifactId> 39 <version>${spring.version}</version> 40 </dependency> 41 <dependency> 42 <groupId>org.springframework</groupId> 43 <artifactId>spring-web</artifactId> 44 <version>${spring.version}</version> 45 </dependency> 46 <dependency> 47 <groupId>org.springframework</groupId> 48 <artifactId>spring-webmvc</artifactId> 49 <version>${spring.version}</version> 50 </dependency> 51 <dependency> 52 <groupId>org.springframework</groupId> 53 <artifactId>spring-test</artifactId> 54 <version>${spring.version}</version> 55 </dependency> 56 <dependency> 57 <groupId>org.springframework</groupId> 58 <artifactId>spring-tx</artifactId> 59 <version>${spring.version}</version> 60 </dependency> 61 <dependency> 62 <groupId>org.springframework</groupId> 63 <artifactId>spring-jdbc</artifactId> 64 <version>${spring.version}</version> 65 </dependency> 66 <dependency> 67 <groupId>junit</groupId> 68 <artifactId>junit</artifactId> 69 <version>4.12</version> 70 <scope>compile</scope> 71 </dependency> 72 <dependency> 73 <groupId>mysql</groupId> 74 <artifactId>mysql-connector-java</artifactId> 75 <version>${mysql.version}</version> 76 </dependency> 77 <dependency> 78 <groupId>javax.servlet</groupId> 79 <artifactId>servlet-api</artifactId> 80 <version>2.5</version> 81 <scope>provided</scope> 82 </dependency> 83 <dependency> 84 <groupId>javax.servlet.jsp</groupId> 85 <artifactId>jsp-api</artifactId> 86 <version>2.0</version> 87 <scope>provided</scope> 88 </dependency> 89 <dependency> 90 <groupId>jstl</groupId> 91 <artifactId>jstl</artifactId> 92 <version>1.2</version> 93 </dependency> 94 <!-- log start --> 95 <dependency> 96 <groupId>log4j</groupId> 97 <artifactId>log4j</artifactId> 98 <version>${log4j.version}</version> 99 </dependency> 100 <dependency> 101 <groupId>org.slf4j</groupId> 102 <artifactId>slf4j-api</artifactId> 103 <version>${slf4j.version}</version> 104 </dependency> 105 <dependency> 106 <groupId>org.slf4j</groupId> 107 <artifactId>slf4j-log4j12</artifactId> 108 <version>${slf4j.version}</version> 109 </dependency> 110 <!-- log end --> 111 <dependency> 112 <groupId>org.mybatis</groupId> 113 <artifactId>mybatis</artifactId> 114 <version>${mybatis.version}</version> 115 </dependency> 116 <dependency> 117 <groupId>org.mybatis</groupId> 118 <artifactId>mybatis-spring</artifactId> 119 <version>1.3.0</version> 120 </dependency> 121 <dependency> 122 <groupId>c3p0</groupId> 123 <artifactId>c3p0</artifactId> 124 <version>0.9.1.2</version> 125 <type>jar</type> 126 <scope>compile</scope> 127 </dependency> 128 <dependency> 129 <groupId>com.github.pagehelper</groupId> 130 <artifactId>pagehelper</artifactId> 131 <version>5.1.2</version> 132 </dependency> 133 <dependency> 134 <groupId>org.springframework.security</groupId> 135 <artifactId>spring-security-web</artifactId> 136 <version>${spring.security.version}</version> 137 </dependency> 138 <dependency> 139 <groupId>org.springframework.security</groupId> 140 <artifactId>spring-security-config</artifactId> 141 <version>${spring.security.version}</version> 142 </dependency> 143 <dependency> 144 <groupId>org.springframework.security</groupId> 145 <artifactId>spring-security-core</artifactId> 146 <version>${spring.security.version}</version> 147 </dependency> 148 <dependency> 149 <groupId>org.springframework.security</groupId> 150 <artifactId>spring-security-taglibs</artifactId> 151 <version>${spring.security.version}</version> 152 </dependency> 153 154 <dependency> 155 <groupId>mysql</groupId> 156 <artifactId>mysql-connector-java</artifactId> 157 <version>${mysql.version}</version> 158 </dependency> 159 160 <dependency> 161 <groupId>javax.annotation</groupId> 162 <artifactId>jsr250-api</artifactId> 163 <version>1.0</version> 164 </dependency> 165 166 </dependencies> 167 168 <build> 169 <finalName>ssm5</finalName> 170 <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) --> 171 <plugins> 172 <plugin> 173 <artifactId>maven-clean-plugin</artifactId> 174 <version>3.1.0</version> 175 </plugin> 176 <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging --> 177 <plugin> 178 <artifactId>maven-resources-plugin</artifactId> 179 <version>3.0.2</version> 180 </plugin> 181 <plugin> 182 <artifactId>maven-compiler-plugin</artifactId> 183 <version>3.8.0</version> 184 </plugin> 185 <plugin> 186 <artifactId>maven-surefire-plugin</artifactId> 187 <version>2.22.1</version> 188 </plugin> 189 <plugin> 190 <artifactId>maven-war-plugin</artifactId> 191 <version>3.2.2</version> 192 </plugin> 193 <plugin> 194 <artifactId>maven-install-plugin</artifactId> 195 <version>2.5.2</version> 196 </plugin> 197 <plugin> 198 <artifactId>maven-deploy-plugin</artifactId> 199 <version>2.8.2</version> 200 </plugin> 201 </plugins> 202 </pluginManagement> 203 </build> 204 </project>
1 <?xml version="1.0" encoding="UTF-8"?> 2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 3 xmlns="http://xmlns.jcp.org/xml/ns/javaee" 4 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" 5 version="3.1"> 6 7 <display-name>Archetype Created web Application</display-name> 8 <!--配置监听器,默认只加载WEB-INF目录下的applicationContext.xml配置文件--> 9 <listener> 10 <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 11 </listener> 12 <!--设置配置文件路径--> 13 <context-param> 14 <param-name>contextConfigLocation</param-name> 15 <param-value>classpath*:applicationContext.xml,classpath*:spring-security.xml</param-value> 16 </context-param> 17 <!--配置前端控制器--> 18 <servlet> 19 <servlet-name>dispatcherServlet</servlet-name> 20 <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 21 <!--加载springmvc.xml配置文件--> 22 <init-param> 23 <param-name>contextConfigLocation</param-name> 24 <param-value>classpath:springmvc.xml</param-value> 25 </init-param> 26 <!--启动服务器,创建servlet--> 27 <load-on-startup>1</load-on-startup> 28 </servlet> 29 <servlet-mapping> 30 <servlet-name>dispatcherServlet</servlet-name> 31 <url-pattern>*.do</url-pattern> 32 </servlet-mapping> 33 34 <!--解决中文乱码过滤器--> 35 <filter> 36 <filter-name>characterEncodingFilter</filter-name> 37 <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class> 38 <init-param> 39 <param-name>encoding</param-name> 40 <param-value>UTF-8</param-value> 41 </init-param> 42 </filter> 43 <filter-mapping> 44 <filter-name>characterEncodingFilter</filter-name> 45 <url-pattern>/*</url-pattern> 46 </filter-mapping> 47 48 <!--spring security的过滤器--> 49 <filter> 50 <filter-name>springSecurityFilterChain</filter-name> 51 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 52 </filter> 53 <filter-mapping> 54 <filter-name>springSecurityFilterChain</filter-name> 55 <url-pattern>/*</url-pattern> 56 </filter-mapping> 57 58 <welcome-file-list> 59 <welcome-file>index.html</welcome-file> 60 <welcome-file>index.htm</welcome-file> 61 <welcome-file>index.jsp</welcome-file> 62 <welcome-file>default.html</welcome-file> 63 <welcome-file>default.htm</welcome-file> 64 <welcome-file>default.jsp</welcome-file> 65 </welcome-file-list> 66 </web-app>
2.2配置spring security的核心配置文件
与入门案例相比,这里配置了不拦截的资源,自定义了登录页面,实现了退出操作,将原先定义在配置页面中的登录用户名和密码切换成在数据库中。
1 <?xml version="1.0" encoding="UTF-8"?> 2 <beans xmlns="http://www.springframework.org/schema/beans" 3 xmlns:security="http://www.springframework.org/schema/security" 4 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 5 xsi:schemaLocation="http://www.springframework.org/schema/beans 6 http://www.springframework.org/schema/beans/spring-beans.xsd 7 http://www.springframework.org/schema/security 8 http://www.springframework.org/schema/security/spring-security.xsd"> 9 10 <!-- 配置不拦截的资源 --> 11 <security:http pattern="/login.jsp" security="none"/> 12 <security:http pattern="/failer.jsp" security="none"/> 13 <security:http pattern="/css/**" security="none"/> 14 <security:http pattern="/img/**" security="none"/> 15 <security:http pattern="/plugins/**" security="none"/> 16 17 <!-- 18 配置具体的规则 19 auto-config="true" 不用自己编写登录的页面,框架提供默认登录页面 20 use-expressions="false" 是否使用SPEL表达式(没学习过) 21 --> 22 <security:http auto-config="true" use-expressions="true"> 23 <!-- 配置具体的拦截的规则 pattern="请求路径的规则" access="访问系统的人,必须有ROLE_USER的角色" --> 24 <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/> 25 26 <!-- 定义跳转的具体的页面 --> 27 <security:form-login 28 login-page="/login.jsp" 29 login-processing-url="/login.do" 30 default-target-url="/index.jsp" 31 authentication-failure-url="/failer.jsp" 32 authentication-success-forward-url="/pages/main.jsp" 33 /> 34 35 <!-- 关闭跨域请求 --> 36 <security:csrf disabled="true"/> 37 38 <!-- 退出 --> 39 <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp" /> 40 41 </security:http> 42 43 <!-- 切换成数据库中的用户名和密码 --> 44 <security:authentication-manager> 45 <security:authentication-provider user-service-ref="userService"> 46 <!-- 配置加密的方式 --> 47 <security:password-encoder ref="passwordEncoder"/> 48 </security:authentication-provider> 49 </security:authentication-manager> 50 51 <!-- 配置加密类 --> 52 <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/> 53 54 </beans>
2.3使用数据库完成用户登录流程
下面是使用数据库完成认证操作的流程图
在Spring Security中如果想要使用数据进行认证操作,有很多种操作方式,这里我们介绍使用UserDetails、UserDetailsService来完成操作。
IUserService接口继承了UserDetailsService类,UserServiceImpl类实现了IUserService接口。
UserDetailsService 接口内有一个loadUserByUsername方法,返回的是UserDetails。
1 public interface UserDetailsService { 2 // ~ Methods 3 // ======================================================================================================== 4 5 /** 6 * Locates the user based on the username. In the actual implementation, the search 7 * may possibly be case sensitive, or case insensitive depending on how the 8 * implementation instance is configured. In this case, the <code>UserDetails</code> 9 * object that comes back may have a username that is of a different case than what 10 * was actually requested.. 11 * 12 * @param username the username identifying the user whose data is required. 13 * 14 * @return a fully populated user record (never <code>null</code>) 15 * 16 * @throws UsernameNotFoundException if the user could not be found or the user has no 17 * GrantedAuthority 18 */ 19 UserDetails loadUserByUsername(String username) throws UsernameNotFoundException; 20 }
根据spring-security的核心配置文件,需要将UserServiceImpl类命名为"userService",并实现loadUserByUsername方法。
loadUserByUsername方法根据用户名从数据库中查询用户信息UserInfo,并将UserInfo的用户名,密码和角色信息作为User的构造参数。
1 package club.nipengfei.service.impl; 2 3 import club.nipengfei.dao.IUserDao; 4 import club.nipengfei.domain.Role; 5 import club.nipengfei.domain.UserInfo; 6 import club.nipengfei.service.IUserService; 7 import org.springframework.beans.factory.annotation.Autowired; 8 import org.springframework.security.core.authority.SimpleGrantedAuthority; 9 import org.springframework.security.core.userdetails.User; 10 import org.springframework.security.core.userdetails.UserDetails; 11 import org.springframework.security.core.userdetails.UsernameNotFoundException; 12 import org.springframework.stereotype.Service; 13 import org.springframework.transaction.annotation.Transactional; 14 15 import java.util.ArrayList; 16 import java.util.Collection; 17 import java.util.List; 18 19 @Service("userService") 20 @Transactional 21 public class UserServiceImpl implements IUserService { 22 23 @Autowired 24 private IUserDao userDao; 25 26 public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { 27 UserInfo userInfo = null; 28 try { 29 userInfo = userDao.findByUsername(username);31 } catch (Exception e) { 32 e.printStackTrace(); 33 } 34 // 处理自己的用户对象分装成UserDetails 35 // 该spring security的User实现了UserDetails 36 User user = new User(userInfo.getUsername(),userInfo.getPassword(),getAuthority(userInfo.getRoles()));38 return user; 39 } 40 41 public List<SimpleGrantedAuthority> getAuthority(List<Role> roles) { 42 List<SimpleGrantedAuthority> list = new ArrayList<SimpleGrantedAuthority>(); 43 for (Role role:roles){ 44 list.add(new SimpleGrantedAuthority("ROLE_"+role.getRoleName())); 45 } 46 return list; 47 } 48 }
接口UserDetails,封装了当前认证用户的信息,但由于是一个接口,我们可以对其实现,也可以使用spring security提供的UserDetails实现类User完成操作
1 public interface UserDetails extends Serializable { 2 Collection<? extends GrantedAuthority> getAuthorities(); 3 String getPassword(); 4 String getUsername(); 5 boolean isAccountNonExpired(); 6 boolean isAccountNonLocked(); 7 boolean isCredentialsNonExpired(); 8 boolean isEnabled(); 9 }
1 public class User implements UserDetails, CredentialsContainer { 2 private String password; 3 private final String username; 4 private final Set<GrantedAuthority> authorities; 5 private final boolean accountNonExpired; //帐户是否过期 6 private final boolean accountNonLocked; //帐户是否锁定 7 private final boolean credentialsNonExpired; //认证是否过期 8 private final boolean enabled; //帐户是否可用 9 }
下面是根据用户名查询用户信息的IUserDao接口
1 package club.nipengfei.dao; 2 3 import club.nipengfei.domain.UserInfo; 4 import org.apache.ibatis.annotations.Many; 5 import org.apache.ibatis.annotations.Result; 6 import org.apache.ibatis.annotations.Results; 7 import org.apache.ibatis.annotations.Select; 8 9 public interface IUserDao { 10 11 @Select("select * from users where username=#{username}") 12 @Results({ 13 @Result(id = true,property = "id",column = "id"), 14 @Result(property = "username",column = "username"), 15 @Result(property = "email",column = "email"), 16 @Result(property = "password",column = "password"), 17 @Result(property = "phoneNum",column = "phoneNum"), 18 @Result(property = "status",column = "status"), 19 @Result(property = "roles",column = "id",javaType = java.util.List.class,many = @Many(select = "club.nipengfei.dao.IRoleDao.findRoleByUserId")) 20 }) 21 public UserInfo findByUsername(String username) throws Exception; 22 }
2.4使用spring security完成权限控制(JSR-250注解)
不同的用户有不同的角色,根据角色使用户有不同的权限。在服务器端我们可以通过Spring security提供的注解对方法来进行权限控制。Spring Security在方法的权限控制上支持三种类型的注解,JSR-250注解、@Secured注解和支持表达式的注解,这三种注解默认都是没有启用的,需要单独通过global-method-security元素的对应属性进行启用
下面使用JSR-250注解完成权限控制:
需要在security-security.xml中开启权限,并且在pom.xml引入坐标
<security:global-method-security jsr250-annotations="enabled"></security:global-method-security>
<dependency> <groupId>javax.annotation</groupId> <artifactId>jsr250-api</artifactId> <version>1.0</version> </dependency>
- @RolesAllowed表示访问对应方法时所应该具有的角色
- @PermitAll表示允许所有的角色进行访问,也就是说不进行权限控制
- @DenyAll是和PermitAll相反的,表示无论什么角色都不能访问
示例:
@RolesAllowed({"USER", "ADMIN"}) 该方法只要具有"USER", "ADMIN"任意一种权限就可以访问。这里可以省略前缀ROLE_,实际的权限可能是ROLE_ADMIN
2.5使用spring security完成权限控制(@Secured注解)
与上面的类似,少一步pom.xml坐标引入,因为该注解是spring security本身提供的。