zoukankan      html  css  js  c++  java
  • spring security的简单应用

    本文只包涵spring security配置部分,不是一个完整项目,不过可以任意添加到一个web项目中,不需要对原来的程序做任何修改

    部分内容来源于网络,如有雷同,毫无意外

    1、xml配置文件

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:context="http://www.springframework.org/schema/context"
        xsi:schemaLocation="http://www.springframework.org/schema/beans   
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd    
    http://www.springframework.org/schema/security   
    http://www.springframework.org/schema/security/spring-security-3.1.xsd">
        <global-method-security pre-post-annotations="enabled">
        </global-method-security>
        
        <!-- 不拦截的路径 -->
        <http pattern="/registerPage" security="none" />
        <http pattern="/mainPage" security="none"></http>
        <http pattern="/item/itemid**" security="none"></http>
        <http pattern="/css/**" security="none" />
        <http pattern="/font/**" security="none" />
        <http pattern="/images/**" security="none" />
        <http pattern="/js/**" security="none" />
        
        <http auto-config="true">
            <!-- 登录配置 -->
            <form-login login-page="/loginPage"
                authentication-failure-url="/login/failure"
                login-processing-url="/login" 
                authentication-success-handler-ref="mySuccessHandler"  
                username-parameter="username"
                password-parameter="password" />
    
            <!-- 用户登出 -->
            <logout invalidate-session="true" logout-success-url="/loginPage"
                logout-url="/logout" />
                
            <!-- 拦截页面 -->    
            <intercept-url pattern="/item/**" access="ROLE_USER" />
            <intercept-url pattern="/admin/**" access="ROLE_USER" />
        </http>
        
        <!-- 登录成功的处理方法 -->
        <beans:bean id="mySuccessHandler" class="security.LoginSuccessHandle" ></beans:bean>
        
        <!-- 获取UserDettail的bean -->
        <beans:bean id="UserDetailService" class="security.MyUserDetailService"></beans:bean>
        
        <!-- 在这里也是一个大坑,查询网上的文章,这里都是引用的实现了UserDetailsService的类 -->
        <beans:bean id="UserService" class="security.SecurityProvider"></beans:bean>
        <authentication-manager>
            <authentication-provider ref="UserService">
            </authentication-provider>
        </authentication-manager>
    </beans:beans>

    2、用户权限信息类

    省略相关数据库代码以及dao层代码

    package po;
    
    public class UserRole {
    
        private String username;
        private String password;
        private String role;
    
        public UserRole(String username, String password, String role) {
            super();
            this.username = username;
            this.password = password;
            this.role = role;
        }
    
        public String getUsername() {
            return username;
        }
    
        public void setUsername(String username) {
            this.username = username;
        }
    
        public String getPassword() {
            return password;
        }
    
        public void setPassword(String password) {
            this.password = password;
        }
    
        public String getRole() {
            return role;
        }
    
        public void setRole(String role) {
            this.role = role;
        }
    }

    3、MyUserDetail类,实现UserDetail接口,包含用户信息和用户权限类型

    package security;
    
    import java.util.Collection;
    
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;
    
    import po.UserRole;
    
    public class MyUserDetail implements UserDetails {
        /**
         * 
         */
        private static final long serialVersionUID = -5619502406659516775L;
        private UserRole myUser;
        private Collection<? extends GrantedAuthority> authorities;
    
        public MyUserDetail(UserRole user,Collection<? extends GrantedAuthority> authorities) {
            this.myUser = user;
            this.authorities = authorities;
        }
    
        public Collection<? extends GrantedAuthority> getAuthorities() {
            return authorities;
        }
        public UserRole getMyUser() {
            return myUser;
        }
        public String getPassword() {
            return myUser.getPassword();
        }
    
        public String getUsername() {
            return myUser.getUsername();
        }
    
        public boolean isAccountNonExpired() {
            return false;
        }
    
        public boolean isAccountNonLocked() {
            return false;
        }
    
        public boolean isCredentialsNonExpired() {
            return false;
        }
    
        public boolean isEnabled() {
            return false;
        }
    
    }

    4、MyUserDetailService类,实现UserDetailsService接口,用来获取一个UserDetail对象

    package security;
    
    import java.util.ArrayList;
    import java.util.Collection;
    
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;
    
    import mapper.UserRoleMapper;
    import po.UserRole;
    
    @Service
    public class MyUserDetailService implements UserDetailsService  {
        @Autowired
        UserRoleMapper userdao;
        public UserDetails loadUserByUsername(String username)
                throws UsernameNotFoundException {
            UserRole user =userdao.getUserByName(username);
            if(user==null)
            {
                throw new  UsernameNotFoundException("找不到该用户");
            }
    //        Collection<GrantedAuthority> grantedAuthorities = new ArrayList<>();
    //        SimpleGrantedAuthority grantedAuthority = new SimpleGrantedAuthority(role);
    //        grantedAuthorities.add(grantedAuthority);
            return new MyUserDetail(user, getAuthorities(user.getRole()));
        }
    
        private Collection<GrantedAuthority> getAuthorities(String role) {
            Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
            SimpleGrantedAuthority grantedAuthority = new SimpleGrantedAuthority(role);
            grantedAuthorities.add(grantedAuthority);
            return grantedAuthorities;
        }
    
    }

    5、SecurityProvider类,实现了AuthenticationProvider,返回一个UsernamePasswordAuthenticationToken

    package security;
    
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.BadCredentialsException;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    
    public class SecurityProvider implements AuthenticationProvider {
        @Autowired
        private MyUserDetailService userDetailsService;
        public Authentication authenticate(Authentication authentication)
                throws AuthenticationException {
            UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication;
            UserDetails userDetails = userDetailsService.loadUserByUsername(token.getName());
            if (userDetails == null) {
                throw new UsernameNotFoundException("找不到该用户");
            }
            if(!userDetails.getPassword().equals(token.getCredentials().toString()))
            {
                  throw new BadCredentialsException("用户密码错误");
            }
            return new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword(),userDetails.getAuthorities());
        }
    
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.equals(authentication);
        }
    
    }

     6、登录成功后自定义处理过程

    spring security可以在配置文件中设置登录成功后的跳转页面,或者是直接返回认证前想要访问的页面,但是因为有时候用户是使用ajax请求登录,所以需要自定义一些操作,我是在登录成功后跳转到控制层url,

    在url中携带需要跳转的参数,然后在控制层中将url参数返回到ajax,再由前端重新请求控制层跳转

    package security;
    
    import java.io.IOException;
    
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    
    import org.springframework.beans.factory.InitializingBean;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
    import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
    import org.springframework.security.web.savedrequest.RequestCache;
    import org.springframework.security.web.savedrequest.SavedRequest;
    
    public class LoginSuccessHandle implements AuthenticationSuccessHandler, InitializingBean {
        private RequestCache requestCache = new HttpSessionRequestCache();
    
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authen)
                throws IOException, ServletException {
            SavedRequest savedRequest = requestCache.getRequest(request, response);
            // 默认认证后跳转路径
            String targetUrl = "/mainPage";
    
            // 如果登录前有请求为拦截页面,则验证后跳转到该页面
            if (savedRequest != null) {
                targetUrl = savedRequest.getRedirectUrl();
            }
    
            // 跳转到认证成功处理控制器
            response.sendRedirect("/loginSuccess?url=" + targetUrl);
    
        }
    
        @Override
        public void afterPropertiesSet() throws Exception {
        }
    
    }
  • 相关阅读:
    自己写的jQuery放大镜插件效果(一)(采用一张大图和一张小图片的思路)
    javascript 节点操作拷贝节点cloneNode()
    javascript节点操作移出节点removeChild()
    写的一个封拆包代码
    C#_socket拆包_封包_模拟乱序包
    VS2010使用DX报错 VS报错之混合模式程序集是针对“v1.1.4322”版的运行时生成的,在没有配置其他信息的情况下,无法在 4.0 运行时中加载该程序集。
    C#_C++_SDK_WM_KEYDOWN人物卡顿延迟解决方法
    MYSQL游标的使用
    MYSQL异常和错误机制
    CRM中的一个函数,保存一下,别系统被ぅ崩坏就麻烦了.
  • 原文地址:https://www.cnblogs.com/yyxxn/p/8257850.html
Copyright © 2011-2022 走看看