簡(jiǎn)介
SpringSecurity是專門針對(duì)基于Spring項(xiàng)目的安全框架贪婉,充分利用了依賴注入和AOP來(lái)實(shí)現(xiàn)安全管控洪橘。
SpringSecurity框架有兩個(gè)概念認(rèn)證和授權(quán)凫乖,認(rèn)證可以訪問(wèn)系統(tǒng)的用戶鹿鳖,而授權(quán)則是用戶可以訪問(wèn)的資源粱锐。
構(gòu)建項(xiàng)目
- 訪問(wèn)地址:http://start.spring.io
- 添加Web樱蛤、MySQL钮呀、JPA、Druid刹悴、Security行楞、JSP依賴
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.gala</groupId>
<artifactId>security</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>security</name>
<description>Demo project for Spring Boot</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.3.RELEASE</version>
<relativePath /> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
</properties>
<dependencies>
<!--Web -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!--SpringSecurity -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
</dependency>
<!--SpringDataJPA -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<!--MySQL -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<!--druid -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-starter</artifactId>
<version>1.1.9</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
新增配置文件application.yml
spring:
datasource:
type: com.alibaba.druid.pool.DruidDataSource
driver-class-name: com.mysql.jdbc.Driver
url: jdbc:mysql://127.0.0.1:3306/test?characterEncoding=utf8
username: root
password: 123456
#配置監(jiān)控統(tǒng)計(jì)攔截的filters
filters: stat,wall,log4j
#最大活躍數(shù)
maxActive: 20
#初始化數(shù)量
initialSize: 1
#最大連接等待超時(shí)時(shí)間
maxWait: 60000
#打開PSCache,并指定每個(gè)連接PSCache的大小
poolPreparedStatements: true
maxPoolPreparedStatementPerConnectionSize: 20
#通過(guò)connectionProperties屬性打開mergeSql功能
connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=5000
minldle: 1
timeBetweenEvictionRunsMillis: 60000
minEvictableldleTimeMillis: 300000
validationQuery: select 1 from dual
testWhiledle: true
testOnBorrow: false
testOnReturn: false
jpa:
properties:
hibernate:
show_sql: true
format_sql: true
mvc:
view:
prefix: /WEB-INF/views/
suffix: .jsp
建表及初始化數(shù)據(jù)
-- ----------------------------
-- Table structure for ss_user 用戶
-- ----------------------------
DROP TABLE IF EXISTS `ss_user`;
CREATE TABLE `ss_user` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT '主鍵',
`username` varchar(10) DEFAULT NULL COMMENT '用戶名稱',
`password` varchar(10) DEFAULT NULL COMMENT '用戶密碼',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
insert into `ss_user`(`id`,`username`,`password`) values (1,'admin','123456'),(2,'user','123456');
-- ----------------------------
-- Table structure for ss_user 角色
-- ----------------------------
DROP TABLE IF EXISTS `ss_role`;
CREATE TABLE `ss_role` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT '主鍵',
`role_name` varchar(10) DEFAULT NULL COMMENT '角色名稱',
`role_description` varchar(20) DEFAULT NULL COMMENT '角色描述',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
insert into `ss_role`(`id`,`role_name`,`role_description`) values (1,'ROLE_USER','普通用戶'),(2,'ROLE_ADMIN','管理員');
-- ----------------------------
-- Table structure for ss_user_role 用戶角色關(guān)系
-- ----------------------------
DROP TABLE IF EXISTS `ss_user_role`;
CREATE TABLE `ss_user_role` (
`user_id` int(11) DEFAULT NULL COMMENT '用戶ID',
`role_id` int(11) DEFAULT NULL COMMENT '角色I(xiàn)D'
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
insert into `ss_user_role`(`user_id`,`role_id`) values (1,1),(1,2),(2,1);
創(chuàng)建實(shí)體類
- User.java
package com.gala.security.entity;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.Table;
import javax.persistence.Transient;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
/**
* UserDetails是SpringSecurity驗(yàn)證框架內(nèi)部提供的用戶驗(yàn)證接口
*/
@Entity
@Table(name = "ss_user")
public class User implements Serializable, UserDetails {
private static final long serialVersionUID = -5445460877560833224L;
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
private String username;
private String password;
@Transient
Collection<GrantedAuthority> authorities;
@ManyToMany(fetch = FetchType.EAGER)
@JoinTable(name = "ss_user_role", joinColumns = { @JoinColumn(name = "user_id") }, inverseJoinColumns = { @JoinColumn(name = "role_id") })
private List<Role> roles;
public Long getId() {
return id;
}
public void setId(Long id) {
this.id = id;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public void setAuthorities(Collection<GrantedAuthority> authorities) {
this.authorities = authorities;
}
public List<Role> getRoles() {
return roles;
}
public void setRoles(List<Role> roles) {
this.roles = roles;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
/**
* 將我們定義的角色列表添加到授權(quán)的列表內(nèi)
*/
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
List<Role> roles = getRoles();
for (Role role : roles) {
System.out.println("獲取用戶角色-->" + role.getRoleName());
auths.add(new SimpleGrantedAuthority(role.getRoleName()));
}
return auths;
}
}
- Role.java
package com.gala.security.entity;
import java.io.Serializable;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
@Entity
@Table(name = "ss_role")
public class Role implements Serializable {
private static final long serialVersionUID = -2550502360099906919L;
private Long id;
private String roleName;
private String roleDescription;
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
public Long getId() {
return id;
}
public void setId(Long id) {
this.id = id;
}
public String getRoleName() {
return roleName;
}
public void setRoleName(String roleName) {
this.roleName = roleName;
}
public String getRoleDescription() {
return roleDescription;
}
public void setRoleDescription(String roleDescription) {
this.roleDescription = roleDescription;
}
}
創(chuàng)建接口
package com.gala.security.jpa;
import org.springframework.data.jpa.repository.JpaRepository;
import com.gala.security.entity.User;
public interface UserDao extends JpaRepository<User, Long> {
public User findByUsername(String username);
}
SpringSecurity用戶認(rèn)證
密碼加密
package com.gala.security;
import org.springframework.security.crypto.password.PasswordEncoder;
public class MyPasswordEncoder implements PasswordEncoder {
@Override
public String encode(CharSequence rawPassword) {
return rawPassword.toString();
}
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword) {
return encodedPassword.equals(rawPassword.toString());
}
}
認(rèn)證配置
package com.gala.security.service;
import java.util.Collection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import com.gala.security.entity.User;
import com.gala.security.jpa.UserDao;
@Service
public class CustomUserDetailsService implements UserDetailsService {
@Autowired
private UserDao userDao;
/**
* 自定義用戶登錄
*/
@SuppressWarnings("unchecked")
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userDao.findByUsername(username);
if (user == null) {
System.out.println("獲取用戶信息" + username + "失敗");
throw new UsernameNotFoundException("用戶名:" + username + "不存在");
}
Collection<GrantedAuthority> authorities = (Collection<GrantedAuthority>) user.getAuthorities();
user.setAuthorities(authorities);
System.out.println("獲取用戶" + username + "信息成功土匀!");
return user;
}
}
配置SpringBoot內(nèi)的MVC控制器跳轉(zhuǎn)
package com.gala.security.conf;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
/**
* 配置SpringBoot內(nèi)的MVC控制器跳轉(zhuǎn)
*/
@Configuration
public class MVCConfig implements WebMvcConfigurer {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
}
}
新增控制器
package com.gala.security.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class LoginController {
@RequestMapping("/index")
public String index() {
return "index";
}
}
新增JSP
- 登錄頁(yè)面
<%@ page contentType="text/html;charset=UTF-8" language="java"%>
<html>
<head>
<title>登錄界面</title>
</head>
<body>
<form action="/login" method="post">
用戶名:<input type="text" name="username" /><br />
密碼:<input type="text" name="password" /><br />
<input type="submit" value="登錄" />
</form>
</body>
</html>
2.登錄成功頁(yè)面
<%@ page contentType="text/html;charset=UTF-8" language="java"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<html>
<head>
<title>首頁(yè)</title>
</head>
<body>
登錄成功!
<sec:authorize access="hasRole('ROLE_ADMIN')">
您擁有管理員權(quán)限子房。
</sec:authorize>
<br />
<sec:authorize access="hasRole('ROLE_USER')">
您擁有用戶權(quán)限。
</sec:authorize>
</body>
</html>
測(cè)試
啟動(dòng)項(xiàng)目就轧,訪問(wèn):http://127.0.0.1:8080/index
輸入用戶名密碼admin/123456
項(xiàng)目結(jié)構(gòu)
