一.Spring Security簡介
Spring Security是一個能夠爲基於Spring的企業應用系統提供聲明式的安全訪問控制解決方案的安全框架。它提供了一組可以在Spring應用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反轉Inversion of Control ,DI:Dependency Injection 依賴注入)和AOP(面向切面編程)功能,爲應用系統提供聲明式的安全訪問控制功能,減少了爲企業系統安全控制編寫大量重複代碼的工作。
二.Spring Security的使用步驟(固定用戶名和密碼)
1.在maven中引入spring security座標
<!-- 引入springSecrity依賴 -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.1.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.1.0.RELEASE</version>
</dependency>
2.在web.xml中配置spring security攔截器
注意事項 : 過濾器的名稱是固定的,不可改變,否則spring找不到
<!-- 配置spring Security -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/spring-security.xml</param-value>
</context-param>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3.在spring配置中配置
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- 配置放行路徑 -->
<http pattern="/*.html" security="none"></http><!-- login.html在根目錄下 -->
<http pattern="/css/**" security="none"></http>
<http pattern="/img/**" security="none"></http>
<http pattern="/js/**" security="none"></http>
<http pattern="/plugins/**" security="none"></http>
<!-- 配置頁面攔截規則 -->
<http use-expressions="false">
<!--
/**: 攔截所有?
access : 配置角色 必須要以ROLE_開頭
-->
<intercept-url pattern="/**" access="ROLE_ADMIN"/>
<!--
開啓表單登陸功能(默認 username password) 表單action:/login
login-page:登陸頁面
default-target-url:登陸成功頁面
authentication-failure-url:登陸失敗跳轉頁面
always-use-default-target:總是跳轉到默認的成功頁面
-->
<form-login login-page="/login.html" default-target-url="/admin/index.html" authentication-failure-url="/login.html" always-use-default-target="true"/>
<!-- 關閉跨站請求僞造檢測 -->
<csrf disabled="true"/>
<!-- 關閉對框架頁的攔截 -->
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
</http>
<!-- 配置安全管理器 -->
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
<user name="root" password="root" authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
三.Spring Security的使用步驟(從數據庫中查詢用戶名和密碼)
1.和上述不同點
步驟一:創建UserDetailsServiceImpl實現org.springframework.security.core.userdetails.UserDetailsService接口
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import com.pinyougou.pojo.TbSeller;
import com.pinyougou.sellergoods.service.SellerService;
/**
* 商家認證類
*
* @author Administrator
*
*/
public class UserDetailsServiceImpl implements UserDetailsService {
private SellerService sellerService;
public void setSellerService(SellerService sellerService) {
this.sellerService = sellerService;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// 根據用戶名查詢用戶
TbSeller tbSeller = sellerService.findOne(username);
// 查詢到,判斷狀態是否審覈通過
if (tbSeller != null) {
// 審覈通過,返會結果(0:正在審覈,1:已審覈,2:審覈未通過,3:關閉)
if ("1".equals(tbSeller.getStatus())) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.add(new SimpleGrantedAuthority("ROLE_SELLER"));
return new User(username, tbSeller.getPassword(), authorities);
} else {
// 審覈未通過
return null;
}
} else {
// 沒有查詢到,返回null
return null;
}
}
}
步驟二:配置spring security的配置文件
遇到問題:因爲在UserDetailsServiceImpl類中注入了SellerService,但是SellerService是使用dubbo遠程調用的
解決: 需要注入SellerService的話需要配置
<!-- 引用dubbo 服務 -->
<dubbo:application name="pinyougou-shop-web" />
<dubbo:registry address="zookeeper://192.168.25.128:2181"/>
<dubbo:reference id="sellerService" interface="com.pinyougou.sellergoods.service.SellerService"/>
Spring Security配置文件 :
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- 配置放行路徑 -->
<http pattern="/*.html" security="none"></http><!-- login.html在根目錄下 -->
<http pattern="/css/**" security="none"></http>
<http pattern="/img/**" security="none"></http>
<http pattern="/js/**" security="none"></http>
<http pattern="/plugins/**" security="none"></http>
<!-- 放行商家入駐 -->
<http pattern="/seller/add.do" security="none"></http>
<!-- 配置頁面攔截規則 -->
<http use-expressions="false">
<intercept-url pattern="/**" access="ROLE_SELLER"/>
<form-login login-page="/shoplogin.html" default-target-url="/admin/index.html" authentication-failure-url="/shoplogin.html" always-use-default-target="true"/>
<!-- 關閉跨站請求僞造檢測 -->
<csrf disabled="true"/>
<!-- 關閉對框架頁的攔截 -->
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
<!-- 開啓用戶退出 默認訪問地址: /logout -->
<logout/>
</http>
<!-- 配置安全管理器 -->
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
</authentication-provider>
</authentication-manager>
<!-- 配置認證類 -->
<beans:bean id="userDetailsService" class="com.pinyougou.shop.service.UserDetailsServiceImpl">
<beans:property name="sellerService" ref="sellerService"/>
</beans:bean>
<!-- 引用dubbo 服務 -->
<dubbo:application name="pinyougou-shop-web" />
<dubbo:registry address="zookeeper://192.168.25.128:2181"/>
<dubbo:reference id="sellerService" interface="com.pinyougou.sellergoods.service.SellerService"/>
</beans:beans>
其他配置大同小異,參考Spring Security的第一種使用方式