一:mapper包下建立UserMapper接口並建立對應的sql映射文件UserMapper.xml
package com.xhc.mapper;
import com.xhc.domain.Permission;
import com.xhc.domain.User;
import java.util.List;
public interface UserMapper {

    /**
     * Looks up the user row whose username matches the argument.
     *
     * @param username login name to search for
     * @return the matching user; callers must handle {@code null}, which MyBatis returns for a
     *     single-object select that matches no row
     */
    User findByUsername(String username);

    /**
     * Lists the permissions granted to a user through the user's roles
     * (user -> user_role -> role_permission -> permission in the mapped SQL).
     *
     * @param username login name whose permissions are wanted
     * @return the permissions reachable from that user
     */
    List<Permission> findPermissionByUsername(String username);
}
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.xhc.mapper.UserMapper">
<!-- Look up a user by username.
     #{value} is passed to the database as a bound statement parameter, so the username is
     never spliced into the SQL text; keep it as #{...} and do not switch to ${...}, which
     substitutes the raw string.
     NOTE(review): resultType="user" is presumably a type alias for com.xhc.domain.User
     registered in the MyBatis configuration; confirm. -->
<select id="findByUsername" parameterType="string" resultType="user">
select * from sys_user where username = #{value}
</select>
<!-- List the permissions of a user.
     Joins sys_user to sys_permission through sys_user_role and sys_role_permission, so a
     permission is returned only when one of the user's roles is linked to it.
     The username is again a bound parameter (#{value}).
     NOTE(review): resultType="permission" is presumably an alias for
     com.xhc.domain.Permission; confirm. -->
<select id="findPermissionByUsername" parameterType="string" resultType="permission">
select permission.*
from
sys_user user
inner join sys_user_role user_role on user.id = user_role.user_id
inner join sys_role_permission role_permission on user_role.role_id = role_permission.role_id
inner join sys_permission permission on role_permission.perm_id = permission.id
where user.username = #{value};
</select>
</mapper>
二:建立MyUserDetailService,從數據庫中動態讀取權限信息
新建一個包com.xhc.security,在該包下創建類MyUserDetailService,實現UserDetailsService接口。
package com.xhc.security;
import com.xhc.domain.Permission;
import com.xhc.domain.User;
import com.xhc.mapper.UserMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import java.util.ArrayList;
import java.util.List;
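/**
 * Custom {@link UserDetailsService} that reads the user and the user's permissions from the
 * database through {@link UserMapper}.
 */
public class MyUserDetailService implements UserDetailsService {

    @Autowired
    private UserMapper userMapper;

    /**
     * Loads the user for {@code username} and attaches one authority per permission tag.
     *
     * @param username login name submitted for authentication
     * @return the user with its authorities populated; never {@code null}
     * @throws UsernameNotFoundException if no user with that name exists
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userMapper.findByUsername(username);
        if (user == null) {
            // The UserDetailsService contract forbids returning null for an unknown user:
            // the authentication provider treats a null result as an internal service error
            // rather than as a failed login. The message is generic so the submitted name
            // is not echoed into logs or responses.
            throw new UsernameNotFoundException("No user found for the supplied username");
        }

        // Turn each permission tag of the user into a granted authority.
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        List<Permission> permissions = userMapper.findPermissionByUsername(username);
        if (permissions != null) {
            for (Permission permission : permissions) {
                String tag = permission.getPermTag();
                // SimpleGrantedAuthority rejects null or blank text; a row with an empty tag
                // is skipped so it grants nothing instead of aborting the login.
                if (tag == null || tag.trim().isEmpty()) {
                    continue;
                }
                authorities.add(new SimpleGrantedAuthority(tag));
            }
        }
        user.setAuthorities(authorities);
        return user;
    }
}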
修改spring-security.xml文件
<!-- Each rule requires the named role for one URL of the goods module. The role string in
     hasRole(...) is compared with the authority strings built from permission.getPermTag()
     in MyUserDetailService, so the stored tags presumably have to read ROLE_ADD_GOODS,
     ROLE_LIST_GOODS, etc. exactly; confirm against sys_permission.
     NOTE(review): only these four exact paths are listed here; check that the rest of
     spring-security.xml has a rule covering every other /goods/ URL. -->
<security:intercept-url pattern="/goods/add" access="hasRole('ROLE_ADD_GOODS')"/> <security:intercept-url pattern="/goods/list" access="hasRole('ROLE_LIST_GOODS')"/> <security:intercept-url pattern="/goods/delete" access="hasRole('ROLE_DELETE_GOODS')"/> <security:intercept-url pattern="/goods/update" access="hasRole('ROLE_UPDATE_GOODS')"/>
啓動項目,分別使用兩個賬戶進行登錄,會發現有權限的才能訪問,沒有權限的無法訪問。