一、spring-security加密
-
引入security依賴
<properties>
    <!-- Security framework version.
         NOTE(review): 5.0.2.RELEASE is an old release line that no longer receives fixes;
         confirm a currently supported Spring Security version before adopting this setup. -->
    <spring.security.version>5.0.2.RELEASE</spring.security.version>
</properties>
<!-- Security framework: web filter chain, XML/Java config, core model, and JSP tag library. -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring.security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${spring.security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${spring.security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>${spring.security.version}</version>
</dependency>
-
引入 spring-security.xml 配置文件
注:<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
這裏 ROLE_ 的後綴 USER 和 ADMIN 要和數據庫中的角色名稱大小寫保持一致。
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
                           http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Login page and static resources are not intercepted.
         security="none" removes these paths from the security filter chain entirely: no
         authentication, no security context and no CSRF check apply to them, so keep this
         list to genuinely public content. -->
    <security:http pattern="/login.jsp" security="none"></security:http>
    <security:http pattern="/css/**" security="none"></security:http>
    <security:http pattern="/img/**" security="none"></security:http>
    <security:http pattern="/plugins/**" security="none"></security:http>

    <!-- Interception rules.
         auto-config="true": use the framework's built-in pages and filters.
         use-expressions="true": access attributes are SpEL expressions, e.g. hasRole('ROLE_USER'). -->
    <security:http auto-config="true" use-expressions="true">
        <!-- Every request path requires ROLE_USER or ROLE_ADMIN.
             The USER / ADMIN suffixes after ROLE_ must match the role names stored in the
             database exactly, including case, because loadUserByUsername builds each
             authority as "ROLE_" + roleName. -->
        <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
        <!-- Pages used by the security framework:
             login-page: the login form
             login-processing-url: the path the login form must submit to
             default-target-url: page entered after a successful login
             authentication-failure-url: page entered after a failed login -->
        <security:form-login login-page="/login.jsp" login-processing-url="/login"
                             default-target-url="/index.jsp" authentication-failure-url="/login.jsp"/>
        <!-- Disables cross-site request forgery protection.
             NOTE(review): with cookie-based form login this leaves every state-changing request
             (including /logout, which then also accepts GET) without a CSRF check. Prefer leaving
             protection on (the default) and emitting the token in each form, e.g. with the
             csrfInput tag from spring-security-taglibs. -->
        <security:csrf disabled="true"/>
        <!-- Logout: invalidate the session and return to the login page. -->
        <security:logout invalidate-session="true" logout-url="/logout" logout-success-url="/login.jsp"/>
        <!-- If access is denied, go to the error page. -->
        <security:access-denied-handler error-page="/failer.jsp"/>
    </security:http>

    <!-- Authentication configuration: the authentication manager. -->
    <security:authentication-manager>
        <!-- Authentication provider: the user service (loadUserByUsername) supplies the account
             and its stored password hash. -->
        <security:authentication-provider user-service-ref="sysUserServiceImpl">
            <!-- Submitted passwords are compared against the stored hash with the encoder below. -->
            <security:password-encoder ref="passwordEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <!-- Password encoder bean: BCrypt (salted, adaptive cost). The same bean must be used when
         storing passwords (see the service's add method) so that login comparisons match. -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</beans>
-
服務層定義一個登錄驗證方法
–調用dao層的根據賬戶名查詢用戶對象的方法
–用戶對象不爲空,獲取角色表的角色信息,使用角色權限驗證
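// Login uses the encoded password stored for the user; the comparison with the submitted
// password is done by the passwordEncoder bean wired into the authentication provider.
/**
 * Login verification: loads the account Spring Security authenticates against.
 *
 * <p>Looks the user up by name through the DAO, maps every role in the user's role list to
 * a {@code ROLE_}-prefixed authority (the suffix must match the role names used in the
 * {@code intercept-url} rules, case included), and returns the stored, already-encoded
 * password so the configured password encoder can compare it with the submitted one.
 *
 * @param userName the login name submitted by the user
 * @return the user's details and granted authorities
 * @throws UsernameNotFoundException if no account with that name exists; the
 *         {@code UserDetailsService} contract requires this instead of returning
 *         {@code null}, which the authentication provider rejects as an internal error
 */
@Override
public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
    SysUser sysUser = sysUserDao.findByName(userName);
    if (sysUser == null) {
        // Generic message: do not confirm to the caller which account names exist.
        throw new UsernameNotFoundException("User not found");
    }
    Collection<GrantedAuthority> authorities = new ArrayList<>();
    for (Role role : sysUser.getRoleList()) {
        // Role names come from the database; the XML rules match them case-sensitively.
        authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getRoleName()));
    }
    return new User(sysUser.getUsername(), sysUser.getPassword(), authorities);
}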
-
添加用戶時,對密碼使用加密
--MD5加密:登錄輸入密碼後,在後臺先把取得的用戶密碼轉換成MD5碼,然後和數據庫中的MD5碼比較。 --security加密:登錄時直接使用上面寫的登錄驗證方法進行加密登錄
/**
 * Saves a new user, storing the password in encoded form.
 *
 * <p>The plain-text password is never written to the database: it is passed through the
 * configured {@code passwordEncoder} (the {@code BCryptPasswordEncoder} bean) and the
 * encoded value replaces it on the entity before the DAO insert. An earlier variant hashed
 * with {@code MD5Utils.md5(...)} instead; BCrypt is preferred because it is salted and
 * deliberately slow, whereas an unsalted MD5 digest is not a password-storage hash.
 *
 * @param sysUser the user to persist; its password field is replaced in place
 */
@Override
public void add(SysUser sysUser) {
    // Encode with the same bean the authentication provider uses at login,
    // otherwise the stored value and the login comparison would not match.
    String encoded = passwordEncoder.encode(sysUser.getPassword());
    sysUser.setPassword(encoded);
    sysUserDao.add(sysUser);
}
-
MD5工具類
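/**
 * MD5 digest helper.
 *
 * <p>MD5 is a fast, unsalted digest, so it is not suitable for storing user passwords;
 * password storage should go through a dedicated password hash such as the
 * {@code BCryptPasswordEncoder} configured as the {@code passwordEncoder} bean. Keep this
 * class for non-password checksums only.
 */
public class MD5Utils {

    /**
     * Computes the lower-case hexadecimal MD5 digest of {@code plainText}.
     *
     * @param plainText text to digest; it is encoded as UTF-8 before hashing (the previous
     *                  version used the platform default charset, which made the result
     *                  differ between machines for non-ASCII input)
     * @return the 32-character, zero-padded, lower-case hex digest
     * @throws IllegalStateException if the JVM provides no MD5 implementation
     */
    public static String md5(String plainText) {
        byte[] secretBytes;
        try {
            secretBytes = MessageDigest.getInstance("md5")
                    .digest(plainText.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            // Preserve the cause so a missing provider is diagnosable from the stack trace.
            throw new IllegalStateException("沒有md5這個算法!", e);
        }
        // %032x zero-pads to 32 hex digits, replacing the manual "0"-prepending loop.
        return String.format("%032x", new BigInteger(1, secretBytes));
    }

    public static void main(String[] args) {
        System.out.println(md5("123"));
    }
}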