spring-security密码加密(推荐)和MD5密码加密

一、spring-security加密

  1. 引入security依赖

      <properties>
       	<!-- Spring Security version shared by every module declared below.
             NOTE(review): 5.0.2.RELEASE is an old release; confirm it is still maintained
             and prefer a currently supported version before using this in a real project. -->
        <spring.security.version>5.0.2.RELEASE</spring.security.version>
      </properties>
    
    <!-- Spring Security modules; each one takes its version from the property above, so they stay in step -->
        <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-web</artifactId>
          <version>${spring.security.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-config</artifactId>
          <version>${spring.security.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-core</artifactId>
          <version>${spring.security.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-taglibs</artifactId>
          <version>${spring.security.version}</version>
        </dependency>
    
  2. 引入spring-security.xml配置文件
    注: <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/> 中 ROLE_ 后面的部分(USER、ADMIN)要和数据库中角色名的大小写保持一致

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
           xmlns:aop="http://www.springframework.org/schema/aop"
           xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans        http://www.springframework.org/schema/beans/spring-beans.xsd        http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context.xsd        http://www.springframework.org/schema/tx
           http://www.springframework.org/schema/tx/spring-tx.xsd        http://www.springframework.org/schema/aop
           http://www.springframework.org/schema/aop/spring-aop.xsd        http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">
    
        <!--
            The login page and the static resource paths are excluded from interception.
            security="none" takes these paths out of the Spring Security filter chain entirely,
            so nothing the framework does (authentication, security response headers) applies to them;
            list only content that is safe to serve to anonymous users.
        -->
        <security:http pattern="/login.jsp" security="none"></security:http>
        <security:http pattern="/css/**" security="none"></security:http>
        <security:http pattern="/img/**" security="none"></security:http>
        <security:http pattern="/plugins/**" security="none"></security:http>
        <!--
            Interception rules.
            auto-config: use the framework's built-in defaults (such as its own login page).
            use-expressions: whether access attributes are SpEL expressions, e.g. hasRole('ROLE_USER').
        -->
        <security:http auto-config="true" use-expressions="true">
            <!-- Every remaining URL requires an authenticated user holding ROLE_USER or ROLE_ADMIN (hasAnyRole: either one is enough) -->
            <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
            <!--
            	Pages used by the form login.
            	login-page: the login page.
            	login-processing-url: the URL the login form must submit to.
            	default-target-url: the page shown after a successful login.
            	authentication-failure-url: the page shown when authentication fails.
            -->
            <security:form-login login-page="/login.jsp" 
                                 login-processing-url="/login" default-target-url="/index.jsp"
                                 authentication-failure-url="/login.jsp"/>
    
            <!--
                Disables CSRF (cross-site request forgery) protection.
                NOTE(review): with protection off, requests sent with a logged-in user's session are not
                checked for a CSRF token. Outside a demo, keep protection enabled and add the token to
                each form, including the one on login.jsp.
            -->
            <security:csrf disabled="true"/>
            <!-- Logout: invalidate the session, then return to the login page -->
            <security:logout invalidate-session="true" logout-url="/logout" logout-success-url="/login.jsp"/>
            <!-- When access is denied, show the error page -->
            <security:access-denied-handler error-page="/failer.jsp"/>
        </security:http>
    
    
        <!-- Authentication manager -->
        <security:authentication-manager>
            <!-- Authentication provider: the referenced user service supplies the account, its stored password hash and its roles -->
            <security:authentication-provider user-service-ref="sysUserServiceImpl">
               	<!-- The submitted password is checked against the stored hash with this encoder -->
                <security:password-encoder ref="passwordEncoder"/>
            </security:authentication-provider>
        </security:authentication-manager>
    
        <!-- Password encoder bean: BCrypt, a salted and deliberately slow password hash -->
        <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
    </beans>
    
  3. 服务层定义一个登录验证方法
    –调用dao层的根据 账户名查询 用户对象的方法
    –用户对象不为空,获取角色表的角色信息,使用角色权限验证
    –登录时使用加密登录

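    /**
         * Loads the account used for login verification.
         *
         * <p>Looks the user up by name through the DAO, turns each of the user's roles into a
         * {@code ROLE_}-prefixed authority, and hands the stored password to Spring Security.
         * The comparison with the submitted password is not done here; it is left to the
         * password encoder configured on the authentication provider.
         *
         * @param userName the login name submitted by the client
         * @return the user details (name, stored password, authorities); never {@code null}
         * @throws UsernameNotFoundException if no account exists for {@code userName}
         */
        @Override
        public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
            SysUser sysUser = sysUserDao.findByName(userName);
            if (sysUser == null) {
                // The UserDetailsService contract forbids returning null: an unknown account must be
                // signalled with UsernameNotFoundException so the provider can treat it as a normal
                // failed login instead of an internal error. The message deliberately omits the
                // submitted name so it does not end up in logs or responses.
                throw new UsernameNotFoundException("User not found");
            }

            // One authority per role; the ROLE_ prefix is what hasAnyRole('ROLE_USER','ROLE_ADMIN') matches,
            // so the role names in the database must use the same case as the access expression.
            Collection<GrantedAuthority> authorities = new ArrayList<>();
            for (Role role : sysUser.getRoleList()) {
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getRoleName()));
            }

            // The password passed here is the value read from the database; it is expected to be
            // the encoded hash written when the user was added, never the plain text.
            return new User(sysUser.getUsername(), sysUser.getPassword(), authorities);
        }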
    
  4. 添加用户时,对密码使用加密

    --MD5加密:登录输入密码后,在后台验证:
    先把用户输入的密码转换成MD5码,然后和数据库中保存的MD5码比较。
    MD5不加盐且计算速度极快,数据库泄露后容易被彩虹表或暴力破解还原,因此不推荐用于保存密码。
    --security加密(推荐):添加用户时用BCryptPasswordEncoder生成带随机盐的哈希,登录时由上面配置的登录验证流程自动比对,无需手动比较。
    
    /**
         * Adds a user, replacing the submitted plain-text password with its encoded form
         * before the record is handed to the DAO.
         *
         * @param sysUser the user to store; its password is overwritten with the encoder's output
         */
        @Override
        public void add(SysUser sysUser) {
            // MD5 alternative shown by the tutorial (not recommended: unsalted and fast to brute-force):
            //   sysUser.setPassword(MD5Utils.md5(sysUser.getPassword()));

            // Only the encoder's output is persisted, so the plain text never reaches the database.
            sysUser.setPassword(passwordEncoder.encode(sysUser.getPassword()));

            sysUserDao.add(sysUser);
        }
    
  5. MD5工具类

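    /**
     * MD5 hex-digest helper.
     *
     * <p>MD5 is a fast, unsalted digest. It is not suitable for storing passwords: equal passwords
     * give equal digests and candidate passwords can be tested very quickly. Use a salted, adaptive
     * password hash such as {@code BCryptPasswordEncoder} for credentials and keep this helper for
     * checksums or compatibility with existing data.
     */
    public class MD5Utils {
        /**
         * Computes the MD5 digest of a string.
         *
         * <p>The text is encoded as UTF-8 before hashing, so the result does not depend on the
         * platform default charset.
         *
         * @param plainText the text to hash; must not be {@code null}
         * @return the digest as exactly 32 lower-case hexadecimal characters
         * @throws NullPointerException if {@code plainText} is {@code null}
         * @throws RuntimeException if the runtime provides no MD5 implementation
         */
        public static String md5(String plainText) {
            byte[] secretBytes;
            try {
                secretBytes = MessageDigest.getInstance("md5").digest(
                        plainText.getBytes(java.nio.charset.StandardCharsets.UTF_8));
            } catch (NoSuchAlgorithmException e) {
                // Keep the original exception as the cause so the failure can be diagnosed.
                throw new RuntimeException("没有md5这个算法!", e);
            }
            // BigInteger drops leading zeros. Padding to a fixed width of 32 in one step avoids the
            // earlier loop, whose bound shrank as the string grew and so left digests with two or
            // more leading zero digits shorter than 32 characters.
            return String.format("%032x", new BigInteger(1, secretBytes));
        }

        /** Prints the digest of a sample value. */
        public static void main(String[] args) {
            System.out.println(md5("123"));
        }
    }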
    