先来回顾下最开始我们不用框架时是怎么做认证授权的,
1.不用框架认证流程1.客户端发送请求,controller层将请求对象封装成认证对象User
2.controller层调用service层,传入参数User对象
3.service层传入User对象调用Dao层,执行认证逻辑,把Dao层返回的对象封装成一个UserContext(用户详情信息),并且存到session中.利用session.setAttribute(“一个常量”,userContext对象);
问题:不同用户的session会被覆盖吗?
答:这个取决于sessionId,服务器中会有多个session,通过sessoinId找到相对应的session。如果同一个浏览器发送请求,那么sessionId是相同的,那么session就会被覆盖。如果是不同浏览器就不会覆盖
当用户再次请求时,通过自定义拦截器(自己写个类实现HandlerInterceptor),拦截session中是否存在对象,如果没有就返回登录页面,如果有就拿出session对象,并且对比用户要访问的url与用户的权限,如果有权限就放行,如果没有权限就拦截
代码参考下面
@Component
public class SimpleAuthenticationInterceptor implements HandlerInterceptor {
//请求拦截方法
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object
handler) throws Exception {
//读取会话信息
Object object = request.getSession().getAttribute(UserDto.SESSION_USER_KEY);
if (object == null) {
writeContent(response, "请登录");
}
UserDto user = (UserDto) object;
//请求的url
String requestURI = request.getRequestURI();
if (user.getAuthorities().contains("p1")&&requestURI.contains("/r1")) {
return true;
}
if (user.getAuthorities().contains("p2")&&requestURI.contains("/r2")) {
return true;
}
writeContent(response, "权限不足,拒绝访问");
return false;
}
//响应输出
private void writeContent(HttpServletResponse response, String msg) throws IOException {
response.setContentType("text/html;charset=utf-8");
PrintWriter writer = response.getWriter();
writer.print(msg);
writer.close();
}
}
SpringSecurity简单入门案列
创建SpringBoot项目
1.pom文件导入依赖2.配置文件org.springframework.boot spring-boot-starter-parent 2.1.3.RELEASE UTF-8 1.8 1.8 org.springframework.boot spring-boot-starter-web org.springframework.boot spring-boot-starter-security
server:
port: 8080
servlet:
context-path: /security-springboot
spring:
application:
name: security-springboot
3.启动类(忽略)
4.创建SpringSecurity配置类,并交给Spring管理
// springsecurity的配置文件
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
// 配置用户信息服务(把用户信息查出来)
@Bean
@Override
protected UserDetailsService userDetailsService() {
// 基于内存查询
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("zhangsan").password("123").authorities("p1").build());
manager.createUser(User.withUsername("lisi").password("456").authorities("p2").build());
return manager;
}
// 配置密码比对器规则
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance(); // 不进行密码加密
}
//配置安全拦截机制
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/r/r1").hasAnyAuthority("p1") //想访问路径r/r1,必须拥有权限p1
.antMatchers("/r/r2").hasAnyAuthority("p2") // 想访问路径r/r2,必须拥有权限p2
.antMatchers("/r
@GetMapping(value = "/r/r1",produces = {"text/plain;charset=UTF-8"})
public String r1(){
return " 访问资源1";
}
@GetMapping(value = "/r/r2",produces = {"text/plain;charset=UTF-8"})
public String r2(){
return " 访问资源2";
}
}
