Java - 框架 - SpringSecurity

    
    
        junit
        junit
        4.11
    

    
    
    
        org.springframework
        spring-webmvc
        5.2.18.RELEASE
    

    
    
    
        org.springframework.security
        spring-security-web
        5.1.5.RELEASE
    
    
    
        org.springframework.security
        spring-security-config
        5.1.5.RELEASE
    
    
        org.springframework.security
        spring-security-taglibs
        5.1.5.RELEASE
    

    
    
    
        javax.servlet
        javax.servlet-api
        4.0.1
        provided
    
    



    
        org.apache.tomcat.maven
        tomcat7-maven-plugin
        2.2
        
            8080
            /
            UTF-8
            tomcat7
        
    

注意点：如果项目启动成功，成功跳出登陆页面，登录之后报错

java.lang.NoSuchMethodError: javax.servlet.http.HttpServletRequest.changeSessionId()Ljava/lang/Strin

把springsecurity的依赖包降到5.2.0以下，可以解决问题

  Archetype Created Web Application

  
  
    contextConfigLocation
    classpath:applicationContext.xml
  

  
  
    org.springframework.web.context.ContextLoaderListener
  

  
  
    springsecurity
    org.springframework.web.servlet.DispatcherServlet
    
      contextConfigLocation
      classpath:spring-mvc.xml
    
    
    1
  
  
    springsecurity
    
    /
  
  
    default
    
    *.png
  

  
  
    CharacterEncodingFilter
    org.springframework.web.filter.CharacterEncodingFilter
    
      encoding
      UTF-8
    
    
      forceRequestEncoding
      true
    
    
      forceResponseEncoding
      true
    
  
  
    CharacterEncodingFilter
    
@Service
public class UserServiceImpl implements IUserService {

    @Autowired
    private IUserDao iUserDao;

    @Override
    public User queryByUserName(String name) {
        return null;
    }

    
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        //取得mybatis查询中的sql结果
        List list = iUserDao.queryByUserName(s);
        System.out.println("自定义的认证操作....");
        if(list != null && list.size() == 1){
            User user = list.get(0);
            if(user!=null){
                //权限集合，授予什么角色
                List authc =new ArrayList<>();
                authc.add(new SimpleGrantedAuthority("ROLE_USER"));
                UserDetails userDetails =new org.springframework.security.core.userdetails.User(
                        s,//用户名
                        "{noop}"+user.getPassword(),//密码，因为需要加密，所以在密码前面加上{noop}，代表不加密
                        user.getEnabled()==1,//账号是否可用，可以在数据库中通过摸个字段实现控制
                        true,//账户未过期
                        true,//凭证未过期
                        true,//账户未锁定
                        authc);
                return userDetails;
            }
        }
        //返回空代表账号不存在
        return null;
    }
}

springsecurity默认采用SHA-256 + 随机salt的方式加密密码，如下，每次输出的结果都是不一样的

public class EncoderTest {
    public static void main(String[] args) {
        //  SHA-256 + 随机salt
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        System.out.println(passwordEncoder.encode("123"));
        System.out.println(passwordEncoder.encode("123"));
        System.out.println(passwordEncoder.encode("123"));
    }
}

在认证的时候，在密码前面加上{noop}，可以避免加密

如何进行加密验证

1. 修改springsecurity配置文件

2. 自定义认证类

   去掉密码前面的{noop}

   import com.springsecurity.bean.User;
   import com.springsecurity.dao.IUserDao;
   import com.springsecurity.service.IUserService;
   import org.springframework.beans.factory.annotation.Autowired;
   import org.springframework.security.core.authority.SimpleGrantedAuthority;
   import org.springframework.security.core.userdetails.UserDetails;
   import org.springframework.security.core.userdetails.UsernameNotFoundException;
   import org.springframework.stereotype.Service;
   
   import java.util.ArrayList;
   import java.util.List;
   
   
   @Service
   public class UserServiceImpl implements IUserService {
   
       @Autowired
       private IUserDao iUserDao;
   
       @Override
       public User queryByUserName(String name) {
           return null;
       }
   
       
       @Override
       public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
           //取得mybatis查询中的sql结果
           List list = iUserDao.queryByUserName(s);
           System.out.println("自定义的认证操作....");
           if(list != null && list.size() == 1){
               User user = list.get(0);
               if(user!=null){
                   //权限集合，授予什么角色
                   List authc =new ArrayList<>();
                   authc.add(new SimpleGrantedAuthority("ROLE_USER"));
                   UserDetails userDetails =new org.springframework.security.core.userdetails.User(
                           s,//用户名
                           user.getPassword(),//密码
                           user.getEnabled()==1,//账号是否可用，可以在数据库中通过摸个字段实现控制
                           true,//账户未过期
                           true,//凭证未过期
                           true,//账户未锁定
                           authc);
                   return userDetails;
               }
           }
           //返回空代表账号不存在
           return null;
       }
   }
   

SpringSecurity具有三种授权方式，分别是

1. jsr250
2. Spring表达式
3. SpringSecurity提供的注解

需要使用的话，需要在springsecurity配置文件中加上如下配置

1. 新增依赖

   
       org.aspectj
       aspectjweaver
       1.8.13
   
   
   

2. 在mvc配置文件中放开对AOP注解的支持

3. Controller类

   import org.springframework.stereotype.Controller;
   import org.springframework.web.bind.annotation.RequestMapping;
   
   import javax.annotation.security.RolesAllowed;
   
   @Controller
   public class OrderController {
   
       @RolesAllowed({"ROLE_USER"})
       @RequestMapping("/roder/query")
       public String query(){
           return "/order.jsp";
       }
   
       @RolesAllowed({"ROLE_CREATE"})
       @RequestMapping("/roder/create")
       public String create(){
           return "/order.jsp";
       }
   }
   

自定义controller类

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;


@Controller
public class RoleController {

    @PreAuthorize(value = "hasAnyRole('ROLE_USER')")
    @RequestMapping("/role/query")
    public String query(){
        return "/role.jsp";
    }
    @PreAuthorize(value = "hasAnyRole('ROLE_CREATE')")
    @RequestMapping("/role/create")
    public String create(){
        return "/role.jsp";
    }
}

import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;


@RestController
public class UserController {
    @Secured(value = {"ROLE_USER"})
    @RequestMapping("/user/query")
    public String query(){
        return "hello query ";
    }

    @Secured(value = {"ROLE_CREATE"})
    @RequestMapping("/user/create")
    public String create(){
        return "hello create";
    }
}

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>


    


    角色管理
    当前登录的账号:
    
        系统管理

    
    
        用户管理

    
    
        订单管理