security权限控制

Posted birdofparadise

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了security权限控制相关的知识,希望对你有一定的参考价值。

目录

前言

spring自带角色权限控制框架

用户-角色

数据库和dimain

  • 数据库
-- 用户表
CREATE TABLE sys_user(
id int auto_increment PRIMARY KEY ,
username VARCHAR(50),
email VARCHAR(50) ,
PASSWORD VARCHAR(80),
phoneNum VARCHAR(20),
STATUS int(1)
);

-- 角色表
CREATE TABLE sys_role(
    id int auto_increment PRIMARY KEY,
    roleName VARCHAR(50) ,
    roleDesc VARCHAR(50)
)
-- 用户和角色中间表
CREATE TABLE sys_user_role(
    userId int,
    roleId int,
    PRIMARY KEY(userId,roleId),
    FOREIGN KEY (userId) REFERENCES sys_USER(id),
    FOREIGN KEY (roleId) REFERENCES sys_role(id)
)
  • domain
public class SysUser {
    private Long id;
    private String username;
    private String email;
    private String password;
    private String phoneNum;
    private int status;
    private List<Role> roles;
}
public class Role {
    private Long id;
    private String roleName;
    private String roleDesc;
}

静态页面

403.jsp
login.jsp
error.jsp

配置文件

springSecurity.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans          
    http://www.springframework.org/schema/beans/spring-beans.xsd          
    http://www.springframework.org/schema/security          
    http://www.springframework.org/schema/security/spring-security.xsd">

    <!--放行未登录访问的页面-->
    <security:http pattern="/login.jsp" security="none"></security:http>
    <security:http pattern="/error.jsp" security="none"></security:http>
    <security:http pattern="/css/**" security="none"></security:http>
    <security:http pattern="/img/**" security="none"></security:http>
    <security:http pattern="/pages/**" security="none"></security:http>
    <security:http pattern="/plugins/**" security="none"></security:http>
    <!--配置拦截器的路径规则
    auto-config="true" 表示使用权限框架默认的配置
    use-expressions="false" 关闭权限框架的表达式 spel
    intercept-url  拦截请求资源的路径
    access="ROLE_USER" 允许访问的条件  当前用户必须拥有ROLE_USER的角色才可以访问
    -->
    <security:http auto-config="true" use-expressions="true">
        <!--权限框架支持多种角色的登录 角色之间的关系为or 或者的关系-->
        <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"></security:intercept-url>
        <!--自定义页面的配置节点-->
        <security:form-login login-page="/login.jsp"
                                login-processing-url="/login"
                                default-target-url="/index.jsp"
                                authentication-failure-url="/error.jsp"></security:form-login>

        <!--登录成功权限不足的处理-->
        <security:access-denied-handler error-page="/403.jsp"></security:access-denied-handler>
        <!--csrf关闭跨域请求的攻击-->
        <security:csrf disabled="true"></security:csrf>
        <!--
        logout 退出请求的url路径 实际是页面点击按钮请求的地址
        logout-success-url 成功注销后 跳转的页面
        invalidate-session 设置session失效
        -->
        <security:logout logout-url="/logOut" logout-success-url="/login.jsp" invalidate-session="true"></security:logout>

    </security:http>

    <!--配置拦截后验证的节点-->
    <security:authentication-manager>
        <security:authentication-provider user-service-ref="userService">
            <!--自定义的加密工具类-->
            <security:password-encoder ref="pwdEncoder"></security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>
    
    <!--配置自定义的加密工具类,这里使用自带的-->
    <bean id="pwdEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"></bean>
    
    <!--开启注解支持-->
    <security:global-method-security secured-annotations="enabled"/>

</beans>

web.xml引入

  • 引入filter
<!--配置框架使用的filter过滤器-->
<filter>
    <!--过滤器执行链名臣固定springSecurityFilterChain-->
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
  • 引入配置文件
<!--spring的listener-->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:applicationContext.xml,classpath:springSecurity.xml</param-value>
</context-param>

service校验方法

  • 在service中继承spring接口
public interface SysUserService extends UserDetailsService {
    @Override
    UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}
  • 实现接口
@Service("userService")
public class SysUserServiceImpl implements SysUserService {

    @Autowired
    private SysUserDao userDao;

    @Autowired
    BCryptPasswordEncoder pwdEncoder;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        //得到数据库的用户
        SysUser sysUser =  userDao.findUserByName(username);
        //框架的User对象用于验证返回 用户名 密码 用户的权限集合
        //查询得到用户真正的角色集合返回
        List<Role> roles =sysUser.getRoles();
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        ///如果当前用户确实拥有角色 循环添加到集合中
        if(roles!=null&&roles.size()>0){
            for (Role role : roles) {
                authorities.add(new SimpleGrantedAuthority(role.getRoleName()));
            }
        }

        User user = new User(sysUser.getUsername(),sysUser.getPassword(),authorities);
        return user;

    }
}

用户名的获取

  • 前台获取
# 方式一
${ sessionScope.SPRING_SECURITY_CONTEXT.authentication.principal.username }

# 方式二
<security:authentication property="principal.username"/>
  • 后台获取
// 先获取到SecurityContext对象
SecurityContext context = SecurityContextHolder.getContext();
// 获取到认证的对象
Authentication authentication = context.getAuthentication();
// 获取到登录的用户信息
User user = (User) authentication.getPrincipal();
System.out.println(user.getUsername());

不同角色访问控制权限

jsp页面

<security:authorize access="hasAnyRole('ROLE_USER','ROLE_ADMIN')">
  <li id="system-setting">
  <a href="${pageContext.request.contextPath}/product/findByPageHelper">
  <i class="fa fa-circle-o"></i> 产品管理
  </a>
  </li>
</security:authorize>

后台

  • springmcv.xml
<!--手打才能自动引入-->
<security:global-method-security secured-annotations="enabled"></security:global-method-security>
  • controller
@Secured("ROLE_ADMIN")
public class RoleController

以上是关于security权限控制的主要内容,如果未能解决你的问题,请参考以下文章

spring security 3.1 实现权限控制

security权限控制

Spring Security控制权限

Spring Security(17)——基于方法的权限控制

Spring Security(17)——基于方法的权限控制

Spring Security----RBAC权限控制模型,和权限相关知识点整理