Spring Security + Hibernate authentication
【Posted】: 2014-02-26 04:48:02
【Question】:
I have a JSF 2.2, Primefaces 3.5, Spring, Spring Security 3.x, Hibernate 4, MySQL web application.
I have enabled Spring Security and it works as expected, but I used <user-service/> to create two users with different roles ("ROLE_USER", "ROLE_ADMIN"). Now I want to look up each user in the database instead of creating them manually in <user-service/>.
applicationContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/tx
           http://www.springframework.org/schema/tx/spring-tx.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- GLOBAL SETTINGS -->
    <context:component-scan base-package="com.infostroy.adminportal"/>
    <tx:annotation-driven transaction-manager="transactionManager" proxy-target-class="true"/>

    <!-- DATA SOURCE AND PERSISTENCE SETTINGS -->
    <bean id="propertiesPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="locations">
            <list>
                <value>classpath:db.properties</value>
            </list>
        </property>
    </bean>

    <bean id="sessionFactory" class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
        <property name="dataSource" ref="dmDataSource"/>
        <property name="packagesToScan" value="com.infostroy.adminportal"/>
        <property name="hibernateProperties">
            <props>
                <prop key="hibernate.dialect">${db.dialect}</prop>
                <prop key="hibernate.show_sql">${db.show_sql}</prop>
                <prop key="hibernate.hbm2ddl.auto">${db.hbm2ddl_auto}</prop>
                <prop key="connection.pool_size">${db.pool_size}</prop>
                <prop key="current_session_context_class">${db.current_session_context_class}</prop>
                <prop key="org.hibernate.FlushMode">${db.flush_mode}</prop>
            </props>
        </property>
    </bean>

    <bean id="transactionManager"
          class="org.springframework.orm.hibernate4.HibernateTransactionManager">
        <property name="dataSource" ref="dmDataSource" />
        <property name="sessionFactory" ref="sessionFactory" />
    </bean>

    <!-- Connection settings are resolved from db.properties -->
    <bean id="dmDataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
        <property name="driverClassName" value="${db.driver}" />
        <property name="url" value="${db.url}" />
        <property name="username" value="${db.username}" />
        <property name="password" value="${db.password}" />
        <property name="maxWait" value="5000" />
        <property name="initialSize" value="2" />
        <property name="maxActive" value="100"/>
        <property name="maxIdle" value="50"/>
        <property name="minIdle" value="0"/>
    </bean>
</beans>
spring-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xsi:schemaLocation="
                 http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http auto-config="false" use-expressions="true">
        <intercept-url pattern="/protected/*" access="isAuthenticated()"/>
        <form-login login-page="/login.xhtml" login-processing-url="/j_spring_security_check"
                    default-target-url="/protected/home.xhtml"
                    authentication-failure-url="/loginFailed.xhtml"/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="c" password="c" authorities="ROLE_ADMIN" />
                <user name="q" password="q" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
Here is the script that creates the users table:
CREATE TABLE users (
    user_id INT AUTO_INCREMENT,
    first_name VARCHAR(20),
    last_name VARCHAR(20),
    login VARCHAR(20) NOT NULL UNIQUE,
    password VARCHAR(32) NOT NULL,
    role VARCHAR(20) NOT NULL,
    PRIMARY KEY(user_id)
) ENGINE=InnoDB;
Does anyone know how to do this? Every answer is highly appreciated and will be responded to promptly!
Thanks.
【Answer 1】: Just change the authentication manager to:
<authentication-manager>
    <authentication-provider>
        <jdbc-user-service data-source-ref="dmDataSource"
            users-by-username-query="
                select login as username, password, 1 as enabled
                from users where login = ?"
            authorities-by-username-query="
                select login as username, role as authority
                from users where login = ?"
        />
    </authentication-provider>
</authentication-manager>
I assumed the login field is the username. I hard-coded the enabled flag; it is required. If you later add a deleteflag or enabled flag, you can replace it.
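Added example, not part of the original answer: with no <password-encoder/> element, the provider above compares the submitted password to the stored column value as plain text. The variant below stores and checks bcrypt hashes instead; it assumes Spring Security 3.1 or later (where BCryptPasswordEncoder ships in the crypto module), and the bean id "passwordEncoder" is a name chosen here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- spring-security.xml with hashed passwords (added example; the <http> element
     from the question stays unchanged and is omitted here) -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xsi:schemaLocation="
                 http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Assumed bean id; bcrypt generates a per-password salt and embeds it in the hash -->
    <beans:bean id="passwordEncoder"
                class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <authentication-manager>
        <authentication-provider>
            <!-- The login form value is checked against the stored bcrypt hash,
                 never compared to the raw column value -->
            <password-encoder ref="passwordEncoder"/>
            <jdbc-user-service data-source-ref="dmDataSource"
                users-by-username-query="
                    select login as username, password, 1 as enabled
                    from users where login = ?"
                authorities-by-username-query="
                    select login as username, role as authority
                    from users where login = ?"/>
        </authentication-provider>
    </authentication-manager>

    <!--
        Schema change this requires: a bcrypt hash is 60 characters long, so the
        VARCHAR(32) password column from the question would truncate it and every
        login would fail. Widen the column before storing hashes (MySQL):

            ALTER TABLE users MODIFY password VARCHAR(60) NOT NULL;

        Rows created earlier must have their password column rewritten with the
        output of BCryptPasswordEncoder.encode(rawPassword).
    -->
</beans:beans>
```

The same encoder bean has to be used by whatever code inserts or updates rows in users, so that the stored value and the login check agree on the format.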