1. 引入springMvc权限框架security
1-1 配置web.xml
1. 在监听器上引入权限局框架的配置文件security.xml
<!--监听器-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml,classpath:security.xml</param-value>
</context-param>
注意 :<param-value>标签可以配置多个配置文件,一般用逗号隔开
2. 配置过滤器
<!--filter权限框架过滤器执行链-->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
注意:filter权限框架执行链要放在解决乱码的CharacterEncodingFilter过滤器下面,否则会出现中文乱码
1-2 配置security框架的xml文件security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!--放行页面不被权限框架拦截验证-->
<security:http pattern="/login.jsp" security="none"></security:http>
<security:http pattern="/failer.jsp" security="none"></security:http>
<security:http pattern="/css/**" security="none"></security:http>
<security:http pattern="/img/**" security="none"></security:http>
<security:http pattern="/plugins/**" security="none"></security:http>
<security:http pattern="/pages/**" security="none"></security:http>
<!--配置拦截的规则
auto-config="true" 开启框架的默认配置支持
use-expressions="false" 关闭表达式的支持
intercept-url pattern="/**" 拦截所有的请求
access="ROLE_USER" 拥有ROLE_USER角色的用户可以访问资源
-->
<security:http auto-config="true" use-expressions="true">
<!--使用springmvc提供的记住登录功能,
user-service-ref映射到权限实现类userService
key 浏览器访问存的cookie名称,随便起个名字,不用管
login.jsp里面记住我复选框checkbox的name属性必须是“remember-me”,其他无效
-->
<security:remember-me user-service-ref="userService" key="rememberUser"></security:remember-me>
<!--给角色赋予权限-->
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ORDER','ROLE_ADMIN','ROLE_PRODUCT')"></security:intercept-url>
<!--配置权限框架自定义面登录节点
login-page 自定义登录页
login-processing-url 登录页面表单发起登录请求的url路径
default-target-url 登录成功跳转的页面
authentication-failure-url 验证失败跳转的页面
-->
<security:form-login login-page="/login.jsp"
login-processing-url="/login"
default-target-url="/index.jsp"
authentication-failure-url="/failer.jsp"></security:form-login>
<!--注销按钮的处理节点-->
<security:logout logout-url="/logout" logout-success-url="/login.jsp" invalidate-session="true"></security:logout>
<!--访问资源无权限拒绝的处理-->
<security:access-denied-handler error-page="/403.jsp"></security:access-denied-handler>
<!--csrf攻击拦截的关闭-->
<security:csrf disabled="true"></security:csrf>
</security:http>
<!--权限验证使用自定义的实现类,这里配置的是userService作为权限实现类-->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userService">
<!-- 提供加密方式 -->
<security:password-encoder ref="pwdEncoder"></security:password-encoder>
</security:authentication-provider>
</security:authentication-manager>
<security:global-method-security secured-annotations="enabled"></security:global-method-security>
<!--通过xml文件初始化加密的工具类交给容器管理-->
<bean id="pwdEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"></bean>
</beans>
2. 权限验证类UserService的编写
@Service("userService")
@Transactional
public class userServiceImpl implements UserService ,UserDetailsService {
@Autowired
private UserDao userDao;
@Autowired
BCryptPasswordEncoder pwdEncoder;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// 通过用户名得到数据库用户对象
SysUser sysUser = userDao.findUserByName(username);
// 创建用户的权限集合
List<GrantedAuthority> authorities = new ArrayList<>();
// 查询到用户的角色验证登录
List<Role> userRoles = sysUser.getRoles();
// 循环添加用户的角色信息
if (userRoles.size()>0 && userRoles != null) {
for (Role userRole : userRoles) {
// 初始化赋值给用户角色
authorities.add(new SimpleGrantedAuthority(userRole.getRoleName()));
}
}
// 使用数据库用户组装框架需要的user对象用于验证
User user = new User(sysUser.getUsername(), sysUser.getPassword(), authorities);
return user; // 返回值user带有用户名username,密码password和角色即权限authorties,返回的user是UserDetails 对象,由框架获取操纵
}
/**
添加一个用户,密码使用BCryptPasswordEncoder 加密,由于在security.xml配置了加密方式,所以登录框架帮你解密,不用管
login.jsp登录的form表单提交到在security.xml已经配置好了的"${pageContext.request.contextPath}/login"
*/
@Override
public void addUser(SysUser user) {
//将原始密码获取
String pwd = user.getPassword();
//将明文加密
user.setPassword( pwdEncoder.encode(pwd));
userDao.addUser(user);
}
3.权限的控制
3-1.页面权限的控制
1.引入标签库
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
2.表达式验证
<security:authorize access="hasRole('ROLE_ADMIN')">
// 要被权限框架控制的代码
</security:authorize>
例如:
<security:authorize access="hasAnyRole('ROLE_ADMIN')">
<!-- 只有拥有ROLE_ADMIN角色的用户才能显示-->
<li id="system-setting4">
<a href="${pageContext.request.contextPath}/pages/syslog-list.jsp"> <i class="fa fa-circle-o"></i> 访问日志
</a></li>
</security:authorize>
3.security.xml文件中开启表达式支持
// use-expressions="true" 就是开启表达式支持,完整的上面的security有
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ORDER','ROLE_ADMIN','ROLE_PRODUCT')"> </security:intercept-url>
3-2 .后台代码权限控制
在页面配置的权限管理后虽然对没有权限的访问者予以限制,但是仍然可以通过在浏览器地址栏上访问路径,所以使用后台权限控制尤为主要
通过三种注解实现权限的拦截:
1.jsr250的方式实现拦截 jsr是java的一个规范 jsr250是对规范的实现 目的是拦截验证权限
引入依赖
<dependency>
<groupId>javax.annotation</groupId>
<artifactId>jsr250-api</artifactId>
<version>1.0</version>
</dependency>
在配置文件中开启注解支持 为了拦截controller方法配置springMvc中
约束文件和命名空间
xmlns:security="http://www.springframework.org/schema/security"
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
<security:global-method-security jsr250-annotations="enabled"/>
在需要拦截的类或者方法上通过表达式拦截认证
@RolesAllowed("ROLE_ADMIN")
2.secured 注解拦截
<security:global-method-security secured-annotations="enabled"/>
@Secured("ROLE_ADMIN")
3.表达式的注解拦截
<security:global-method-security pre-post-annotations="enabled"/>
@PreAuthorize("hasRole('ROLE_ADMIN')")
注意:
1、三种方式都必须在springMvc.xml配置文件中开启注解支持
<!-- 开启AOP的支持 -->
<aop:aspectj-autoproxy proxy-target-class="true"/>
2、推荐使用第二种,次之第三种,不推荐第一种方式,太麻烦了