这一章使我们的认证可以跟数据库关联
认证类:
定义一个自定义类实现UserDetailsService,返回org.springframework.security.core.userdetails.User,User需要账号,密码,授权列表
package com.pinyougou.service; import java.util.ArrayList; import java.util.Collection; import java.util.List; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import com.pinyougou.pojo.TbSeller; import com.pinyougou.sellergoods.service.SellerService; public class UserDetailsServiceImpl implements UserDetailsService{ private SellerService sellerService; public SellerService getSellerService() { return sellerService; } public void setSellerService(SellerService sellerService) { this.sellerService = sellerService; } @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); authorities.add(new SimpleGrantedAuthority("ROLE_USER")); TbSeller seller = sellerService.findOne(username); if(seller!=null){ return new User(username, seller.getPassword(), authorities); }else{ return null; } } }
spring-security.xml配置
设置一个userDetailsService set注入可以查询用户的类,并将这个bean注入security的认证管理器中,密码使用BCrypt强哈希方法来加密密码(虽然每次 BCryptPasswordEncoder 的 encoder 结果都不一样,但是存贮其中一次加密结果 也能够验证成功)
<?xml version="1.0" encoding="UTF-8"?> <bean:beans xmlns="http://www.springframework.org/schema/security" xmlns:bean="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dubbo="http://code.alibabatech.com/schema/dubbo" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <!-- 不需要权限控制的资源 --> <http pattern="/*.html" security="none"></http> <http pattern="/css/**" security="none"></http> <http pattern="/img/**" security="none"></http> <http pattern="/js/**" security="none"></http> <http pattern="/plugins/**" security="none"></http> <http pattern="/seller/add.do" security="none"></http> <!-- 拦截规则 --> <http> <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/> <form-login login-page="/shoplogin.html" login-processing-url="/login" always-use-default-target="true" default-target-url="/admin/index.html" authentication-failure-url="/login_error.html"/> <csrf disabled="true"/> <logout/> <headers> <frame-options policy="SAMEORIGIN"/> </headers> </http> <!-- 加密配置 --> <bean:bean id="bcryptEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" /> <!-- 认证管理器 --> <authentication-manager alias="authenticationManager"> <!-- 引用自定义真正类 --> <authentication-provider user-service-ref="userDetailsService"> <password-encoder ref="bcryptEncoder"></password-encoder> </authentication-provider> </authentication-manager> <!-- 引用dubbo服务 --> <dubbo:application name="pinyougou-shop-web" /> <dubbo:registry address="zookeeper://192.168.25.100:2181"/> <dubbo:reference id="sellerService" interface="com.pinyougou.sellergoods.service.SellerService"></dubbo:reference> <!-- 认证类 --> <bean:bean id="userDetailsService" class="com.pinyougou.service.UserDetailsServiceImpl"> <bean:property name="sellerService" ref="sellerService"></bean:property> </bean:bean> </bean:beans>这样Security每次验证都和数据库联系起来
注: 注册时需要使用BCrypt加密
//密码加密 BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(); String password = passwordEncoder.encode(seller.getPassword()); seller.setPassword(password);