Spring整合SpringSecurity

发布于:2024-07-12 ⋅ 阅读:(527) ⋅ 点赞:(0)

SpringSecurity基础使用

SpringSecurity是一个安全框架,主要功能是认证授权

从Spring入手SpringSecurity

1. Spring整合SpringSecurity

applicationContext.xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc.xsd">
    <context:component-scan base-package="com.shaoby.service"></context:component-scan>
    <import resource="spring-security.xml"/>
</beans>
spring-mvc.xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc.xsd">
    <!-- 启用注解扫描 -->
    <context:component-scan base-package="com.shaoby.controller" />
    <!-- 配置视图解析器 -->
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/views/" />
        <property name="suffix" value=".jsp" />
    </bean>
    <!-- 启用Spring MVC的注解 -->
    <mvc:annotation-driven />
    <!-- 定义控制器 -->
<!--    <bean name="/example" class="com.shaoby.controller.ExampleController" />-->

</beans>
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security.xsd">
    <http auto-config="true">
        <intercept-url pattern="/login.jsp" access="permitAll()"/>
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
        <form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/>
        <remember-me
            token-validity-seconds="60"
            remember-me-parameter="remember-me"
        />
        <access-denied-handler error-page="/error.jsp"/>
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="{noop}123" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
  <display-name>Archetype Created Web Application</display-name>
<!--  初始化web容器-->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:applicationContext.xml</param-value>
  </context-param>
  <!--配置Spring的监听器,默认只加载WEB-INF目录下的applicationContext.xml配置文件-->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
<!--乱码-->
  <filter>
    <filter-name>characterEncodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
      <param-name>encoding</param-name>
      <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
      <param-name>forceEncoding</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>characterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
<!--security-->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
<!--前端控制器-->
  <servlet>
    <servlet-name>dispatcherServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>classpath:spring-mvc.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>dispatcherServlet</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>

2. 认证操作

2.1 自定义登录页面

自定义登录页面只需要在security配置文件中指定登录页面即可

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security.xsd">
    <http auto-config="true">
        <intercept-url pattern="/login.jsp" access="permitAll()"/>
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
        <!--指定登录页面或登录成功页面等,都在这个标签中可以指定-->
        <form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/>
        <!-- 错误页面-->
        <access-denied-handler error-page="/error.jsp"/>
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="{noop}123" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
2.2 关闭CSRF认证

使用csrf标签指定disabled = 'true’即可

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security.xsd">
    <http auto-config="true">
        <intercept-url pattern="/login.jsp" access="permitAll()"/>
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
        <!--指定登录页面或登录成功页面等,都在这个标签中可以指定-->
        <form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/>
        <!-- 错误页面-->
        <access-denied-handler error-page="/error.jsp"/>
        <!--关闭CSRF认证-->
        <csrf disabled="true"/>
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="{noop}123" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

如果在JSP页面中也可以通过引入标签解决

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
-#引入
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
<html>
<head>
    <title>登录</title>
</head>
<body>
<h1>登录页面</h1>
<form action="/login" method="post">
    账号:<input type="text" name="username"/> <br>
    密码:<input type="password" name="password"/> <br>
    -#使用标签
    <security:csrfInput/>
    <input type="submit" value="登录">
</form>
</body>
</html>
2.3 持久层认证
  1. 认证一般是通过持久层查询进行认证的,这里暂时没有链接数据库,将数据写死。
  2. ecurity实现持久层的认证只需要实现UserDetailsService,重写loadUserByUserName,返回一个UserDetails对象即可,这个UserDetails对象可以通过任何方式获得,一般是数据库根据登录用户名查询。
  3. 需要注意的是,如果密码没有采用加密方式,密码前必须拼接{noop}字符串。
  4. 将写好的实现类给Security指定
@Service
public class UserServiceImpl implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        List<GrantedAuthority> list = new ArrayList<>();
        list.add(new SimpleGrantedAuthority("ROLE_USER"));
        UserDetails user = new User("admin", "{noop}123456", list);
        return user;
    }
}

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security.xsd">
    <http auto-config="true">
        <intercept-url pattern="/login.jsp" access="permitAll()"/>
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
        <!--指定登录页面或登录成功页面等,都在这个标签中可以指定-->
        <form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/>
        <!-- 错误页面-->
        <access-denied-handler error-page="/error.jsp"/>
        <!--关闭CSRF认证-->
        <csrf disabled="true"/>
    </http>
    <authentication-manager>
        <!--指定认证的类-->
        <authentication-provider user-service-ref="userServiceImpl">
        </authentication-provider>
    </authentication-manager>
</beans:beans>
2.4 密码加密
  1. 密码加密的方式有很多,比如MD5、MD4、BCryptPasswordEncoder等
  2. 如果使用加密的方式,一般是在持久层存储的就是加密后的数据
  3. 使用加密的方法
  4. 将加密的方式注入到spring容器中
  5. 然后给Security指定加密方式
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc.xsd">
    <context:component-scan base-package="com.shaoby.service"></context:component-scan>
<!--使用的加密方式的类-->
    <bean name="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
    <import resource="spring-security.xml"/>
</beans>

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security.xsd">
    <http auto-config="true">
        <intercept-url pattern="/login.jsp" access="permitAll()"/>
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
        <!--指定登录页面或登录成功页面等,都在这个标签中可以指定-->
        <form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/>
        <!-- 错误页面-->
        <access-denied-handler error-page="/error.jsp"/>
        <!--关闭CSRF认证-->
        <csrf disabled="true"/>
    </http>
    <authentication-manager>
        <!--指定认证的类-->
        <authentication-provider user-service-ref="userServiceImpl">
            <!--给security指定加密的方式-->
            <password-encoder ref="bCryptPasswordEncoder"/>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
2.5 remember me
  1. 这个功能是在页面勾选’记住我‘的勾选框后,下次再次访问页面不需要再次登录
  2. 实现的原理是,在登录成功后回返回给前端一个token,并存放在一张持久层表中或则内存中,前端存放在Cookie中,下次登录只要携带Cookie,security就直接通过存储的token比对,不需要重新认证
  3. 如果指定了数据源,就存放在持久层,如果没有指定则存放在内存中
  4. token的过期时间是可以设置的
  5. 实现步骤:
  6. 开启记住我功能
  7. 如果指定数据源则存放在数据库中,如果没有指定则存放在内存中
  8. 页面请求时候要传入一个参数
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security.xsd">
    <http auto-config="true">
        <intercept-url pattern="/login.jsp" access="permitAll()"/>
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
        <!--指定登录页面或登录成功页面等,都在这个标签中可以指定-->
        <form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/>
        <!-- 错误页面-->
        <access-denied-handler error-page="/error.jsp"/>
        <!--关闭CSRF认证-->
        <csrf disabled="true"/>
        <!--开启remember功能 token-validity-seconds表示过期时间,单位秒;remember-me-parameter="remember-me"表示传入的参数名;data-source-ref="dataSource"表示指定的数据源-->
        <remember-me
                token-validity-seconds="60"
                remember-me-parameter="remember-me"
                data-source-ref="dataSource"
        />
    </http>
    <authentication-manager>
        <!--指定认证的类-->
        <authentication-provider user-service-ref="userServiceImpl">
            <!--给security指定加密的方式-->
            <password-encoder ref="bCryptPasswordEncoder"/>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

网站公告

今日签到

点亮在社区的每一天
去签到

热门文章

最新发布