springSecurity初学 安全登录验证

一.快速入门:

    1).导入依赖

     

<!--版本信息-->
<spring.security.version>5.0.1.RELEASE</spring.security.version>

 <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
            <version>${spring.security.version}</version>
        </dependency>

   2).web.xml配置

      

 <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <!--增加加载spring-security.xml-->
    <param-value>classpath:applicationContext.xml,classpath:spring-security2.xml</param-value>
  </context-param>

 <!--securityFilter-->
  <filter>
    <!--此处name值必须为springSecurityFilterChain!!!-->
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  3).spring-security.xml文件配置

  

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans          
    http://www.springframework.org/schema/beans/spring-beans.xsd          
    http://www.springframework.org/schema/security          
    http://www.springframework.org/schema/security/spring-security.xsd">
    
    <!-- 配置不拦截的资源 -->
    <security:http pattern="/login.jsp" security="none"/>
    <security:http pattern="/failer.jsp" security="none"/>
    <security:http pattern="/css/**" security="none"/>
    <security:http pattern="/img/**" security="none"/>
    <security:http pattern="/plugins/**" security="none"/>
    
    <!-- 
        配置具体的规则 
        auto-config="true"    不用自己编写登录的页面，框架提供默认登录页面
        use-expressions="false"    是否使用SPEL表达式（没学习过）
    -->
    <security:http auto-config="true" use-expressions="false">
        <!-- 配置具体的拦截的规则 pattern="请求路径的规则" access="访问系统的人，必须有ROLE_USER的角色" -->
        <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
        
        <!-- 定义跳转的具体的页面 -->
        <security:form-login  
            login-page="/login.jsp"
            login-processing-url="/login"  
            default-target-url="/pages/main.jsp"
            authentication-failure-url="/failer.jsp"
        />
        
        <!-- 关闭跨域请求 -->
        <security:csrf disabled="true"/>
        
        <!-- 退出 -->
        <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp" />
        
    </security:http>
    
    <!-- 切换成数据库中的用户名和密码 -->
    <security:authentication-manager>
        <security:authentication-provider user-service-ref="userService">
            <!-- 配置加密的方式 -->
            <security:password-encoder ref="passwordEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>
    <!-- 配置加密类 -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
    
     <!--提供了入门的方式，在内存中存入用户名和密码-->
   <!-- <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="admin" password="{noop}admin" authorities="ROLE_USER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>-->

 </beans>   
 
 
 

 4)登录的controller层交给springsecurity框架,需要编写service层,需要实现UserDetailsService接口

   service层接口:

  

public interface IUserService extends UserDetailsService {
    
    

 service层实现类:

@Service("userService")  //名字和spring-security.xml配置对应
public class UserServiceImpl implements IUserService {
    @Autowired
    private IUserDao userDao;
    
    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder; //加密类

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserInfo userInfo = userDao.findByUsername(username);
         //没有带状态的user
//        User user = new User(userInfo.getUsername(),"{noop}"+userInfo.getPassword(),getAuthorities());
         //给密码加密
       /* String encode = bCryptPasswordEncoder.encode(userInfo.getPassword());
        userInfo.setPassword(encode);*/
       
        /*携带状态信息的user*/
        User user = new User(userInfo.getUsername(),userInfo.getPassword(),
                userInfo.getStatus()==0?false:true,true,true,true,
                getAuthorities(userInfo.getRoles()));
        return user;
    }
    //为了通过验证,获取角色信息
    public List<SimpleGrantedAuthority> getAuthorities(List<Role> roleList){
        List<SimpleGrantedAuthority> list =new ArrayList<>();
        for (Role role : roleList) {
            list.add(new SimpleGrantedAuthority(role.getRoleName()));
        }
        return list;
    }