springSecurity
- 权限管理一般有以下几张表
- 在web.xml中配置
用户表t_user、权限表t_permission、角色表t_role、菜单表t_menu、用户角色关系表t_user_role、角
色权限关系表t_role_permission、角色菜单关系表t_role_menu。
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>5.0.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.0.5.RELEASE</version>
</dependency>
- 配置拦截规则
- 设置不过滤资源
<security:http security="none" pattern="/login.html"/>
<security:http security="none" pattern="/css/**"/>
<security:http security="none" pattern="/ElementUI/**"/>
<security:http security="none" pattern="/img/**"/>
<security:http security="none" pattern="/js/**"/>
<security:http security="none" pattern="/template/**"/>
- <!--配置认证管理器-->
<security:authentication-manager>
<security:authentication-provider user-service-ref="securityService">
<!-- <security:user-service>
<!– <security:user name="admin" authorities="ROLE_ADMIN" password="{noop}1234"/>–>
</security:user-service>-->
<security:password-encoder ref="passwordEncoder" />//配置密码
</security:authentication-provider>
</security:authentication-manager>
<bean id="securityService" class="com.ssw.service.SecurityService"/> - java类中
@Component
public class SecurityService implements UserDetailsService {
@Reference
UserService userService;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userService.find(username);
if(user==null){
return null;
}
List list = new ArrayList();
Set<Role> roles = user.getRoles();
for (Role role : roles) {
list.add(new SimpleGrantedAuthority(role.getKeyword()));
Set<Permission> permissions = role.getPermissions();
for (Permission permission : permissions) {
list.add(new SimpleGrantedAuthority(permission.getKeyword()));
}
}
org.springframework.security.core.userdetails.User securityUser = new org.springframework.security.core.userdetails.User( ,user.getPassword(),list);
return securityUser;
}
}
<!--
auto-config默认是否用框架提供的默认的一些功能,默认登录页面等
-->
<security:http auto-config="true">
//frame页面设置不过滤
<security:headers>
<security:frame-options policy="SAMEORIGIN"></security:frame-options>
</security:headers>
<!--拥有add权限就可以访问b.html页面-->
<security:intercept-url pattern="/b.html" access="hasAuthority('add')" />
<security:intercept-url pattern="/pages/**" access="isAuthenticated()"/>
//指定自定义的登录页面
<security:form-login login-page="/login.html"
username-parameter="username"
password-parameter="password"
login-processing-url="/login.do"
default-target-url="/pages/main.html"
authentication-failure-url="/login.html"/>
//自定义页面必须关闭csrf过滤器,负责登录页面会被过滤掉。
<security:csrf disabled="true"></security:csrf>
//自定义退出
<security:logout logout-url="/logout.do" logout-success-url="/login.html" invalidate-session="true"/>
</security:http>
<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
- <security:global-method-security pre-post-annotations="enabled" />
- @RequestMapping("/delete")
- @PreAuthorize("hasRole('ROLE_ADMIN')")//表示用户必须拥有ROLE_ADMIN角色才能调用当前方法
public String delete(){
System.out.println("delete...");
return "success";
}
