数据后台管理(四)权限控制

当我们在管理后台数据的时候需要对管理者的身份进行认证和授权,在该项目中用到的安全认证服务框架是Spring Security。

1.Spring Security的简单入门

通过一个spring security的入门案例来了解使用该框架的基本步骤。

1.1使用IDEA新建一个webapp的maven工程,在pom.xml文件中引入spring security框架的相关坐标。

 1 <?xml version="1.0" encoding="UTF-8"?>   2   3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   4   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">   5   <modelVersion>4.0.0</modelVersion>   6   7   <groupId>club.nipengfei</groupId>   8   <artifactId>spring_security_rumeng</artifactId>   9   <version>1.0-SNAPSHOT</version>  10   <packaging>war</packaging>  11  12   <name>spring_security_rumeng Maven Webapp</name>  13   <!-- FIXME change it to the project's website -->  14   <url>http://www.example.com</url>  15  16   <properties>  17     <spring.version>5.0.2.RELEASE</spring.version>  18     <spring.security.version>5.0.1.RELEASE</spring.security.version>  19   </properties>  20  21   <dependencies>  22     <dependency>  23       <groupId>org.springframework</groupId>  24       <artifactId>spring-core</artifactId>  25       <version>${spring.version}</version>  26     </dependency>  27     <dependency>  28       <groupId>org.springframework</groupId>  29       <artifactId>spring-web</artifactId>  30       <version>${spring.version}</version>  31     </dependency>  32     <dependency>  33       <groupId>org.springframework</groupId>  34       <artifactId>spring-webmvc</artifactId>  35       <version>${spring.version}</version>  36     </dependency>  37     <dependency>  38       <groupId>org.springframework</groupId>  39       <artifactId>spring-context-support</artifactId>  40       <version>${spring.version}</version>  41     </dependency>  42     <dependency>  43       <groupId>org.springframework</groupId>  44       <artifactId>spring-test</artifactId>  45       <version>${spring.version}</version>  46     </dependency>  47     <dependency>  48       <groupId>org.springframework</groupId>  49       <artifactId>spring-jdbc</artifactId>  50       <version>${spring.version}</version>  51     </dependency>  52  53     <dependency>  54       <groupId>org.springframework.security</groupId>  55       <artifactId>spring-security-web</artifactId>  56       <version>${spring.security.version}</version>  57     </dependency>  58     <dependency>  59       <groupId>org.springframework.security</groupId>  60       <artifactId>spring-security-config</artifactId>  61       <version>${spring.security.version}</version>  62     </dependency>  63     <dependency>  64       <groupId>javax.servlet</groupId>  65       <artifactId>javax.servlet-api</artifactId>  66       <version>3.1.0</version>  67       <scope>provided</scope>  68     </dependency>  69   </dependencies>  70   <build>  71     <plugins>  72       <!-- java编译插件 -->  73       <plugin>  74         <groupId>org.apache.maven.plugins</groupId>  75         <artifactId>maven-compiler-plugin</artifactId>  76         <version>3.2</version>  77         <configuration>  78           <source>1.8</source>  79           <target>1.8</target>  80           <encoding>UTF-8</encoding>  81         </configuration>  82       </plugin>  83       <plugin>  84         <groupId>org.apache.tomcat.maven</groupId>  85         <artifactId>tomcat7-maven-plugin</artifactId>  86         <configuration>  87           <!-- 指定端口 -->  88           <port>8090</port>  89           <!-- 请求路径 -->  90           <path>/</path>  91         </configuration>  92       </plugin>  93     </plugins>  94   </build>  95 </project>

1.2在web.xml中配置一个spring security的过滤器和引入spring security的核心配置文件。

 1 <?xml version="1.0" encoding="UTF-8"?>   2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   3          xmlns="http://java.sun.com/xml/ns/javaee"   4          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"   5          version="2.5">   6   <display-name>SpringSecurity314</display-name>   7   8   <context-param>   9     <param-name>contextConfigLocation</param-name>  10     <param-value>classpath:spring-security.xml</param-value>  11   </context-param>  12   <listener>  13     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>  14   </listener>  15   <filter>  16     <filter-name>springSecurityFilterChain</filter-name>  17     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  18   </filter>  19   <filter-mapping>  20     <filter-name>springSecurityFilterChain</filter-name>  21     <url-pattern>/*</url-pattern>  22   </filter-mapping>  23   <welcome-file-list>  24     <welcome-file>index.html</welcome-file>  25     <welcome-file>index.htm</welcome-file>  26     <welcome-file>index.jsp</welcome-file>  27     <welcome-file>default.html</welcome-file>  28     <welcome-file>default.htm</welcome-file>  29     <welcome-file>default.jsp</welcome-file>  30   </welcome-file-list>  31 </web-app>

1.3在resource资源路径下新建一个该框架的核心配置文件spring-security.xml

 1 <?xml version="1.0" encoding="UTF-8"?>   2 <beans xmlns="http://www.springframework.org/schema/beans"   3        xmlns:security="http://www.springframework.org/schema/security"   4        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   5        xsi:schemaLocation="http://www.springframework.org/schema/beans   6 http://www.springframework.org/schema/beans/spring-beans.xsd   7 http://www.springframework.org/schema/security   8 http://www.springframework.org/schema/security/spring-security.xsd">   9     <security:http auto-config="true" use-expressions="false">  10         <!-- intercept-url定义一个过滤规则 pattern表示对哪些url进行权限控制,ccess属性表示在请求对应  11         的URL时需要什么权限,  12         默认配置时它应该是一个以逗号分隔的角色列表,请求的用户只需拥有其中的一个角色就能成功访问对应  13         的URL -->  14         <security:intercept-url pattern="/**" access="ROLE_USER" />  15         <!-- auto-config配置后,不需要在配置下面信息 <security:form-login /> 定义登录表单信息  16         <security:http-basic  17         /> <security:logout /> -->  18     </security:http>  19     <security:authentication-manager>  20         <security:authentication-provider>  21             <security:user-service>  22                 <security:user name="user" password="{noop}user"  23                                authorities="ROLE_USER" />  24                 <security:user name="admin" password="{noop}admin"  25                                authorities="ROLE_ADMIN" />  26             </security:user-service>  27         </security:authentication-provider>  28     </security:authentication-manager>  29 </beans>

1.4入门案例总结

启动该入门案例发现直接跳转到了登录页面,但是我们并没有写有关登录的页面,这个页面是该框架本身自己的。

因为在核心配置文件中有<security:http auto-config=”true” use-expressions=”false”>开启spring security的默认的配置,当然也可以自定义登录页面。

 

当我们随意输入一个用户名”npf”和密码”1233″(配置文件中没有该用户名密码)时会出现如下提示

 

当我们输入用户名”admin”密码”admin”(配置文件中有该用户名密码但该角色不符合要求)时会出现如下提示,该提示表示权限不足。

当我们输入用户名”user”密码”user”时能够正常访问到index.jsp页面

 

上述简单入门案例存在明显不足之处,需要改进。

  1. 登录页面太简陋需要自定义
  2. 登录的账号一般在数据库中而不是在配置文件中

2.spring security在数据后台管理中的使用

为了确保数据的安全,在管理数据过程中需要对管理者的身份进行验证,并且让不同的管理者有不同的操作权限。

2.1与入门案例相似,在pom.xml文件中引入相应坐标,并在web.xml中配置一个spring security的过滤器和引入spring security的核心配置文件。

  1 <?xml version="1.0" encoding="UTF-8"?>    2    3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    4   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">    5   <modelVersion>4.0.0</modelVersion>    6    7   <groupId>club.nipengfei</groupId>    8   <artifactId>ssm5</artifactId>    9   <version>1.0-SNAPSHOT</version>   10   <packaging>war</packaging>   11   12   <name>ssm5 Maven Webapp</name>   13   <!-- FIXME change it to the project's website -->   14   <url>http://www.example.com</url>   15   16   <properties>   17     <spring.version>5.0.2.RELEASE</spring.version>   18     <slf4j.version>1.6.6</slf4j.version>   19     <log4j.version>1.2.12</log4j.version>   20     <mysql.version>5.1.6</mysql.version>   21     <mybatis.version>3.4.5</mybatis.version>   22     <spring.security.version>5.0.1.RELEASE</spring.security.version>   23   </properties>   24   <dependencies>   25     <!-- spring -->   26     <dependency>   27       <groupId>org.aspectj</groupId>   28       <artifactId>aspectjweaver</artifactId>   29       <version>1.6.8</version>   30     </dependency>   31     <dependency>   32       <groupId>org.springframework</groupId>   33       <artifactId>spring-aop</artifactId>   34       <version>${spring.version}</version>   35     </dependency>   36     <dependency>   37       <groupId>org.springframework</groupId>   38       <artifactId>spring-context</artifactId>   39       <version>${spring.version}</version>   40     </dependency>   41     <dependency>   42       <groupId>org.springframework</groupId>   43       <artifactId>spring-web</artifactId>   44       <version>${spring.version}</version>   45     </dependency>   46     <dependency>   47       <groupId>org.springframework</groupId>   48       <artifactId>spring-webmvc</artifactId>   49       <version>${spring.version}</version>   50     </dependency>   51     <dependency>   52       <groupId>org.springframework</groupId>   53       <artifactId>spring-test</artifactId>   54       <version>${spring.version}</version>   55     </dependency>   56     <dependency>   57       <groupId>org.springframework</groupId>   58       <artifactId>spring-tx</artifactId>   59       <version>${spring.version}</version>   60     </dependency>   61     <dependency>   62       <groupId>org.springframework</groupId>   63       <artifactId>spring-jdbc</artifactId>   64       <version>${spring.version}</version>   65     </dependency>   66     <dependency>   67       <groupId>junit</groupId>   68       <artifactId>junit</artifactId>   69       <version>4.12</version>   70       <scope>compile</scope>   71     </dependency>   72     <dependency>   73       <groupId>mysql</groupId>   74       <artifactId>mysql-connector-java</artifactId>   75       <version>${mysql.version}</version>   76     </dependency>   77     <dependency>   78       <groupId>javax.servlet</groupId>   79       <artifactId>servlet-api</artifactId>   80       <version>2.5</version>   81       <scope>provided</scope>   82     </dependency>   83     <dependency>   84       <groupId>javax.servlet.jsp</groupId>   85       <artifactId>jsp-api</artifactId>   86       <version>2.0</version>   87       <scope>provided</scope>   88     </dependency>   89     <dependency>   90       <groupId>jstl</groupId>   91       <artifactId>jstl</artifactId>   92       <version>1.2</version>   93     </dependency>   94     <!-- log start -->   95     <dependency>   96       <groupId>log4j</groupId>   97       <artifactId>log4j</artifactId>   98       <version>${log4j.version}</version>   99     </dependency>  100     <dependency>  101       <groupId>org.slf4j</groupId>  102       <artifactId>slf4j-api</artifactId>  103       <version>${slf4j.version}</version>  104     </dependency>  105     <dependency>  106       <groupId>org.slf4j</groupId>  107       <artifactId>slf4j-log4j12</artifactId>  108       <version>${slf4j.version}</version>  109     </dependency>  110     <!-- log end -->  111     <dependency>  112       <groupId>org.mybatis</groupId>  113       <artifactId>mybatis</artifactId>  114       <version>${mybatis.version}</version>  115     </dependency>  116     <dependency>  117       <groupId>org.mybatis</groupId>  118       <artifactId>mybatis-spring</artifactId>  119       <version>1.3.0</version>  120     </dependency>  121     <dependency>  122       <groupId>c3p0</groupId>  123       <artifactId>c3p0</artifactId>  124       <version>0.9.1.2</version>  125       <type>jar</type>  126       <scope>compile</scope>  127     </dependency>  128     <dependency>  129       <groupId>com.github.pagehelper</groupId>  130       <artifactId>pagehelper</artifactId>  131       <version>5.1.2</version>  132     </dependency>  133     <dependency>  134       <groupId>org.springframework.security</groupId>  135       <artifactId>spring-security-web</artifactId>  136       <version>${spring.security.version}</version>  137     </dependency>  138     <dependency>  139       <groupId>org.springframework.security</groupId>  140       <artifactId>spring-security-config</artifactId>  141       <version>${spring.security.version}</version>  142     </dependency>  143     <dependency>  144       <groupId>org.springframework.security</groupId>  145       <artifactId>spring-security-core</artifactId>  146       <version>${spring.security.version}</version>  147     </dependency>  148     <dependency>  149       <groupId>org.springframework.security</groupId>  150       <artifactId>spring-security-taglibs</artifactId>  151       <version>${spring.security.version}</version>  152     </dependency>  153  154     <dependency>  155       <groupId>mysql</groupId>  156       <artifactId>mysql-connector-java</artifactId>  157       <version>${mysql.version}</version>  158     </dependency>  159  160     <dependency>  161       <groupId>javax.annotation</groupId>  162       <artifactId>jsr250-api</artifactId>  163       <version>1.0</version>  164     </dependency>  165  166   </dependencies>  167  168   <build>  169     <finalName>ssm5</finalName>  170     <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->  171       <plugins>  172         <plugin>  173           <artifactId>maven-clean-plugin</artifactId>  174           <version>3.1.0</version>  175         </plugin>  176         <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->  177         <plugin>  178           <artifactId>maven-resources-plugin</artifactId>  179           <version>3.0.2</version>  180         </plugin>  181         <plugin>  182           <artifactId>maven-compiler-plugin</artifactId>  183           <version>3.8.0</version>  184         </plugin>  185         <plugin>  186           <artifactId>maven-surefire-plugin</artifactId>  187           <version>2.22.1</version>  188         </plugin>  189         <plugin>  190           <artifactId>maven-war-plugin</artifactId>  191           <version>3.2.2</version>  192         </plugin>  193         <plugin>  194           <artifactId>maven-install-plugin</artifactId>  195           <version>2.5.2</version>  196         </plugin>  197         <plugin>  198           <artifactId>maven-deploy-plugin</artifactId>  199           <version>2.8.2</version>  200         </plugin>  201       </plugins>  202     </pluginManagement>  203   </build>  204 </project>

pom.xml

 1 <?xml version="1.0" encoding="UTF-8"?>   2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   3          xmlns="http://xmlns.jcp.org/xml/ns/javaee"   4          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"   5          version="3.1">   6   7     <display-name>Archetype Created web Application</display-name>   8     <!--配置监听器,默认只加载WEB-INF目录下的applicationContext.xml配置文件-->   9     <listener>  10         <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>  11     </listener>  12     <!--设置配置文件路径-->  13     <context-param>  14         <param-name>contextConfigLocation</param-name>  15         <param-value>classpath*:applicationContext.xml,classpath*:spring-security.xml</param-value>  16     </context-param>  17     <!--配置前端控制器-->  18     <servlet>  19         <servlet-name>dispatcherServlet</servlet-name>  20         <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>  21         <!--加载springmvc.xml配置文件-->  22         <init-param>  23             <param-name>contextConfigLocation</param-name>  24             <param-value>classpath:springmvc.xml</param-value>  25         </init-param>  26         <!--启动服务器,创建servlet-->  27         <load-on-startup>1</load-on-startup>  28     </servlet>  29     <servlet-mapping>  30         <servlet-name>dispatcherServlet</servlet-name>  31         <url-pattern>*.do</url-pattern>  32     </servlet-mapping>  33  34     <!--解决中文乱码过滤器-->  35     <filter>  36         <filter-name>characterEncodingFilter</filter-name>  37         <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>  38         <init-param>  39             <param-name>encoding</param-name>  40             <param-value>UTF-8</param-value>  41         </init-param>  42     </filter>  43     <filter-mapping>  44         <filter-name>characterEncodingFilter</filter-name>  45         <url-pattern>/*</url-pattern>  46     </filter-mapping>  47  48     <!--spring security的过滤器-->  49     <filter>  50         <filter-name>springSecurityFilterChain</filter-name>  51         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  52     </filter>  53     <filter-mapping>  54         <filter-name>springSecurityFilterChain</filter-name>  55         <url-pattern>/*</url-pattern>  56     </filter-mapping>  57  58     <welcome-file-list>  59         <welcome-file>index.html</welcome-file>  60         <welcome-file>index.htm</welcome-file>  61         <welcome-file>index.jsp</welcome-file>  62         <welcome-file>default.html</welcome-file>  63         <welcome-file>default.htm</welcome-file>  64         <welcome-file>default.jsp</welcome-file>  65     </welcome-file-list>  66 </web-app>

web.xml

2.2配置spring security的核心配置文件

与入门案例相比,这里配置了不拦截的资源,自定义了登录页面,实现了退出操作,将原先定义在配置页面中的登录用户名和密码切换成在数据库中。

 1 <?xml version="1.0" encoding="UTF-8"?>   2 <beans xmlns="http://www.springframework.org/schema/beans"   3        xmlns:security="http://www.springframework.org/schema/security"   4        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   5        xsi:schemaLocation="http://www.springframework.org/schema/beans   6     http://www.springframework.org/schema/beans/spring-beans.xsd   7     http://www.springframework.org/schema/security   8     http://www.springframework.org/schema/security/spring-security.xsd">   9  10     <!-- 配置不拦截的资源 -->  11     <security:http pattern="/login.jsp" security="none"/>  12     <security:http pattern="/failer.jsp" security="none"/>  13     <security:http pattern="/css/**" security="none"/>  14     <security:http pattern="/img/**" security="none"/>  15     <security:http pattern="/plugins/**" security="none"/>  16  17     <!--  18         配置具体的规则  19         auto-config="true"    不用自己编写登录的页面,框架提供默认登录页面  20         use-expressions="false"    是否使用SPEL表达式(没学习过)  21     -->  22     <security:http auto-config="true" use-expressions="true">  23         <!-- 配置具体的拦截的规则 pattern="请求路径的规则" access="访问系统的人,必须有ROLE_USER的角色" -->  24         <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>  25  26         <!-- 定义跳转的具体的页面 -->  27         <security:form-login  28                 login-page="/login.jsp"  29                 login-processing-url="/login.do"  30                 default-target-url="/index.jsp"  31                 authentication-failure-url="/failer.jsp"  32                 authentication-success-forward-url="/pages/main.jsp"  33         />  34  35         <!-- 关闭跨域请求 -->  36         <security:csrf disabled="true"/>  37  38         <!-- 退出 -->  39         <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp" />  40  41     </security:http>  42  43     <!-- 切换成数据库中的用户名和密码 -->  44     <security:authentication-manager>  45         <security:authentication-provider user-service-ref="userService">  46             <!-- 配置加密的方式 -->  47             <security:password-encoder ref="passwordEncoder"/>  48         </security:authentication-provider>  49     </security:authentication-manager>  50  51     <!-- 配置加密类 -->  52     <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>  53  54 </beans>

2.3使用数据库完成用户登录流程

下面是使用数据库完成认证操作的流程图

 

在Spring Security中如果想要使用数据进行认证操作,有很多种操作方式,这里我们介绍使用UserDetails、UserDetailsService来完成操作。

IUserService接口继承了UserDetailsService类,UserServiceImpl类实现了IUserService接口。

UserDetailsService 接口内有一个loadUserByUsername方法,返回的是UserDetails。

 1 public interface UserDetailsService {   2     // ~ Methods   3     // ========================================================================================================   4   5     /**   6      * Locates the user based on the username. In the actual implementation, the search   7      * may possibly be case sensitive, or case insensitive depending on how the   8      * implementation instance is configured. In this case, the <code>UserDetails</code>   9      * object that comes back may have a username that is of a different case than what  10      * was actually requested..  11      *  12      * @param username the username identifying the user whose data is required.  13      *  14      * @return a fully populated user record (never <code>null</code>)  15      *  16      * @throws UsernameNotFoundException if the user could not be found or the user has no  17      * GrantedAuthority  18      */  19     UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;  20 }

 根据spring-security的核心配置文件,需要将UserServiceImpl类命名为”userService”,并实现loadUserByUsername方法。

 loadUserByUsername方法根据用户名从数据库中查询用户信息UserInfo,并将UserInfo的用户名,密码和角色信息作为User的构造参数。

 1 package club.nipengfei.service.impl;   2   3 import club.nipengfei.dao.IUserDao;   4 import club.nipengfei.domain.Role;   5 import club.nipengfei.domain.UserInfo;   6 import club.nipengfei.service.IUserService;   7 import org.springframework.beans.factory.annotation.Autowired;   8 import org.springframework.security.core.authority.SimpleGrantedAuthority;   9 import org.springframework.security.core.userdetails.User;  10 import org.springframework.security.core.userdetails.UserDetails;  11 import org.springframework.security.core.userdetails.UsernameNotFoundException;  12 import org.springframework.stereotype.Service;  13 import org.springframework.transaction.annotation.Transactional;  14  15 import java.util.ArrayList;  16 import java.util.Collection;  17 import java.util.List;  18  19 @Service("userService")  20 @Transactional  21 public class UserServiceImpl implements IUserService {  22  23     @Autowired  24     private IUserDao userDao;  25  26     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {  27         UserInfo userInfo = null;  28         try {  29             userInfo = userDao.findByUsername(username);31         } catch (Exception e) {  32             e.printStackTrace();  33         }  34         // 处理自己的用户对象分装成UserDetails  35         // 该spring security的User实现了UserDetails  36         User user = new User(userInfo.getUsername(),userInfo.getPassword(),getAuthority(userInfo.getRoles()));38         return user;  39     }  40  41     public List<SimpleGrantedAuthority> getAuthority(List<Role> roles) {  42         List<SimpleGrantedAuthority> list = new ArrayList<SimpleGrantedAuthority>();  43         for (Role role:roles){  44             list.add(new SimpleGrantedAuthority("ROLE_"+role.getRoleName()));  45         }  46         return list;  47     }  48 }

 接口UserDetails,封装了当前认证用户的信息,但由于是一个接口,我们可以对其实现,也可以使用spring security提供的UserDetails实现类User完成操作

1 public interface UserDetails extends Serializable {  2     Collection<? extends GrantedAuthority> getAuthorities();  3     String getPassword();  4     String getUsername();  5     boolean isAccountNonExpired();  6     boolean isAccountNonLocked();  7     boolean isCredentialsNonExpired();  8     boolean isEnabled();  9 }

1 public class User implements UserDetails, CredentialsContainer {  2     private String password;  3     private final String username;  4     private final Set<GrantedAuthority> authorities;  5     private final boolean accountNonExpired; //帐户是否过期  6     private final boolean accountNonLocked; //帐户是否锁定  7     private final boolean credentialsNonExpired; //认证是否过期  8     private final boolean enabled; //帐户是否可用  9

 下面是根据用户名查询用户信息的IUserDao接口

 1 package club.nipengfei.dao;   2   3 import club.nipengfei.domain.UserInfo;   4 import org.apache.ibatis.annotations.Many;   5 import org.apache.ibatis.annotations.Result;   6 import org.apache.ibatis.annotations.Results;   7 import org.apache.ibatis.annotations.Select;   8   9 public interface IUserDao {  10  11     @Select("select * from users where username=#{username}")  12     @Results({  13             @Result(id = true,property = "id",column = "id"),  14             @Result(property = "username",column = "username"),  15             @Result(property = "email",column = "email"),  16             @Result(property = "password",column = "password"),  17             @Result(property = "phoneNum",column = "phoneNum"),  18             @Result(property = "status",column = "status"),  19             @Result(property = "roles",column = "id",javaType = java.util.List.class,many = @Many(select = "club.nipengfei.dao.IRoleDao.findRoleByUserId"))  20     })  21     public UserInfo findByUsername(String username) throws Exception;  22 }

 2.4使用spring security完成权限控制(JSR-250注解)

不同的用户有不同的角色,根据角色使用户有不同的权限。在服务器端我们可以通过Spring security提供的注解对方法来进行权限控制。Spring Security在方法的权限控制上支持三种类型的注解,JSR-250注解、@Secured注解和支持表达式的注解,这三种注解默认都是没有启用的,需要单独通过global-method-security元素的对应属性进行启用

下面使用JSR-250注解完成权限控制:

需要在security-security.xml中开启权限,并且在pom.xml引入坐标

<security:global-method-security jsr250-annotations="enabled"></security:global-method-security>

<dependency>          <groupId>javax.annotation</groupId>          <artifactId>jsr250-api</artifactId>          <version>1.0</version>   </dependency>

  1. @RolesAllowed表示访问对应方法时所应该具有的角色
  2. @PermitAll表示允许所有的角色进行访问,也就是说不进行权限控制
  3. @DenyAll是和PermitAll相反的,表示无论什么角色都不能访问

 示例:

@RolesAllowed({"USER", "ADMIN"}) 该方法只要具有"USER", "ADMIN"任意一种权限就可以访问。这里可以省略前缀ROLE_,实际的权限可能是ROLE_ADMIN

 2.5使用spring security完成权限控制(@Secured注解)

 与上面的类似,少一步pom.xml坐标引入,因为该注解是spring security本身提供的。