數據後台管理(四)許可權控制
- 2019 年 11 月 3 日
- 筆記
當我們在管理後台數據的時候需要對管理者的身份進行認證和授權,在該項目中用到的安全認證服務框架是Spring Security。
1.Spring Security的簡單入門
通過一個spring security的入門案例來了解使用該框架的基本步驟。
1.1使用IDEA新建一個webapp的maven工程,在pom.xml文件中引入spring security框架的相關坐標。
1 <?xml version="1.0" encoding="UTF-8"?> 2 3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 5 <modelVersion>4.0.0</modelVersion> 6 7 <groupId>club.nipengfei</groupId> 8 <artifactId>spring_security_rumeng</artifactId> 9 <version>1.0-SNAPSHOT</version> 10 <packaging>war</packaging> 11 12 <name>spring_security_rumeng Maven Webapp</name> 13 <!-- FIXME change it to the project's website --> 14 <url>http://www.example.com</url> 15 16 <properties> 17 <spring.version>5.0.2.RELEASE</spring.version> 18 <spring.security.version>5.0.1.RELEASE</spring.security.version> 19 </properties> 20 21 <dependencies> 22 <dependency> 23 <groupId>org.springframework</groupId> 24 <artifactId>spring-core</artifactId> 25 <version>${spring.version}</version> 26 </dependency> 27 <dependency> 28 <groupId>org.springframework</groupId> 29 <artifactId>spring-web</artifactId> 30 <version>${spring.version}</version> 31 </dependency> 32 <dependency> 33 <groupId>org.springframework</groupId> 34 <artifactId>spring-webmvc</artifactId> 35 <version>${spring.version}</version> 36 </dependency> 37 <dependency> 38 <groupId>org.springframework</groupId> 39 <artifactId>spring-context-support</artifactId> 40 <version>${spring.version}</version> 41 </dependency> 42 <dependency> 43 <groupId>org.springframework</groupId> 44 <artifactId>spring-test</artifactId> 45 <version>${spring.version}</version> 46 </dependency> 47 <dependency> 48 <groupId>org.springframework</groupId> 49 <artifactId>spring-jdbc</artifactId> 50 <version>${spring.version}</version> 51 </dependency> 52 53 <dependency> 54 <groupId>org.springframework.security</groupId> 55 <artifactId>spring-security-web</artifactId> 56 <version>${spring.security.version}</version> 57 </dependency> 58 <dependency> 59 <groupId>org.springframework.security</groupId> 60 <artifactId>spring-security-config</artifactId> 61 <version>${spring.security.version}</version> 62 </dependency> 63 <dependency> 64 <groupId>javax.servlet</groupId> 65 <artifactId>javax.servlet-api</artifactId> 66 <version>3.1.0</version> 67 <scope>provided</scope> 68 </dependency> 69 </dependencies> 70 <build> 71 <plugins> 72 <!-- java編譯插件 --> 73 <plugin> 74 <groupId>org.apache.maven.plugins</groupId> 75 <artifactId>maven-compiler-plugin</artifactId> 76 <version>3.2</version> 77 <configuration> 78 <source>1.8</source> 79 <target>1.8</target> 80 <encoding>UTF-8</encoding> 81 </configuration> 82 </plugin> 83 <plugin> 84 <groupId>org.apache.tomcat.maven</groupId> 85 <artifactId>tomcat7-maven-plugin</artifactId> 86 <configuration> 87 <!-- 指定埠 --> 88 <port>8090</port> 89 <!-- 請求路徑 --> 90 <path>/</path> 91 </configuration> 92 </plugin> 93 </plugins> 94 </build> 95 </project>
1.2在web.xml中配置一個spring security的過濾器和引入spring security的核心配置文件。
1 <?xml version="1.0" encoding="UTF-8"?> 2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 3 xmlns="http://java.sun.com/xml/ns/javaee" 4 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 5 version="2.5"> 6 <display-name>SpringSecurity314</display-name> 7 8 <context-param> 9 <param-name>contextConfigLocation</param-name> 10 <param-value>classpath:spring-security.xml</param-value> 11 </context-param> 12 <listener> 13 <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 14 </listener> 15 <filter> 16 <filter-name>springSecurityFilterChain</filter-name> 17 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 18 </filter> 19 <filter-mapping> 20 <filter-name>springSecurityFilterChain</filter-name> 21 <url-pattern>/*</url-pattern> 22 </filter-mapping> 23 <welcome-file-list> 24 <welcome-file>index.html</welcome-file> 25 <welcome-file>index.htm</welcome-file> 26 <welcome-file>index.jsp</welcome-file> 27 <welcome-file>default.html</welcome-file> 28 <welcome-file>default.htm</welcome-file> 29 <welcome-file>default.jsp</welcome-file> 30 </welcome-file-list> 31 </web-app>
1.3在resource資源路徑下新建一個該框架的核心配置文件spring-security.xml
1 <?xml version="1.0" encoding="UTF-8"?> 2 <beans xmlns="http://www.springframework.org/schema/beans" 3 xmlns:security="http://www.springframework.org/schema/security" 4 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 5 xsi:schemaLocation="http://www.springframework.org/schema/beans 6 http://www.springframework.org/schema/beans/spring-beans.xsd 7 http://www.springframework.org/schema/security 8 http://www.springframework.org/schema/security/spring-security.xsd"> 9 <security:http auto-config="true" use-expressions="false"> 10 <!-- intercept-url定義一個過濾規則 pattern表示對哪些url進行許可權控制,ccess屬性表示在請求對應 11 的URL時需要什麼許可權, 12 默認配置時它應該是一個以逗號分隔的角色列表,請求的用戶只需擁有其中的一個角色就能成功訪問對應 13 的URL --> 14 <security:intercept-url pattern="/**" access="ROLE_USER" /> 15 <!-- auto-config配置後,不需要在配置下面資訊 <security:form-login /> 定義登錄表單資訊 16 <security:http-basic 17 /> <security:logout /> --> 18 </security:http> 19 <security:authentication-manager> 20 <security:authentication-provider> 21 <security:user-service> 22 <security:user name="user" password="{noop}user" 23 authorities="ROLE_USER" /> 24 <security:user name="admin" password="{noop}admin" 25 authorities="ROLE_ADMIN" /> 26 </security:user-service> 27 </security:authentication-provider> 28 </security:authentication-manager> 29 </beans>
1.4入門案例總結
啟動該入門案例發現直接跳轉到了登錄頁面,但是我們並沒有寫有關登錄的頁面,這個頁面是該框架本身自己的。
因為在核心配置文件中有<security:http auto-config=”true” use-expressions=”false”>開啟spring security的默認的配置,當然也可以自定義登錄頁面。
當我們隨意輸入一個用戶名”npf”和密碼”1233″(配置文件中沒有該用戶名密碼)時會出現如下提示
當我們輸入用戶名”admin”密碼”admin”(配置文件中有該用戶名密碼但該角色不符合要求)時會出現如下提示,該提示表示許可權不足。
當我們輸入用戶名”user”密碼”user”時能夠正常訪問到index.jsp頁面
上述簡單入門案例存在明顯不足之處,需要改進。
- 登錄頁面太簡陋需要自定義
- 登錄的帳號一般在資料庫中而不是在配置文件中
2.spring security在數據後台管理中的使用
為了確保數據的安全,在管理數據過程中需要對管理者的身份進行驗證,並且讓不同的管理者有不同的操作許可權。
2.1與入門案例相似,在pom.xml文件中引入相應坐標,並在web.xml中配置一個spring security的過濾器和引入spring security的核心配置文件。
1 <?xml version="1.0" encoding="UTF-8"?> 2 3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 5 <modelVersion>4.0.0</modelVersion> 6 7 <groupId>club.nipengfei</groupId> 8 <artifactId>ssm5</artifactId> 9 <version>1.0-SNAPSHOT</version> 10 <packaging>war</packaging> 11 12 <name>ssm5 Maven Webapp</name> 13 <!-- FIXME change it to the project's website --> 14 <url>http://www.example.com</url> 15 16 <properties> 17 <spring.version>5.0.2.RELEASE</spring.version> 18 <slf4j.version>1.6.6</slf4j.version> 19 <log4j.version>1.2.12</log4j.version> 20 <mysql.version>5.1.6</mysql.version> 21 <mybatis.version>3.4.5</mybatis.version> 22 <spring.security.version>5.0.1.RELEASE</spring.security.version> 23 </properties> 24 <dependencies> 25 <!-- spring --> 26 <dependency> 27 <groupId>org.aspectj</groupId> 28 <artifactId>aspectjweaver</artifactId> 29 <version>1.6.8</version> 30 </dependency> 31 <dependency> 32 <groupId>org.springframework</groupId> 33 <artifactId>spring-aop</artifactId> 34 <version>${spring.version}</version> 35 </dependency> 36 <dependency> 37 <groupId>org.springframework</groupId> 38 <artifactId>spring-context</artifactId> 39 <version>${spring.version}</version> 40 </dependency> 41 <dependency> 42 <groupId>org.springframework</groupId> 43 <artifactId>spring-web</artifactId> 44 <version>${spring.version}</version> 45 </dependency> 46 <dependency> 47 <groupId>org.springframework</groupId> 48 <artifactId>spring-webmvc</artifactId> 49 <version>${spring.version}</version> 50 </dependency> 51 <dependency> 52 <groupId>org.springframework</groupId> 53 <artifactId>spring-test</artifactId> 54 <version>${spring.version}</version> 55 </dependency> 56 <dependency> 57 <groupId>org.springframework</groupId> 58 <artifactId>spring-tx</artifactId> 59 <version>${spring.version}</version> 60 </dependency> 61 <dependency> 62 <groupId>org.springframework</groupId> 63 <artifactId>spring-jdbc</artifactId> 64 <version>${spring.version}</version> 65 </dependency> 66 <dependency> 67 <groupId>junit</groupId> 68 <artifactId>junit</artifactId> 69 <version>4.12</version> 70 <scope>compile</scope> 71 </dependency> 72 <dependency> 73 <groupId>mysql</groupId> 74 <artifactId>mysql-connector-java</artifactId> 75 <version>${mysql.version}</version> 76 </dependency> 77 <dependency> 78 <groupId>javax.servlet</groupId> 79 <artifactId>servlet-api</artifactId> 80 <version>2.5</version> 81 <scope>provided</scope> 82 </dependency> 83 <dependency> 84 <groupId>javax.servlet.jsp</groupId> 85 <artifactId>jsp-api</artifactId> 86 <version>2.0</version> 87 <scope>provided</scope> 88 </dependency> 89 <dependency> 90 <groupId>jstl</groupId> 91 <artifactId>jstl</artifactId> 92 <version>1.2</version> 93 </dependency> 94 <!-- log start --> 95 <dependency> 96 <groupId>log4j</groupId> 97 <artifactId>log4j</artifactId> 98 <version>${log4j.version}</version> 99 </dependency> 100 <dependency> 101 <groupId>org.slf4j</groupId> 102 <artifactId>slf4j-api</artifactId> 103 <version>${slf4j.version}</version> 104 </dependency> 105 <dependency> 106 <groupId>org.slf4j</groupId> 107 <artifactId>slf4j-log4j12</artifactId> 108 <version>${slf4j.version}</version> 109 </dependency> 110 <!-- log end --> 111 <dependency> 112 <groupId>org.mybatis</groupId> 113 <artifactId>mybatis</artifactId> 114 <version>${mybatis.version}</version> 115 </dependency> 116 <dependency> 117 <groupId>org.mybatis</groupId> 118 <artifactId>mybatis-spring</artifactId> 119 <version>1.3.0</version> 120 </dependency> 121 <dependency> 122 <groupId>c3p0</groupId> 123 <artifactId>c3p0</artifactId> 124 <version>0.9.1.2</version> 125 <type>jar</type> 126 <scope>compile</scope> 127 </dependency> 128 <dependency> 129 <groupId>com.github.pagehelper</groupId> 130 <artifactId>pagehelper</artifactId> 131 <version>5.1.2</version> 132 </dependency> 133 <dependency> 134 <groupId>org.springframework.security</groupId> 135 <artifactId>spring-security-web</artifactId> 136 <version>${spring.security.version}</version> 137 </dependency> 138 <dependency> 139 <groupId>org.springframework.security</groupId> 140 <artifactId>spring-security-config</artifactId> 141 <version>${spring.security.version}</version> 142 </dependency> 143 <dependency> 144 <groupId>org.springframework.security</groupId> 145 <artifactId>spring-security-core</artifactId> 146 <version>${spring.security.version}</version> 147 </dependency> 148 <dependency> 149 <groupId>org.springframework.security</groupId> 150 <artifactId>spring-security-taglibs</artifactId> 151 <version>${spring.security.version}</version> 152 </dependency> 153 154 <dependency> 155 <groupId>mysql</groupId> 156 <artifactId>mysql-connector-java</artifactId> 157 <version>${mysql.version}</version> 158 </dependency> 159 160 <dependency> 161 <groupId>javax.annotation</groupId> 162 <artifactId>jsr250-api</artifactId> 163 <version>1.0</version> 164 </dependency> 165 166 </dependencies> 167 168 <build> 169 <finalName>ssm5</finalName> 170 <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) --> 171 <plugins> 172 <plugin> 173 <artifactId>maven-clean-plugin</artifactId> 174 <version>3.1.0</version> 175 </plugin> 176 <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging --> 177 <plugin> 178 <artifactId>maven-resources-plugin</artifactId> 179 <version>3.0.2</version> 180 </plugin> 181 <plugin> 182 <artifactId>maven-compiler-plugin</artifactId> 183 <version>3.8.0</version> 184 </plugin> 185 <plugin> 186 <artifactId>maven-surefire-plugin</artifactId> 187 <version>2.22.1</version> 188 </plugin> 189 <plugin> 190 <artifactId>maven-war-plugin</artifactId> 191 <version>3.2.2</version> 192 </plugin> 193 <plugin> 194 <artifactId>maven-install-plugin</artifactId> 195 <version>2.5.2</version> 196 </plugin> 197 <plugin> 198 <artifactId>maven-deploy-plugin</artifactId> 199 <version>2.8.2</version> 200 </plugin> 201 </plugins> 202 </pluginManagement> 203 </build> 204 </project>
pom.xml
1 <?xml version="1.0" encoding="UTF-8"?> 2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 3 xmlns="http://xmlns.jcp.org/xml/ns/javaee" 4 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" 5 version="3.1"> 6 7 <display-name>Archetype Created web Application</display-name> 8 <!--配置監聽器,默認只載入WEB-INF目錄下的applicationContext.xml配置文件--> 9 <listener> 10 <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 11 </listener> 12 <!--設置配置文件路徑--> 13 <context-param> 14 <param-name>contextConfigLocation</param-name> 15 <param-value>classpath*:applicationContext.xml,classpath*:spring-security.xml</param-value> 16 </context-param> 17 <!--配置前端控制器--> 18 <servlet> 19 <servlet-name>dispatcherServlet</servlet-name> 20 <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 21 <!--載入springmvc.xml配置文件--> 22 <init-param> 23 <param-name>contextConfigLocation</param-name> 24 <param-value>classpath:springmvc.xml</param-value> 25 </init-param> 26 <!--啟動伺服器,創建servlet--> 27 <load-on-startup>1</load-on-startup> 28 </servlet> 29 <servlet-mapping> 30 <servlet-name>dispatcherServlet</servlet-name> 31 <url-pattern>*.do</url-pattern> 32 </servlet-mapping> 33 34 <!--解決中文亂碼過濾器--> 35 <filter> 36 <filter-name>characterEncodingFilter</filter-name> 37 <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class> 38 <init-param> 39 <param-name>encoding</param-name> 40 <param-value>UTF-8</param-value> 41 </init-param> 42 </filter> 43 <filter-mapping> 44 <filter-name>characterEncodingFilter</filter-name> 45 <url-pattern>/*</url-pattern> 46 </filter-mapping> 47 48 <!--spring security的過濾器--> 49 <filter> 50 <filter-name>springSecurityFilterChain</filter-name> 51 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 52 </filter> 53 <filter-mapping> 54 <filter-name>springSecurityFilterChain</filter-name> 55 <url-pattern>/*</url-pattern> 56 </filter-mapping> 57 58 <welcome-file-list> 59 <welcome-file>index.html</welcome-file> 60 <welcome-file>index.htm</welcome-file> 61 <welcome-file>index.jsp</welcome-file> 62 <welcome-file>default.html</welcome-file> 63 <welcome-file>default.htm</welcome-file> 64 <welcome-file>default.jsp</welcome-file> 65 </welcome-file-list> 66 </web-app>
web.xml
2.2配置spring security的核心配置文件
與入門案例相比,這裡配置了不攔截的資源,自定義了登錄頁面,實現了退出操作,將原先定義在配置頁面中的登錄用戶名和密碼切換成在資料庫中。
1 <?xml version="1.0" encoding="UTF-8"?> 2 <beans xmlns="http://www.springframework.org/schema/beans" 3 xmlns:security="http://www.springframework.org/schema/security" 4 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 5 xsi:schemaLocation="http://www.springframework.org/schema/beans 6 http://www.springframework.org/schema/beans/spring-beans.xsd 7 http://www.springframework.org/schema/security 8 http://www.springframework.org/schema/security/spring-security.xsd"> 9 10 <!-- 配置不攔截的資源 --> 11 <security:http pattern="/login.jsp" security="none"/> 12 <security:http pattern="/failer.jsp" security="none"/> 13 <security:http pattern="/css/**" security="none"/> 14 <security:http pattern="/img/**" security="none"/> 15 <security:http pattern="/plugins/**" security="none"/> 16 17 <!-- 18 配置具體的規則 19 auto-config="true" 不用自己編寫登錄的頁面,框架提供默認登錄頁面 20 use-expressions="false" 是否使用SPEL表達式(沒學習過) 21 --> 22 <security:http auto-config="true" use-expressions="true"> 23 <!-- 配置具體的攔截的規則 pattern="請求路徑的規則" access="訪問系統的人,必須有ROLE_USER的角色" --> 24 <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/> 25 26 <!-- 定義跳轉的具體的頁面 --> 27 <security:form-login 28 login-page="/login.jsp" 29 login-processing-url="/login.do" 30 default-target-url="/index.jsp" 31 authentication-failure-url="/failer.jsp" 32 authentication-success-forward-url="/pages/main.jsp" 33 /> 34 35 <!-- 關閉跨域請求 --> 36 <security:csrf disabled="true"/> 37 38 <!-- 退出 --> 39 <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp" /> 40 41 </security:http> 42 43 <!-- 切換成資料庫中的用戶名和密碼 --> 44 <security:authentication-manager> 45 <security:authentication-provider user-service-ref="userService"> 46 <!-- 配置加密的方式 --> 47 <security:password-encoder ref="passwordEncoder"/> 48 </security:authentication-provider> 49 </security:authentication-manager> 50 51 <!-- 配置加密類 --> 52 <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/> 53 54 </beans>
2.3使用資料庫完成用戶登錄流程
下面是使用資料庫完成認證操作的流程圖
在Spring Security中如果想要使用數據進行認證操作,有很多種操作方式,這裡我們介紹使用UserDetails、UserDetailsService來完成操作。
IUserService介面繼承了UserDetailsService類,UserServiceImpl類實現了IUserService介面。
UserDetailsService 介面內有一個loadUserByUsername方法,返回的是UserDetails。
1 public interface UserDetailsService { 2 // ~ Methods 3 // ======================================================================================================== 4 5 /** 6 * Locates the user based on the username. In the actual implementation, the search 7 * may possibly be case sensitive, or case insensitive depending on how the 8 * implementation instance is configured. In this case, the <code>UserDetails</code> 9 * object that comes back may have a username that is of a different case than what 10 * was actually requested.. 11 * 12 * @param username the username identifying the user whose data is required. 13 * 14 * @return a fully populated user record (never <code>null</code>) 15 * 16 * @throws UsernameNotFoundException if the user could not be found or the user has no 17 * GrantedAuthority 18 */ 19 UserDetails loadUserByUsername(String username) throws UsernameNotFoundException; 20 }
根據spring-security的核心配置文件,需要將UserServiceImpl類命名為”userService”,並實現loadUserByUsername方法。
loadUserByUsername方法根據用戶名從資料庫中查詢用戶資訊UserInfo,並將UserInfo的用戶名,密碼和角色資訊作為User的構造參數。
1 package club.nipengfei.service.impl; 2 3 import club.nipengfei.dao.IUserDao; 4 import club.nipengfei.domain.Role; 5 import club.nipengfei.domain.UserInfo; 6 import club.nipengfei.service.IUserService; 7 import org.springframework.beans.factory.annotation.Autowired; 8 import org.springframework.security.core.authority.SimpleGrantedAuthority; 9 import org.springframework.security.core.userdetails.User; 10 import org.springframework.security.core.userdetails.UserDetails; 11 import org.springframework.security.core.userdetails.UsernameNotFoundException; 12 import org.springframework.stereotype.Service; 13 import org.springframework.transaction.annotation.Transactional; 14 15 import java.util.ArrayList; 16 import java.util.Collection; 17 import java.util.List; 18 19 @Service("userService") 20 @Transactional 21 public class UserServiceImpl implements IUserService { 22 23 @Autowired 24 private IUserDao userDao; 25 26 public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { 27 UserInfo userInfo = null; 28 try { 29 userInfo = userDao.findByUsername(username);31 } catch (Exception e) { 32 e.printStackTrace(); 33 } 34 // 處理自己的用戶對象分裝成UserDetails 35 // 該spring security的User實現了UserDetails 36 User user = new User(userInfo.getUsername(),userInfo.getPassword(),getAuthority(userInfo.getRoles()));38 return user; 39 } 40 41 public List<SimpleGrantedAuthority> getAuthority(List<Role> roles) { 42 List<SimpleGrantedAuthority> list = new ArrayList<SimpleGrantedAuthority>(); 43 for (Role role:roles){ 44 list.add(new SimpleGrantedAuthority("ROLE_"+role.getRoleName())); 45 } 46 return list; 47 } 48 }
介面UserDetails,封裝了當前認證用戶的資訊,但由於是一個介面,我們可以對其實現,也可以使用spring security提供的UserDetails實現類User完成操作
1 public interface UserDetails extends Serializable { 2 Collection<? extends GrantedAuthority> getAuthorities(); 3 String getPassword(); 4 String getUsername(); 5 boolean isAccountNonExpired(); 6 boolean isAccountNonLocked(); 7 boolean isCredentialsNonExpired(); 8 boolean isEnabled(); 9 }
1 public class User implements UserDetails, CredentialsContainer { 2 private String password; 3 private final String username; 4 private final Set<GrantedAuthority> authorities; 5 private final boolean accountNonExpired; //帳戶是否過期 6 private final boolean accountNonLocked; //帳戶是否鎖定 7 private final boolean credentialsNonExpired; //認證是否過期 8 private final boolean enabled; //帳戶是否可用 9 }
下面是根據用戶名查詢用戶資訊的IUserDao介面
1 package club.nipengfei.dao; 2 3 import club.nipengfei.domain.UserInfo; 4 import org.apache.ibatis.annotations.Many; 5 import org.apache.ibatis.annotations.Result; 6 import org.apache.ibatis.annotations.Results; 7 import org.apache.ibatis.annotations.Select; 8 9 public interface IUserDao { 10 11 @Select("select * from users where username=#{username}") 12 @Results({ 13 @Result(id = true,property = "id",column = "id"), 14 @Result(property = "username",column = "username"), 15 @Result(property = "email",column = "email"), 16 @Result(property = "password",column = "password"), 17 @Result(property = "phoneNum",column = "phoneNum"), 18 @Result(property = "status",column = "status"), 19 @Result(property = "roles",column = "id",javaType = java.util.List.class,many = @Many(select = "club.nipengfei.dao.IRoleDao.findRoleByUserId")) 20 }) 21 public UserInfo findByUsername(String username) throws Exception; 22 }
2.4使用spring security完成許可權控制(JSR-250註解)
不同的用戶有不同的角色,根據角色使用戶有不同的許可權。在伺服器端我們可以通過Spring security提供的註解對方法來進行許可權控制。Spring Security在方法的許可權控制上支援三種類型的註解,JSR-250註解、@Secured註解和支援表達式的註解,這三種註解默認都是沒有啟用的,需要單獨通過global-method-security元素的對應屬性進行啟用
下面使用JSR-250註解完成許可權控制:
需要在security-security.xml中開啟許可權,並且在pom.xml引入坐標
<security:global-method-security jsr250-annotations="enabled"></security:global-method-security>
<dependency> <groupId>javax.annotation</groupId> <artifactId>jsr250-api</artifactId> <version>1.0</version> </dependency>
- @RolesAllowed表示訪問對應方法時所應該具有的角色
- @PermitAll表示允許所有的角色進行訪問,也就是說不進行許可權控制
- @DenyAll是和PermitAll相反的,表示無論什麼角色都不能訪問
示例:
@RolesAllowed({"USER", "ADMIN"}) 該方法只要具有"USER", "ADMIN"任意一種許可權就可以訪問。這裡可以省略前綴ROLE_,實際的許可權可能是ROLE_ADMIN
2.5使用spring security完成許可權控制(@Secured註解)
與上面的類似,少一步pom.xml坐標引入,因為該註解是spring security本身提供的。
