Spring Security整合SSM

最新推荐文章于 2024-01-22 16:55:22 发布

原创最新推荐文章于 2024-01-22 16:55:22 发布 · 331 阅读

1 ·

CC 4.0 BY-SA版权

文章标签：

#spring

本文详细介绍SpringSecurity框架的导入与配置步骤，包括Maven依赖、过滤器配置及XML文件模板。同时，深入讲解如何实现用户认证与授权，涉及自定义登录页面、权限注解使用等关键环节。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

简介

Spring Security是 Spring提供的安全认证服务的框架。使用Spring Security可以帮助我们来简化认证和授权的过程。官网：https://spring.io/projects/spring-security.

1.1导入Spring Security环境

第一步：对应的maven坐标：

<dependency>  
	<groupId>org.springframework.security</groupId> 
    <artifactId>spring-security-web</artifactId>  
    <version>5.0.5.RELEASE</version>
</dependency> 
<dependency>  
	 <groupId>org.springframework.security</groupId>  
	 <artifactId>spring-security-config</artifactId>  
	 <version>5.0.5.RELEASE</version>
</dependency>

第二步：在工程的web.xml文件中配置用于整合Spring Security框架的过滤器 DelegatingFilterProxy

<!--委派过滤器，用于整合其他框架-->
<filter>
	<!--整合spring security时，此过滤器的名称固定springSecurityFilterChain-->
	<filter-name>springSecurityFilterChain</filter-name>
	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filterclass>
</filter>
<filter-mapping>
	<filter-name>springSecurityFilterChain</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

第三步：配置Spring Security的xml文件，这里有个模板，可以拿来稍微改改直接用

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
						http://www.springframework.org/schema/beans/spring-beans.xsd
						http://www.springframework.org/schema/mvc
						http://www.springframework.org/schema/mvc/spring-mvc.xsd
						http://code.alibabatech.com/schema/dubbo
						http://code.alibabatech.com/schema/dubbo/dubbo.xsd
						http://www.springframework.org/schema/context
						http://www.springframework.org/schema/context/spring-context.xsd
                     http://www.springframework.org/schema/security
                     http://www.springframework.org/schema/security/spring-security.xsd">

    <!--配置哪些资源匿名可以访问（不登录也可以访问）-->
    <!--<security:http security="none" pattern="/pages/a.html"></security:http>
    <security:http security="none" pattern="/pages/b.html"></security:http>-->
    <!--<security:http security="none" pattern="/pages/**"></security:http>-->
    <security:http security="none" pattern="/login.html"></security:http>
    <security:http security="none" pattern="/css/**"></security:http>
    <security:http security="none" pattern="/img/**"></security:http>
    <security:http security="none" pattern="/js/**"></security:http>
    <security:http security="none" pattern="/plugins/**"></security:http>
<!--    <security:http security="none" pattern="/statics/**"></security:http>-->
    <!--
        auto-config:自动配置，如果设置为true，表示自动应用一些默认配置，比如框架会提供一个默认的登录页面
        use-expressions:是否使用spring security提供的表达式来描述权限
    -->
    <security:http auto-config="true" use-expressions="true">
        <security:headers>
            <!--设置在页面可以通过iframe访问受保护的页面，默认为不允许访问-->
            <security:frame-options policy="SAMEORIGIN"></security:frame-options>
        </security:headers>
        <!--配置拦截规则, 表示拦截所有请求-->
        <!--
            pattern:描述拦截规则
            asscess:指定所需的访问角色或者访问权限
        -->
        <!--只要认证通过就可以访问-->
        <security:intercept-url pattern="/pages/**"  access="isAuthenticated()" />

        <!--如果我们要使用自己指定的页面作为登录页面，必须配置登录表单.页面提交的登录表单请求是由框架负责处理-->
        <!--
            login-page:指定登录页面访问URL
        -->
        <security:form-login
                login-page="/login.html"
                username-parameter="username"
                password-parameter="password"
                login-processing-url="/login.do"
                default-target-url="/pages/index.html"
                authentication-failure-url="/login.html"></security:form-login>

        <!--
          csrf：对应CsrfFilter过滤器
          disabled：是否启用CsrfFilter过滤器，如果使用自定义登录页面需要关闭此项，否则登录操作会被禁用（403）
        -->
        <security:csrf disabled="true"></security:csrf>

        <!--
          logout：退出登录
          logout-url：退出登录操作对应的请求路径
          logout-success-url：退出登录后的跳转页面
        -->
        <security:logout logout-url="/logout.do"
                         logout-success-url="/login.html" invalidate-session="true"/>

    </security:http>

    <!--配置认证管理器-->
    <security:authentication-manager>
        <!--配置认证提供者-->
        <security:authentication-provider user-service-ref="springSecurityUserService">
            <!--
                    配置一个具体的用户，后期需要从数据库查询用户
            <security:user-service>
                <security:user name="admin" password="{noop}1234" authorities="ROLE_ADMIN"/>
            </security:user-service>
            -->
            <!--指定度密码进行加密的对象-->
            <security:password-encoder ref="passwordEncoder"></security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

    <!--配置密码加密对象-->
    <bean id="passwordEncoder"
          class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <!--开启注解方式权限控制-->
    <security:global-method-security pre-post-annotations="enabled" />
</beans>

1.2 实现认证和授权

首先在service包下创建一个类，并实现UserDetailsService接口,重写接口方法，方法的参数是将前端的用户名传过来，我们需要返回用户名、密码、角色和权限（List）信息封装到框架给我们提供的User对象，让框架进行比对

package com.app.service;
import com.alibaba.dubbo.config.annotation.Reference;
import com.app.pojo.DevUser;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;

@Component
public class SpringSecurityUserService implements UserDetailsService {

    @Reference
    private DevUserService devUserService;
    
    /**
     * 使用Spring Security框架对用户进行认证授权
     * @param username
     * @return
     * @throws UsernameNotFoundException
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        //向数据库去拿user信息
        DevUser user = devUserService.findByUserName(username);
        if(user == null){
            //当没查到用户就说明该用户不存在
            return null;
        }
        List<GrantedAuthority> list = new ArrayList<>();
        /*list.add(new SimpleGrantedAuthority("permission_A"));//授权
        list.add(new SimpleGrantedAuthority("ROLE_ADMIN"));*/

        User securityUser = new User(username, user.getDevPassword(), list);
        return securityUser;
    }
}

在Controller中方法上添加该注解，表示给方法授予权限，必须要有权限该方法才能访问，否则返回给前台403（权限不足），字符串以’ROLE’开头框架默认当做角色处理

@PreAuthorize("hasAuthority('add')")//调用此方法要求当前用户必须具有add权限

@PreAuthorize("hasRole('ROLE_ADMIN')")//调用此方法要求当前用户必须具有ROLE_ADMIN角色