springboot + springsecurity(系统认证与权限控制)
1、什么是spring security?
Spring Security 用来为java应用提供认证和授权管理,是一个强大的并且可以自定义的认证和权限控制框架。
最主要的就是两部分内容:Authentication(认证)和Authorization(授权,也称访问控制)
Authentication(认证):验证当前用户是否是系统中的合法主体,也就是说此用户能否访问系统。用户认证一般要求用户输入用户名和密码,系统通过校验用户名和密码来完成整个认证过程。
Authorization(授权):验证某个用户是否有权限执行某个操作。系统中不同的用户所拥有的权限是不一样的,系统会为不同的用户分配不同的角色,而每个角色则对应一系列的系统资源的权限。
2、开始一个简单的项目(跟着别人的博客学习,然后自己试着从头搭一次帮助理解)。
2.1、首先创建一个springboot项目(主要是选择Mybatis和redis等依赖),创建好的项目目录大致如下图所示:
2.2、pom文件如下:
<dependencies>
<!--使用Spring缓存-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-cache</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-redis</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.0.1</version>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>6.0.6</version>
</dependency>
<!-- 引入thymeleaf的依赖包. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<!--kaptcha验证码生成器-->
<dependency>
<groupId>com.github.axet</groupId>
<artifactId>kaptcha</artifactId>
<version>0.0.9</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.0.31</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
2.3、application.yml(把原来application.properties改成.yml的后缀)
2.4、建表(一共有五张表user、role、menu、user_role、role_menu)表之间的关系如下图:
2.5、生成对应的实体类和mapper.xml文件以及service层的方法:
2.6、准备好所有前端页面:
2.7、spring security的配置
package com.example.demo.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception{
auth.userDetailsService(customUserDetailsService())
.passwordEncoder(passwordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// 所有用户均可访问的资源
.antMatchers( "/favicon.ico","/css/**","/common/**","/js/**","/images/**","/captcha.jpg","/login","/userLogin","/login-error").permitAll()
// 任何尚未匹配的URL只需要验证用户即可访问
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login").successForwardUrl("/index").failureForwardUrl("/login?error=1")
.and()
//权限拒绝的页面
.exceptionHandling().accessDeniedPage("/403");
http.logout().logoutSuccessUrl("/login");
}
/**
* 设置用户密码的加密方式
* @return
*/
@Bean
public Md5PasswordEncoder passwordEncoder() {
return new Md5PasswordEncoder();
}
/**
* 自定义UserDetailsService,授权
* @return
*/
@Bean
public CustomUserDetailsService customUserDetailsService(){
return new CustomUserDetailsService();
}
/**
* AuthenticationManager
* @return
* @throws Exception
*/
@Bean(name = BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
}
密码加密规则:此处没有加密
package com.example.demo.security;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* 自定义密码比较器 3
* 在此 密码我就不加密了
*/
public class Md5PasswordEncoder implements PasswordEncoder {
@Override
public String encode(CharSequence charSequence) {
return charSequence.toString();
}
@Override
public boolean matches(CharSequence charSequence, String s) {
return s.equals(charSequence);
}
}
UserDetail来实现UserDetailsService接口:
package com.example.demo.security;
import com.example.demo.dto.Menu;
import com.example.demo.dto.User;
import com.example.demo.service.MenuService;
import com.example.demo.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import java.util.ArrayList;
import java.util.List;
/**
* 认证和授权
*/
@Service
public class CustomUserDetailsService implements UserDetailsService {
@Autowired
private UserService userService;
@Autowired
private MenuService menuService;
@Override
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
//--------------------认证账号
User user = userService.loadUserByUsername(s);
if (user == null) {
throw new UsernameNotFoundException("账号不存在");
}
//-------------------开始授权
List<Menu> menus = menuService.getMenusByUserId(user.getId());
List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
for (Menu menu : menus) {
GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(menu.getUrl());
//此处将权限信息添加到 GrantedAuthority 对象中,在后面进行全权限验证时会使用GrantedAuthority 对象。
grantedAuthorities.add(grantedAuthority);
}
user.setAuthorities(grantedAuthorities);
return user;
}
}
自定义SpringSecurityUtils工具类,校验是否拥有权限:
package com.example.demo.security;
import com.example.demo.dto.User;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.StringUtils;
import java.util.Collection;
public class SecurityUtils {
public static Authentication getAuthentication() {
return SecurityContextHolder.getContext().getAuthentication();
}
public static Collection<? extends GrantedAuthority> getAllPermission(){
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
return authorities;
}
public static boolean hasPermission(String permission){
if(StringUtils.isEmpty(permission)){
return false;
}
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
boolean hasPermission = false;
for(GrantedAuthority grantedAuthority : authorities){
String authority = grantedAuthority.getAuthority();
if(authority.equals(permission)){
hasPermission =true;
}
}
return hasPermission;
}
public static User getUser() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
return (User) authentication.getPrincipal();
}
public static void logout(){
SecurityContextHolder.clearContext();
}
}
2.8、在登陆方法中,使用AuthenticationManager拦截登陆请求
package com.example.demo.controller;
import com.example.demo.common.util.ConstantVal;
import com.example.demo.dto.ReturnMessage;
import com.example.demo.dto.User;
import com.google.code.kaptcha.impl.DefaultKaptcha;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.imageio.ImageIO;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.awt.image.BufferedImage;
import java.io.IOException;
@Controller
public class LoginController {
@Autowired
private AuthenticationManager myAuthenticationManager;
@Autowired
DefaultKaptcha defaultKaptcha;
@RequestMapping(value = "/userLogin")
public String userLogin(HttpServletRequest request) {
User userInfo = new User();
String username = request.getParameter("username");
String password = request.getParameter("password");
String kaptcha = request.getParameter("kaptcha");
userInfo.setUsername(username);
userInfo.setPassword(password);
String s = request.getSession().getAttribute(ConstantVal.CHECK_CODE).toString();
if (StringUtils.isEmpty(kaptcha) || !s.equals(kaptcha)) {
return "redirect:login-error?error=1";
}
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, password);
try{
//使用SpringSecurity拦截登陆请求 进行认证和授权
Authentication authenticate = myAuthenticationManager.authenticate(usernamePasswordAuthenticationToken);
SecurityContextHolder.getContext().setAuthentication(authenticate);
//使用redis session共享
HttpSession session = request.getSession();
session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext()); // 这个非常重要,否则验证后将无法登陆
}catch (Exception e){
e.printStackTrace();
return "redirect:login-error?error=2";
}
return "redirect:index";
}
@RequestMapping("/captcha.jpg")
@ResponseBody
public ReturnMessage applyCheckCode(HttpServletRequest request, HttpServletResponse response) throws IOException {
ReturnMessage r = new ReturnMessage();
response.setHeader("Cache-Control", "no-store, no-cache");
response.setContentType("image/jpeg");
//生成文字验证码
String text = defaultKaptcha.createText();
//生成图片验证码
BufferedImage image = defaultKaptcha.createImage(text);
//保存到session
request.getSession().setAttribute(ConstantVal.CHECK_CODE, text);
ServletOutputStream out = response.getOutputStream();
ImageIO.write(image, "jpg", out);
return r;
}
}
3、user表中有两个用户一个admin,一个user,admin具有所有权限,而user不具有操作权限
4、说明
本篇文章是完全根据 别等时光染了梦想这个博主的这篇文章来写的,他的git上源码拉下来可以直接运行(注意:他的userMapper.xml中的表名USER大写了,会报此表不存在的错误)。根据他的文章内容结合代码可以较快的学习springboot 整合 security的内容,并且可以使用的这个demo来慢慢掌握security的内容。建议看着代码 然后自己从新来整合一遍,会更加加深印象。