一、导入依赖
导入 spring-boot-starter-security 依赖,在 SpringBoot 2.0 环境下默认使用的是 5.0 版本。
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.2</version>
</dependency>
<!--注意,这里必须要指定版本,MySQL5用的驱动url是com.mysql.jdbc.Driver,
MySQL6以后用的是com.mysql.cj.jdbc.Driver。版本不匹配便会报驱动类已过时的错误。-->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.15</version>
</dependency>二、创建数据库
一般权限控制有三层,即:用户<–>角色<–>权限,用户与角色是多对多,角色和权限也是多对多。这里我们先暂时不考虑权限,只考虑用户<–>角色。
-- 创建用户表 sys_user: --
DROP TABLE IF EXISTS `sys_user`;
CREATE TABLE `sys_user`(
`id` int(11) NOT NULL AUTO_INCREMENT,
`name` varchar(255) NOT NULL,
`password` varchar(255) NOT NULL,
PRIMARY KEY (`id`)
)ENGINE=InnoDB DEFAULT CHARSET = utf8;
-- 创建权限表 sys_role: --
DROP TABLE IF EXISTS `sys_role`;
CREATE TABLE `sys_role`(
`id` int(11) NOT NULL AUTO_INCREMENT,
`name` varchar(255) NOT NULL,
PRIMARY KEY (`id`)
)ENGINE=InnoDB DEFAULT CHARSET = utf8;
-- 创建用户-角色表 sys_user_role:(外键这里有点困惑,先标记下) --
DROP TABLE IF EXISTS `sys_user_role`;
CREATE TABLE `sys_user_role`(
`user_id` int(11) NOT NULL ,
`role_id` int(11) NOT NULL,
PRIMARY KEY (`user_id`,`role_id`),
KEY `fk_role_id` (`role_id`),
CONSTRAINT `fk_role_id` FOREIGN KEY (`role_id`) REFERENCES `sys_role` (`id`) ON DELETE CASCADE ON UPDATE CASCADE,
CONSTRAINT `fk_user_id` FOREIGN KEY (`user_id`) REFERENCES `sys_user` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
)ENGINE=InnoDB DEFAULT CHARSET = utf8;
-- 添加数据:(注意:传值的时候里面是单引号,如:'1') --
INSERT INTO `sys_role` VALUES ('1', 'ROLE_ADMIN');
INSERT INTO `sys_role` VALUES ('2', 'ROLE_USER');
INSERT INTO `sys_user` VALUES ('1', 'admin', '123');
INSERT INTO `sys_user` VALUES ('2', 'jitwxs', '123');
INSERT INTO `sys_user_role` VALUES ('1', '1');
INSERT INTO `sys_user_role` VALUES ('2', '2');注意:权限格式为 ROLE_XXX,是 Spring Security 的规定。
三、准备页面
因为是示例程序,页面越简单越好,只用于登录的 login.html 以及用于登录成功后的 home.html,将其放置在 resources/static 目录下:
(1)login.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>登录</title>
</head>
<body>
<h1>欢迎来到登录页面</h1>
<form action="/login" method="post">
<div>
用户名:<input type="text" name="username">
</div>
<div>
密码:<input type="password" name="password">
</div>
<div>
<button type="submit">立即登录</button>
</div>
</form>
</body>
</html>注意:用户的登录认证是由 Spring Security 进行处理的,请求路径默认为 /login,用户名字段默认为 username,密码字段默认为 password 。
(2)home.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>欢迎回家</title>
</head>
<body>
<h1>登录成功</h1>
<a href="/admin">检测是否具有ROLE_ADMIN角色</a>
<a href="/user">检测是否具有ROLE_USER角色</a>
<button onclick="window.location.href='/logout'">退出登录</button>
</body>
</html>四、配置 application.properties
在配置文件中配置下数据库连接:
spring.datasource.username=root
spring.datasource.password=root
#JDBC连接MySQL6 (com.mysql.cj.jdbc.Driver), 需要指定时区serverTimezone,否则会报错
spring.datasource.url=jdbc:mysql://localhost:3306/spring_security?useUnicode=true&characterEncoding=UTF-8&serverTimezone=Asia/Shanghai
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
#开启下划线转驼峰命令法
mybatis.configuration.map-underscore-to-camel-case=true五、创建Model实体、Mapper、Service 和 Controller
5.1 Model
(1)SysUser
com.gavin.springsecuriity01.Model.SysUser
public class SysUser implements Serializable{
static final long serialVersionUID = 1L;
private Integer id;
//这里必须是name,与数据库对应,否则运行会报错
private String name;
private String password;
// 省略getter/setter
}(2)SysRole
public class SysRole implements Serializable {
static final long serialVersionUID = 1L;
private Integer id;
private String name;
// 省略getter/setter
}(3)SysUserRole
public class SysUserRole implements Serializable {
static final long serialVersionUID = 1L;
private Integer userId;
private Integer roleId;
// 省略getter/setter
}5.2 Mapper
(1)SysUserMapper
com.gavin.springsecuriity01.Mapper.SysUserMapper
@Mapper
public interface SysUserMapper {
@Select("SELECT * FROM sys_user WHERE id = #{id}")
SysUser selectById(Integer id);
@Select("SELECT * FROM sys_user WHERE name = #{name}")
SysUser selectByName(String name);
}(2)SysRoleMapper
@Mapper
public interface SysRoleMapper {
@Select("SELECT * FROM sys_role WHERE id = #{id}")
SysRole selectById(Integer id);
}(3)SysUserRoleMapper
@Mapper
public interface SysUserRoleMapper {
@Select("SELECT * FROM sys_user_role WHERE user_id = #{id}")
List<SysUserRole> listByUserId(Integer userId);
}5.3 Service
(1)SysUserService
@Service
public class SysUserService {
@Autowired
SysUserMapper sysUserMapper;
public SysUser selectById(Integer id){
return sysUserMapper.selectById(id);
}
public SysUser selectByName(String name){
return sysUserMapper.selectByName(name);
}
}(2)SysRoleService
@Service
public class SysRoleService {
@Autowired
SysRoleMapper sysRoleMapper;
public SysRole selectById(Integer id){
return sysRoleMapper.selectById(id);
}
}(3)SysUserRoleService
@Service
public class SysUserRoleService {
@Autowired
SysUserRoleMapper sysUserRoleMapper;
public List<SysUserRole> listByUserId(Integer userId){
return sysUserRoleMapper.listByUserId(userId);
}
}5.4 Controller
@Controller
public class LoginController {
private Logger logger = LoggerFactory.getLogger(LoginController.class);
@RequestMapping("/")
public String showHome(){
String name = SecurityContextHolder.getContext().getAuthentication().getName();
logger.info("当前登录用户:"+name);
return "home.html";
}
@RequestMapping("/login")
public String showLogin(){
return "login.html";
}
@RequestMapping("/admin")
@ResponseBody
@PreAuthorize("hasRole('ROLE_ADMIN')")
public String printAdmin(){
return "如果你看见这句话,说明你有ROLE_ADMIN角色";
}
@RequestMapping("/user")
@ResponseBody
@PreAuthorize("hasRole('ROLE_USER')")
public String printUser(){
return "如果你看见这句话,说明你有ROLE_USER角色";
}
}- 如代码所示,获取当前登录用户:
SecurityContextHolder.getContext().getAuthentication() @PreAuthorize用于判断用户是否有指定权限,没有就不能访问
六、配置 SpringSecurity
6.1 UserDetailsService
首先我们需要自定义 UserDetailsService ,将用户信息和权限注入进来。
我们需要重写 loadUserByUsername 方法,参数是用户输入的用户名。返回值是UserDetails,这是一个接口,一般使用它的子类org.springframework.security.core.userdetails.User,它有三个参数,分别是用户名、密码和权限集。
实际情况下,大多将 DAO 中的 User 类继承
org.springframework.security.core.userdetails.User返回。
@Service("userDetailsService")
public class CustomUserDetailsService implements UserDetailsService {
@Autowired
SysUserService sysUserService;
@Autowired
SysRoleService sysRoleService;
@Autowired
SysUserRoleService sysUserRoleService;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
Collection<GrantedAuthority> authorities = new ArrayList<>();
//从数据库中取出用户信息
SysUser user = sysUserService.selectByName(username);
//判断用户是否存在
if(user == null){
throw new UsernameNotFoundException("用户名不存在!!");
}
//如果用户存在,就添加权限给他
List<SysUserRole> userRoles = sysUserRoleService.listByUserId(user.getId());
for(SysUserRole userRole:userRoles){
SysRole role = sysRoleService.selectById(userRole.getRoleId());
authorities.add(new SimpleGrantedAuthority(role.getName()));
}
//返回UserDetails的实现类
return new User(user.getName(),user.getPassword(),authorities);
}
}6.2 WebSecurityConfig
该类是 Spring Security 的配置类,该类的三个注解分别是标识该类是配置类、开启 Security 服务、开启全局 Securtiy 注解。
首先将我们自定义的 userDetailsService 注入进来,在 configure() 方法中使用 auth.userDetailsService() 方法替换掉默认的 userDetailsService。
这里我们还指定了密码的加密方式(5.0 版本强制要求设置),因为我们数据库是明文存储的,所以明文返回即可,如下所示:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
CustomUserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new PasswordEncoder() {
@Override
public String encode(CharSequence rawPassword) {
return rawPassword.toString();
}
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword) {
return encodedPassword.equals(rawPassword.toString());
}
});
}
@Override
public void configure(WebSecurity web) throws Exception {
//设置拦截忽略文件夹,可以对静态资源访问
web.ignoring().antMatchers("/css/**","/js/**","/css/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// 如果有允许匿名的url,填在下面
// .antMatchers().permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/").permitAll()
// 自定义登录用户名和密码参数,默认为username和password
// .usernameParameter("username")
// .passwordParameter("password")
.and()
.logout().permitAll();
//关闭CRSF跨域
http.csrf().disable();
}
}七、运行程序
ROLE_ADMIN 账户:用户名 admin,密码 123
ROLE_USER 账户:用户名 jitwxs,密码 123
注:本系列文章来源于https://www.jitwxs.cn/categories/%E5%AE%89%E5%85%A8%E6%A1%86%E6%9E%B6/Spring-Security/
本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!