Getting started with the Spring Security permission framework (part 2)

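Earlier I said that the username and password in springSecurity.xml should not be hard-coded; they need to be queried from the database. To do that, implement the UserDetailsService interface in the service layer and override its loadUserByUsername method, which calls the DAO layer to interact with the database.

1. Writing the UserDetailsService implementation class.

a. If the return value is null, every user login fails;

b. After the database query, the returned password is compared with the one in the Spring Security context to check whether they match.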

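import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import com.maven.demo.service.UserService;
// Also import the project's own User entity (its package is not shown here).

public class UserDetailsServiceImpl implements UserDetailsService {

	// Injected through the "userService" property in springSecurity.xml
	private UserService userService;

	public void setUserService(UserService userService) {
		this.userService = userService;
	}

	@Override
	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

		System.out.println("经过userdetailsServiceImpl");
		// The role must match the access attribute of <intercept-url> in springSecurity.xml
		List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
		grantedAuths.add(new SimpleGrantedAuthority("ROLE_userLogin"));

		User user = userService.findOne(username);

		// Only a user that exists and has status "1" may log in
		if (user != null) {
			if ("1".equals(user.getStatus())) {
				// Fully qualified because Spring's User clashes with the project's User entity
				return new org.springframework.security.core.userdetails.User(username, user.getPassword(), grantedAuths);
			}
		}

		// Returning null makes the login fail
		return null;
	}

}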

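2. Writing the springSecurity.xml configuration file

   a. Only the content of the authentication manager needs to change;

   b. Use Dubbo to reference the service that handles the interaction with the database.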

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
						http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd
						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
   
	<!-- Pages and resources that can be accessed without logging in -->
	<http pattern="/*.html" security="none"></http>
	<http pattern="/css/**" security="none"></http>
	<http pattern="/img/**" security="none"></http>
	<http pattern="/js/**" security="none"></http>
	<http pattern="/plugins/**" security="none"></http>
	<http pattern="/seller/add.do" security="none"></http>

	<!-- Page interception rules. use-expressions: whether to enable SpEL expressions; the default is true -->
	<http use-expressions="false">
		<!-- The current user must have the ROLE_userLogin role to access the root directory and everything under it -->
		<intercept-url pattern="/**" access="ROLE_userLogin"/>
		<!-- Enable form login -->
		<form-login  login-page="/shoplogin.html" default-target-url="/admin/index.html" authentication-failure-url="/shoplogin.html" always-use-default-target="true"/>
		<csrf disabled="true"/>
		<headers>
			<frame-options policy="SAMEORIGIN"/>
		</headers>
		<logout/>
	</http>
	
	<!-- Authentication manager -->
	<authentication-manager>
		<authentication-provider user-service-ref="userDetailService">			
		</authentication-provider>	
	</authentication-manager>
		
	<!-- UserDetailsService implementation used for authentication -->
	<beans:bean id="userDetailService" class="com.pinyougou.service.UserDetailsServiceImpl">
		<beans:property name="userService" ref="userService"></beans:property>
	</beans:bean>
	
	<!-- Reference the Dubbo service -->
	<dubbo:application name="maven-demo" />
	<dubbo:registry address="zookeeper://192.168.25.129:2181"/>	
	<dubbo:reference id="userService" interface="com.maven.demo.service.UserService"></dubbo:reference>
</beans:beans>
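
The authentication manager above declares no password encoder for the provider. The fragment below shows the same element with a BCrypt encoder attached. It is an added example, not part of the original post; the bean id bcryptEncoder is a made-up name, and it assumes the registration code stores passwords hashed with the same encoder.

```xml
<!-- Added example: replaces the <authentication-manager> element above.
     Assumption: user.getPassword() returns a BCrypt hash that the
     registration code produced with the same encoder. -->

<!-- Before (as on this page): the provider has no password encoder
<authentication-manager>
	<authentication-provider user-service-ref="userDetailService">
	</authentication-provider>
</authentication-manager>
-->

<!-- After: the provider checks the submitted password against the stored hash -->
<authentication-manager>
	<authentication-provider user-service-ref="userDetailService">
		<password-encoder ref="bcryptEncoder"/>
	</authentication-provider>
</authentication-manager>

<!-- "bcryptEncoder" is a hypothetical bean id chosen for this example -->
<beans:bean id="bcryptEncoder"
	class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
```

UserDetailsServiceImpl does not change: it still returns the stored value from user.getPassword(), and the provider calls the encoder to verify the submitted password against it.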

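Four important classes in Spring Security

1. UserDetailsService: reads the logged-in user's information and authorities

2. AbstractSecurityInterceptor: this class is meant to be extended, and the subclass must also implement the Servlet Filter interface; its job is to filter URLs

3. FilterInvocationSecurityMetadataSource: reads the URL resources

4. AccessDecisionManager: controls access permissions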



Reposted from blog.csdn.net/kebo_china/article/details/79765804