Spring Security框架(续集)

从上一篇博客:初识Spring Security框架对该安全框架进行简单的阐释，该篇是对其补充和延展。

在目前的企业开发中，如果使用spring security作为安全框架，更多的是采用下述的方式去构建和实现。注：以下的工程是基于maven工程而言，如果你使用的是其他的工程，那么只需要对引入的maven依赖方式进行调整。

开发步骤：

1、引入依赖jar文件

<dependency>
	<groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
</dependency>
	
<dependency>
	<groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
</dependency>

2、配置web.xml

<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>classpath:spring/spring-security.xml</param-value>
</context-param>
<listener>
		<listener-class>
			org.springframework.web.context.ContextLoaderListener
		</listener-class>
</listener>
	 
<filter>  
		<filter-name>springSecurityFilterChain</filter-name>  
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  
</filter>  
<filter-mapping>  
		<filter-name>springSecurityFilterChain</filter-name>  
		<url-pattern>/*</url-pattern>  
</filter-mapping>

3、修改登录页面

<form class="sui-form" action="/login" method="post" id="loginform">
	<div class="input-prepend"><span class="add-on loginname"></span>
			<input id="prependedInput" type="text" name="username" placeholder="邮箱/用户名/手机号" class="span2 input-xfat">
	</div>
	<div class="input-prepend"><span class="add-on loginpwd"></span>
			<input id="prependedInput" type="password" name="password" placeholder="请输入密码" class="span2 input-xfat">
	</div>
	<div class="setting">
			<label class="checkbox inline"><input name="m1" type="checkbox" value="2" checked="">自动登录</label>
			<span class="forget">忘记密码？</span>
	</div>
	<div class="logined">
			<a class="sui-btn btn-block btn-xlarge btn-danger" onclick="document:loginform.submit()" target="_blank">登&nbsp;&nbsp;录</a>
	</div>
</form>

4、书写认证类

public class UserDetailsServiceImpl implements UserDetailsService {

	
	private SellerService sellerService;
	
	public void setSellerService(SellerService sellerService) {
		this.sellerService = sellerService;
	}

	@Override
	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

		//构建角色列表
		List<GrantedAuthority> grantAuths=new ArrayList();
		grantAuths.add(new SimpleGrantedAuthority("ROLE_SELLER"));
		
		//得到商家对象
		TbSeller seller = sellerService.findOne(username);
		if(seller!=null){
			if(seller.getStatus().equals("1")){
				return new User(username,seller.getPassword(),grantAuths);
			}else{
				return null;
			}			
		}else{
			return null;
		}
	}
}

5、配置spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
						http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd
						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
   
	<!-- 设置页面不登陆也可以访问 -->
	<http pattern="/*.html" security="none"></http>
	<http pattern="/css/**" security="none"></http>
	<http pattern="/img/**" security="none"></http>
	<http pattern="/js/**" security="none"></http>
	<http pattern="/plugins/**" security="none"></http>
	<http pattern="/seller/add.do" security="none"></http>

	<!-- 页面的拦截规则    use-expressions:是否启动SPEL表达式 默认是true -->
	<http use-expressions="false">
		<!-- 当前用户必须有ROLE_USER的角色 才可以访问根目录及所属子目录的资源 -->
		<intercept-url pattern="/**" access="ROLE_SELLER"/>
		<!-- 开启表单登陆功能 -->
		<form-login  login-page="/shoplogin.html" default-target-url="/admin/index.html" authentication-failure-url="/shoplogin.html" always-use-default-target="true"/>
		<csrf disabled="true"/>
		<headers>
			<frame-options policy="SAMEORIGIN"/>
		</headers>
		<logout/>
	</http>
	
	<!-- 认证管理器 -->
	<authentication-manager>
		<authentication-provider user-service-ref="userDetailService">
		   <password-encoder ref="encoder"></password-encoder>	
		</authentication-provider>	
	</authentication-manager>
		
	<!-- 认证类 -->
	<beans:bean id="userDetailService" class="com.pinyougou.service.UserDetailsServiceImpl">
		<beans:property name="sellerService" ref="sellerService"></beans:property>
	</beans:bean>
	
	<!-- 引用dubbo 服务 -->
	<dubbo:application name="pinyougou-shop-web" />
	<dubbo:registry address="zookeeper://10.103.7.129:2181"/>	
	<dubbo:reference id="sellerService" interface="com.pinyougou.sellergoods.service.SellerService"></dubbo:reference>
	
    <！-- 引入密码加密类 -->
	<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
</beans:beans>

福利：BCrypt算法

BCrypt，是一个跨平台的文件加密工具。BCrypt算法将salt随机并混入最终加密后的密码，验证时无需单独提供之前的salt,从而无需单独的处理salt。

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

用法：

BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
// 获取加密后的密码
String password = bcrypt.encode(seller.getPassword

效果：

123456加密后效果：
$2a$10$tmqplZjjDvMp6TM.ZRpGNeUKjr.ceKsm6j11VYvLuvnRc2y5.ieUK

注意：相同密码在经过上述加密后，生成的密文都是不一样的。在解密的时候只需要在上述的配置spring-security.xml中配置密码加密类：

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />