Spring Security --- 权限控制安全框架入门简介

本文转自：https://blog.csdn.net/ka_ka314/article/details/79513991
Spring Security — 权限控制安全框架入门简介
一、Spring Security简介

Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean，充分利用了Spring IoC，DI（控制反转Inversion of Control ,DI:Dependency Injection 依赖注入）和AOP（面向切面编程）功能，为应用系统提供声明式的安全访问控制功能，减少了为企业系统安全控制编写大量重复代码的工作。

二、入门案例

1、引入Jar

org.springframework.security
spring-security-web
4.1.0.RELEASE

org.springframework.security
spring-security-config
4.1.0.RELEASE
2、web.xml配置

contextConfigLocation
classpath:spring/spring-security.xml

org.springframework.web.context.ContextLoaderListener

springSecurityFilterChain org.springframework.web.filter.DelegatingFilterProxy springSecurityFilterChain /* 1 2 3 4 5 6 7 8 3、spring-security.xml配置 <?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns=“http://www.springframework.org/schema/security”
xmlns:beans=“http://www.springframework.org/schema/beans”
xmlns:dubbo=“http://code.alibabatech.com/schema/dubbo”
xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance”
xsi:schemaLocation=“http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd”>

<!-- 开启表达登录功能 -->
<!--
    参数说明：
    login-processing-url : 配置登录提交的action，默认/login
    login-page : 配置登录的页面
    default-target-url : 登录成功后的访问页
    authentication-failure-url : 登录失败的跳转页
    username-parameter : 指定用户名<input>的name属性值，默认username
    password-parameter : 指定密码<input>的name属性值，默认password
    注意：页面上的form表单的method必须是post
-->
<form-login login-page="/shoplogin.html" default-target-url="/admin/index.html"
            authentication-failure-url="/shoplogin.html" always-use-default-target="true"/>

<!-- 关闭csrf验证 -->
<csrf disabled="true"/>

<!--spring security默认拦截内置框架页，如iframe，需要如下配置取消拦截 -->
<headers>
    <frame-options policy="SAMEORIGIN"/>
</headers>

<!-- 退出
    参数说明；
    logout-url退出地址，默认/logout
    logout-success-url退出成功的访问地址
 -->
<logout/>

<beans:bean id=“userDetailService” class=“com.xxx.shop.service.UserDetailsServiceImpl”>
<beans:property name=“sellerService” ref=“sellerService”></beans:property>
</beans:bean>

<dubbo:application name=“xxx-shop-web” />
<dubbo:registry address=“zookeeper://192.168.25.128:2181”/>

<dubbo:reference id=“sellerService” interface=“com.xxx.sellergoods.service.SellerService”></dubbo:reference>

<beans:bean id=“bCryptPasswordEncoder” class=“org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder”></beans:bean>
</beans:beans>

4、UserDetailsServiceImpl实现类
package com.xxx.shop.service;

import com.xxx.pojo.TbSeller;
import com.xxx.sellergoods.service.SellerService;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import java.util.ArrayList;
import java.util.List;

public class UserDetailsServiceImpl implements UserDetailsService{

private SellerService sellerService;

public void setSellerService(SellerService sellerService) {
this.sellerService = sellerService;
}

@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
System.out.println(“UserDetailsServiceImpl”);

// 构建角色列表
List<GrantedAuthority> grantAuths = new ArrayList<>();
grantAuths.add(new SimpleGrantedAuthority("ROLE_SELLER"));

TbSeller seller = sellerService.findOne(username);
if (seller != null)
    if (seller.getStatus().equals("1"))
        return new User(username,seller.getPassword(),grantAuths);

return null;

}