spring安全框架:spring-security

  Spring Security是一个能够为基于Spring的企业应用系统提供声明式安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring的IoC/DI(IoC:Inversion of Control 控制反转,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。

(1) 相关依赖

        <!-- Spring Security: spring-security-web provides the servlet filter chain
             (springSecurityFilterChain / DelegatingFilterProxy), spring-security-config
             provides the <http> / <authentication-manager> XML namespace used in
             spring-security.xml. No <version> is given here, so the versions are
             presumably pinned by a parent POM / dependencyManagement section - confirm. -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
        </dependency>

(2) spring-security.xml配置文件

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd
                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    
    <!-- Resolves ${...} placeholders from classpath:properties/*.properties -->
    <context:property-placeholder location="classpath:properties/*.properties" />
    
    <!-- The paths below bypass the Spring Security filter chain completely (security="none"):
         no authentication, no SecurityContext, and none of the response headers configured
         in <headers> below are added to them. Order matters: the first matching <http> wins.
         "/*.html" only matches .html files at the web root (e.g. shoplogin.html), not
         /admin/index.html - but it also exposes any other .html file later placed at the root. -->
    <http pattern="/*.html" security="none"></http>
    <http pattern="/seller/add.do" security="none"></http><!-- seller self-registration must work without a login -->
    <http pattern="/css/**" security="none"></http>
    <http pattern="/img/**" security="none"></http>
    <http pattern="/js/**" security="none"></http>
    <http pattern="/plugins/**" security="none"></http>

    <!-- Main filter chain: everything not listed above -->
    <http use-expressions="false">
        <!-- 
            use-expressions="false": access attributes are plain role names, not SpEL expressions
            pattern="/*": the root directory only; pattern="/**": the root and every sub-directory
            login-page: the page the user is redirected to when authentication is required
            default-target-url: where to go after a successful login
            authentication-failure-url: where to go after a failed login
            always-use-default-target="true": always redirect to default-target-url after login,
                instead of returning to the URL the user originally requested
         -->
        <!-- Single rule: every request that reaches this chain needs ROLE_SELLER,
             the only authority UserDetailsServiceImpl grants. -->
        <intercept-url pattern="/**" access="ROLE_SELLER" />
        <!-- Form login. The login page itself is public via the "/*.html" rule above. -->
        <form-login login-page="/shoplogin.html" default-target-url="/admin/index.html"
            authentication-failure-url="/shoplogin.html" always-use-default-target="true" />
        <!-- Logout. Note the URL is "/loginout", not the default "/logout"; page links must match.
             With CSRF disabled below, Spring Security accepts this URL via GET as well as POST. -->
        <logout logout-url="/loginout" logout-success-url="/shoplogin.html"/>
        <!-- CSRF protection switched off because the pages are plain HTML (no JSP tag library to
             emit the token into forms). NOTE(review): this leaves every state-changing *.do request
             and the login/logout endpoints open to cross-site request forgery for as long as the
             session cookie is valid. Prefer keeping it enabled and delivering the token to the
             front-end via a cookie/header (e.g. CookieCsrfTokenRepository) - confirm with the UI code. -->
        <csrf disabled="true" />
        <!-- Spring Security sends X-Frame-Options: DENY by default, which blocks the admin
             pages' iframes; SAMEORIGIN still refuses framing by other sites. -->
        <headers>
            <frame-options policy="SAMEORIGIN" />
        </headers>
    </http>

    <!-- Authentication manager: loads the user through userDetailsService and checks the
         submitted password with the passwordEncoder bean declared below. -->
    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService">
            <!-- Password encoder. BCrypt is a one-way hash: passwords are verified, never decrypted. -->
            <password-encoder ref="passwordEncoder"></password-encoder>
        </authentication-provider>
    </authentication-manager>
    
    <!-- UserDetailsService implementation: looks the seller up by login name (see UserDetailsServiceImpl) -->
    <beans:bean id="userDetailsService" class="com.xxx.sellergoods.service.impl.UserDetailsServiceImpl">
        <beans:property name="sellerService" ref="sellerService"></beans:property>
    </beans:bean>
    
    <!-- Dubbo remote service references -->
    <!-- Consumer-side application name; Dubbo uses it to record who depends on which service -->
    <dubbo:application name="xxx-sellergoods-web" />
    <!-- ZooKeeper registry. The address is hard-coded to localhost; presumably it should come
         from the property placeholder above outside of local development - confirm. -->
    <dubbo:registry protocol="zookeeper" address="127.0.0.1:2181"></dubbo:registry>
    <!-- Local proxy for the remote SellerService, injected into userDetailsService above -->
    <dubbo:reference id="sellerService" interface="com.xxx.sellergoods.service.SellerService"></dubbo:reference>
    
    <!-- BCryptPasswordEncoder: salted, adaptive one-way hash. Stored seller passwords must have been
         hashed with the same encoder, otherwise every login fails. -->
    <beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"></beans:bean>
</beans:beans>

(3) web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

    <display-name>xxx-sellergoods-web</display-name>

    <welcome-file-list>
        <welcome-file>shoplogin.html</welcome-file>
    </welcome-file-list>

    <!-- Character set applied to request bodies, so POSTed form data is read as UTF-8 -->
    <filter>
        <filter-name>CharacterEncodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>utf-8</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CharacterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Spring MVC front controller.
         contextConfigLocation is optional: when it is omitted Spring MVC looks for
         WEB-INF/<servlet-name>-servlet.xml instead. -->
    <servlet>
        <servlet-name>xxx-sellergoods-web</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:spring/springmvc.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>xxx-sellergoods-web</servlet-name>
        <!-- Only *.do requests go through Spring MVC; static .html/.css/.js files are
             left to the container's default servlet -->
        <url-pattern>*.do</url-pattern>
    </servlet-mapping>

    <!-- Root Spring container; the spring-*.xml pattern picks up spring-security.xml
         if it lives under classpath:spring/ -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring/spring-*.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Spring Security entry point. DelegatingFilterProxy forwards every request to the
         bean named after this filter, "springSecurityFilterChain", which the <http> elements
         in spring-security.xml create - the filter-name must be exactly that. Mapped after
         the encoding filter so that one still runs first on the same URL. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

(4) 认证类

import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
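public class UserDetailsServiceImpl implements UserDetailsService {

    /** Seller status value that permits login; any other value keeps the seller out. */
    private static final String STATUS_APPROVED = "1";

    private SellerService sellerService;

    /**
     * Setter injection point for the (Dubbo-backed) seller service, wired from
     * spring-security.xml.
     */
    public void setSellerService(SellerService sellerService) {
        this.sellerService = sellerService;
    }

    /**
     * Loads a seller by login name for Spring Security's authentication provider.
     *
     * Every seller that is allowed to log in receives the single authority
     * ROLE_SELLER. The stored password hash is returned unchanged; the configured
     * password encoder (BCrypt) compares it with the submitted password.
     *
     * @param username login name submitted on the login form
     * @return the seller's username, stored password hash and authorities
     * @throws UsernameNotFoundException if no seller has that name or the seller's
     *         status is not "1" (approved). The provider reports both cases as
     *         bad credentials, so the response does not reveal which one applied.
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        List<GrantedAuthority> grantAuths = new ArrayList<>();
        grantAuths.add(new SimpleGrantedAuthority("ROLE_SELLER"));

        TbSeller seller = sellerService.findByUserName(username);
        // The UserDetailsService contract forbids returning null: the provider then
        // fails with an internal error instead of a clean authentication failure.
        // Throwing the declared exception gives the intended "bad credentials" outcome.
        if (seller == null) {
            throw new UsernameNotFoundException("seller not found: " + username);
        }
        // Constant-first comparison so a null status cannot throw a NullPointerException.
        // Reported as "not found" rather than "disabled" so an unapproved account
        // cannot be told apart from a non-existent one.
        if (!STATUS_APPROVED.equals(seller.getStatus())) {
            throw new UsernameNotFoundException("seller not approved: " + username);
        }
        return new User(username, seller.getPassword(), grantAuths);
    }
}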


转载自www.cnblogs.com/lin-nest/p/10322565.html