在项目中其实一直在使用spring的security框架.核心主要是几张表:用户表,用户角色关联表,角色表,角色权限关联表,权限表(菜单表)
工作中所使用的几张关联表,authorization(类似权限表),menu_list(菜单表,主要是关联authorization下的菜单名称进行子父菜单关联),user(用户表),role(角色表),role_action(角色权限表,主要关联role和authorization的关联表).
这次主要根据springcloud官方自己搭建一套security进行练习,并重新对security进行更深入的理解。
1.准备五张表
image.png
2.新建一个springboot项目
添加marven:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.1.RELEASE</version>
</parent>
<!-- 管理依赖 -->
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>Finchley.M7</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<!-- SpringBoot整合Web组件 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
<!-- springboot整合freemarker -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-freemarker</artifactId>
</dependency>
<!-->spring-boot 整合security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>1.3.2</version>
</dependency>
<!-- alibaba的druid数据库连接池 -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-starter</artifactId>
<version>1.1.9</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
</dependencies>
<!-- 注意: 这里必须要添加, 否者各种依赖有问题 -->
<repositories>
<repository>
<id>spring-milestones</id>
<name>Spring Milestones</name>
<url>https://repo.spring.io/libs-milestone</url>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
</repositories>
配置application.yml
# 配置freemarker
spring:
freemarker:
# 设置模板后缀名
suffix: .ftl
# 设置文档类型
content-type: text/html
# 设置页面编码格式
charset: UTF-8
# 设置页面缓存
cache: false
# 设置ftl文件路径
template-loader-path:
- classpath:/templates
# 设置静态文件路径,js,css等
mvc:
static-path-pattern: /static/**
datasource:
name: test
url: jdbc:mysql://127.0.0.1:3306/rbac_db
username: root
password: root
# druid 连接池
type: com.alibaba.druid.pool.DruidDataSource
driver-class-name: com.mysql.jdbc.Driver
主要是为了练习,所以添加了前端页面的模板
这里说个知识:
base64加密是属于双向加密,就是加密后可以解密回来
MD5是单向加密,就是加密后无法解密
MD5加盐加密就是将(用户名+密码)进行MD5加密(类似都叫加盐,这里用户名就是盐值)
支付宝的公钥私钥加密,公钥解密私钥,这个是最安全的加密方式.
另外https是使用了安全证书,https的端口一般是443.http的端口是80
导入mapper
public interface UserMapper {
// 查询用户信息
@Select(" select * from sys_user where username = #{userName}")
User findByUsername(@Param("userName") String userName);
// 查询用户的权限
@Select(" select permission.* from sys_user user" + " inner join sys_user_role user_role"
+ " on user.id = user_role.user_id inner join "
+ "sys_role_permission role_permission on user_role.role_id = role_permission.role_id "
+ " inner join sys_permission permission on role_permission.perm_id = permission.id where user.username = #{userName};")
List<Permission> findPermissionByUsername(@Param("userName") String userName);
}
public interface PermissionMapper {
// 查询苏所有权限
@Select(" select * from sys_permission ")
List<Permission> findAllPermission();
}
动态查询账号
使用UserDetailsService实现动态查询数据库验证账号(这里新建了user的实体类,并且implements userDetails),这个userDetails是security默认提供给我们的,因此对应的username和password字段不能写错否则对应不上。
@Component
public class MyUserDetailsService implements UserDetailsService {
@Autowired
private UserMapper userMapper;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// 1.根据数据库查询,用户是否登陆
User user = userMapper.findByUsername(username);
// 2.查询该用户信息权限
if (user != null) {
// 设置用户权限
List<Permission> listPermission = userMapper.findPermissionByUsername(username);
System.out.println("用户信息权限:" + user.getUsername() + ",权限:" + listPermission.toString());
if (listPermission != null && listPermission.size() > 0) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
for (Permission permission : listPermission) {
// 添加用户权限
authorities.add(new SimpleGrantedAuthority(permission.getPermTag()));
}
// 设置用户权限
user.setAuthorities(authorities);
}
}
return user;
}
}
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// // 添加admin账号
// auth.inMemoryAuthentication().withUser("admin").password("123456").
// authorities("showOrder","addOrder","updateOrder","deleteOrder");
// // 添加userAdd账号
// auth.inMemoryAuthentication().withUser("userAdd").password("123456").authorities("showOrder","addOrder");
// // 如果想实现动态账号与数据库关联 在该地方改为查询数据库
auth.userDetailsService(myUserDetailsService);
}
密码使用MD5加密
public class MD5Util {
private static final String SALT = "mayikt";
public static String encode(String password) {
password = password + SALT;
MessageDigest md5 = null;
try {
md5 = MessageDigest.getInstance("MD5");
} catch (Exception e) {
throw new RuntimeException(e);
}
char[] charArray = password.toCharArray();
byte[] byteArray = new byte[charArray.length];
for (int i = 0; i < charArray.length; i++)
byteArray[i] = (byte) charArray[i];
byte[] md5Bytes = md5.digest(byteArray);
StringBuffer hexValue = new StringBuffer();
for (int i = 0; i < md5Bytes.length; i++) {
int val = ((int) md5Bytes[i]) & 0xff;
if (val < 16) {
hexValue.append("0");
}
hexValue.append(Integer.toHexString(val));
}
return hexValue.toString();
}
public static void main(String[] args) {
System.out.println(MD5Util.encode("123456"));
}
}
auth.userDetailsService(myUserDetailsService).passwordEncoder(new PasswordEncoder() {
//验证密码
public boolean matches(CharSequence rawPassword, String encodedPassword) {
String rawPass= MD5Util.encode((String)rawPassword);
boolean result = rawPass.equals(encodedPassword);
return result;
}
// 加密密码
public String encode(CharSequence rawPassword) {
return MD5Util.encode((String)rawPassword);
}
});
动态请求资源
// 配置拦截请求资源
protected void configure(HttpSecurity http) throws Exception {
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests = http
.authorizeRequests();
// 查询数据库获取权限列表
List<Permission> listPermission = permissionMapper.findAllPermission();
for (Permission permission : listPermission) {
authorizeRequests.antMatchers(permission.getUrl()).hasAuthority(permission.getPermTag());
}
authorizeRequests.antMatchers("/login").permitAll().antMatchers("/**").fullyAuthenticated().and().formLogin()
.loginPage("/login").successHandler(successHandler).failureHandler(failureHandler).and().csrf()
.disable();
}
通过本次动手建表,搭环境,写代码,对security又有了深刻的理解.
作者:zhuyuansj
链接:https://www.jianshu.com/p/292b49384f2d