Spring Security框架_03 自定义认证类

这一章使我们的认证可以跟数据库关联

    认证类:

            定义一个实现 UserDetailsService 的自定义类,loadUserByUsername 返回 org.springframework.security.core.userdetails.User;构造 User 需要账号、密码和授权列表

package com.pinyougou.service;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import com.pinyougou.pojo.TbSeller;
import com.pinyougou.sellergoods.service.SellerService;

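/**
 * {@link UserDetailsService} backed by the seller service: looks a seller up
 * by login name and hands Spring Security the stored password hash together
 * with the granted authorities.
 *
 * <p>The {@link SellerService} is supplied through {@link #setSellerService}
 * (setter injection); it must be set before the first authentication attempt.
 */
public class UserDetailsServiceImpl implements UserDetailsService{
	/** Service used to look sellers up by login name; injected via the setter. */
	private SellerService sellerService;

	/**
	 * @return the seller service currently used for lookups
	 */
	public SellerService getSellerService() {
		return sellerService;
	}

	/**
	 * @param sellerService the seller service to use for lookups
	 */
	public void setSellerService(SellerService sellerService) {
		this.sellerService = sellerService;
	}

	/**
	 * Loads the seller whose login name is {@code username}.
	 *
	 * @param username the login name submitted with the authentication request
	 * @return a {@link User} carrying the submitted name, the password value
	 *         stored for the seller, and the single authority {@code ROLE_USER}
	 * @throws UsernameNotFoundException if the seller service has no record
	 *         for {@code username}
	 */
	@Override
	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
		TbSeller seller = sellerService.findOne(username);
		if(seller==null){
			// The UserDetailsService contract forbids returning null: an unknown
			// account must be signalled with UsernameNotFoundException. The message
			// deliberately does not echo the submitted name back.
			throw new UsernameNotFoundException("Seller account not found");
		}

		// NOTE(review): every seller that exists is granted ROLE_USER. If TbSeller
		// carries an approval or lock state, it is not consulted here - confirm
		// whether unapproved or disabled sellers should be able to log in.
		List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
		authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

		// The stored password value is passed through unchanged; comparing it with
		// the submitted password is left to the configured password encoder.
		return new User(username, seller.getPassword(), authorities);
	}
}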


spring-security.xml配置

配置一个 userDetailsService bean,通过 set 注入可以查询用户的服务类,并将这个 bean 注入 Security 的认证管理器中;密码使用 BCrypt 强哈希方法进行哈希。BCryptPasswordEncoder 每次 encode 的结果都不一样,是因为每次都会生成随机盐并把盐保存在结果字符串中;验证时会从已存储的哈希中取出盐重新计算,所以只要存储其中一次的结果就能够验证成功。


<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security configuration for the seller web application: public resources,
     the form-login rule set, the BCrypt password encoder, the authentication manager
     and the Dubbo reference that the custom UserDetailsService depends on. -->
<bean:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:bean="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
	xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
						http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd
						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
	<!-- Resources that need no access control. security="none" takes the request out of
	     the security filter chain altogether, so these responses also get none of the
	     headers configured below. "/*.html" matches HTML files in the root only (the
	     login and login-error pages among them); /admin/index.html stays protected. -->
	<http pattern="/*.html" security="none"></http>
	<http pattern="/css/**" security="none"></http>
	<http pattern="/img/**" security="none"></http>
	<http pattern="/js/**" security="none"></http>
	<http pattern="/plugins/**" security="none"></http>
	<!-- NOTE(review): presumably the seller registration endpoint. It is reachable
	     without authentication, so input validation and abuse limits have to be
	     enforced by the handler itself; confirm. -->
	<http pattern="/seller/add.do" security="none"></http>
	<!-- Interception rules: every other URL requires ROLE_USER. -->
	<http>
		<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
		<!-- Custom login page. always-use-default-target sends every successful login to
		     /admin/index.html instead of the URL that was originally requested. -->
		<form-login login-page="/shoplogin.html" login-processing-url="/login" 
		always-use-default-target="true"
		default-target-url="/admin/index.html"
		authentication-failure-url="/login_error.html"/>
		<!-- NOTE(review): CSRF protection is switched off. Authenticated state-changing
		     requests are then not tied to a per-session token, and logout is accepted
		     without one as well. Acceptable for a walkthrough; for a deployed application
		     re-enable it and have the front end send the token. -->
		<csrf disabled="true"/>
		<logout/>
		<headers>
			<!-- Allows pages to be framed by the same origin only. -->
			<frame-options policy="SAMEORIGIN"/>
		</headers>
		
	</http>
	<!-- Password hashing: BCrypt encoder created with its no-argument constructor,
	     i.e. the library's default work factor. -->
	<bean:bean id="bcryptEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
	<!-- Authentication manager -->
	<authentication-manager alias="authenticationManager">
		<!-- Use the custom UserDetailsService bean; submitted passwords are checked
		     against the stored value through the BCrypt encoder. -->
		<authentication-provider user-service-ref="userDetailsService">
			<password-encoder ref="bcryptEncoder"></password-encoder>
		</authentication-provider>
	</authentication-manager>
	<!-- Dubbo service reference. NOTE(review): the registry address is hard-coded to
	     a private-network ZooKeeper instance; moving it to per-environment
	     configuration keeps this file portable. -->
	<dubbo:application name="pinyougou-shop-web" />
	<dubbo:registry address="zookeeper://192.168.25.100:2181"/>
	<dubbo:reference id="sellerService" interface="com.pinyougou.sellergoods.service.SellerService"></dubbo:reference>
	
	<!-- Custom UserDetailsService; the Dubbo seller service is injected through its setter. -->
	<bean:bean id="userDetailsService" class="com.pinyougou.service.UserDetailsServiceImpl">
		<bean:property name="sellerService" ref="sellerService"></bean:property>
	</bean:bean>
	
</bean:beans>
这样Security每次验证都和数据库联系起来


注: 注册时需要先用 BCrypt 对密码做哈希再保存,这样登录时配置的 BCryptPasswordEncoder 才能与数据库中的值匹配

// Hash the password with BCrypt at registration: the value written back to the
// seller object is the BCrypt hash, not the submitted plain text.
final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
final String rawPassword = seller.getPassword();
seller.setPassword(encoder.encode(rawPassword));



转载自blog.csdn.net/wyb_night/article/details/80342079