Getting Started with Spring Security application (ssm + maven)

Contents:

   1. Spring Security Maven dependencies, plus the JSR-250 annotation dependency used for method-level access control

   2.spring-security.xml

   3.service part

   4.dao part

   5. Table

1. Maven dependencies:

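<dependencies>
    <!-- Spring Security: the web filter chain and the XML namespace configuration.
         The versions below are the ones this post was written against; check for a
         current patch release of the same line before copying them into a new project. -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.0.1.RELEASE</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.0.1.RELEASE</version>
    </dependency>

    <!-- JSR-250 annotations (@RolesAllowed etc.) for method-level access control.
         They are switched on in spring-security.xml with
         global-method-security jsr250-annotations="enabled". -->
    <dependency>
        <groupId>javax.annotation</groupId>
        <artifactId>jsr250-api</artifactId>
        <version>1.0</version>
    </dependency>
</dependencies>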

2. Required configuration in spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:security="http://www.springframework.org/schema/security"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans          
    http://www.springframework.org/schema/beans/spring-beans.xsd          
    http://www.springframework.org/schema/security          
    http://www.springframework.org/schema/security/spring-security.xsd">

	<!-- Method-level interception: enables the JSR-250 annotations (@RolesAllowed etc.) on service methods -->
	<security:global-method-security jsr250-annotations="enabled"></security:global-method-security>
    <!-- Resources that bypass the security filter chain completely: security="none" means no
         authentication, no CSRF check and no security headers for these paths. Keep this list
         to the login/failure pages and static assets only. -->
    <security:http pattern="/login.jsp" security="none"/>
    <security:http pattern="/failer.jsp" security="none"/>
    <security:http pattern="/css/**" security="none"/>
    <security:http pattern="/img/**" security="none"/>
    <security:http pattern="/plugins/**" security="none"/>
    
    <!-- 
    	Concrete rules
    	auto-config="true"	no need to write your own login page, the framework supplies a default one
    	use-expressions="false"	whether SpEL expressions are used (not covered here)
    -->

	<!--
		 With this bean the expression form can be used without changing the settings below
		 (<security:authentication> is such an expression; access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"
		 is the expression form of the intercept-url rule). In a page it shows the current user's name:
		 <security:authentication property="principal.username"></security:authentication>
		 In a JSP this taglib has to be declared at the top of the page:
		 <%@taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
	-->
	<bean id="webexpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>
    <security:http auto-config="true" use-expressions="false">

    	<!-- Interception rule: pattern="request path pattern", access="roles the caller must hold (any one of them)".
    	     With use-expressions="false" this is a plain comma-separated role list, not a SpEL expression. -->
		<security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
    	<!-- Login page, login-processing URL and the redirect targets after success / failure -->
    	<security:form-login  
    		login-page="/login.jsp"
    		login-processing-url="/login.do"
    		default-target-url="/index.jsp"
    		authentication-failure-url="/failer.jsp"
    	/>
    	
    	<!-- Disables Spring Security's CSRF protection for the whole application.
    	     NOTE(review): the original comment called this "closing cross-domain requests", but CSRF
    	     protection is not CORS: with this line any other site can submit state-changing requests
    	     (including the GET logout below) on behalf of a logged-in user. Prefer removing this
    	     element; the login form then needs the _csrf hidden field and logout must be sent as a POST. -->
    	<security:csrf disabled="true"/>
    	
    	<!-- Logout: GET /logout.do invalidates the session and returns to the login page
    	     (with CSRF protection enabled, logout is only accepted as a POST). -->
    	<security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp" />
    	
    </security:http>
    
    <!-- Authenticate against the database: userService is the UserDetailsService bean from the service layer -->
    <security:authentication-manager>
    	<security:authentication-provider user-service-ref="userService">
    		<!-- Encoder used to compare the submitted password with the stored value -->
    		<security:password-encoder ref="passwordEncoder"/>
    	</security:authentication-provider>
    </security:authentication-manager>
    
    <!-- BCrypt password hashing: the password column must then contain BCrypt hashes.
         NOTE(review): the service listing below prefixes the stored password with {noop}; as far as
         I can tell BCryptPasswordEncoder does not interpret that prefix (DelegatingPasswordEncoder
         does), so the two snippets are inconsistent - either store BCrypt hashes and drop the
         prefix, or do not configure this encoder. Confirm against the real database contents. -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
    
 </beans>  

3. Service

The flow we usually write is: html -> Controller -> service -> dao -> html. With Spring Security there is no Controller layer for login: once the form is submitted, the login request is handled directly by the service.

The service interface must extend UserDetailsService:

import org.springframework.security.core.userdetails.UserDetailsService;

/**
 * Service-layer contract for users. Extends Spring Security's {@link UserDetailsService} so the
 * authentication provider configured in spring-security.xml can call {@code loadUserByUsername}
 * directly; no controller is involved in the login request.
 */
public interface IUserService extends UserDetailsService {
    
}

Service implementation:

import com.qy.ssm.domain.Role;
import com.qy.ssm.domain.UserInfo;
import com.qy.ssm.service.IUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

import java.util.ArrayList;
import java.util.List;

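/**
 * Loads users from the database for Spring Security's authentication manager.
 *
 * <p>Registered as the {@code userService} bean that spring-security.xml references via
 * {@code <security:authentication-provider user-service-ref="userService">}.
 */
@SuppressWarnings("SpringJavaAutowiringInspection") // the IDE cannot see the MyBatis-generated userDao bean and marks it red; it is fine at runtime
@Service("userService")
@Transactional
public class UserServiceImpl implements IUserService {

    @Autowired
    private IUserDao userDao;

    /**
     * Looks up the user with the given login name and converts it to a Spring Security
     * {@link UserDetails}.
     *
     * @param username the login name submitted on the form
     * @return user details whose enabled flag comes from {@code status} and which carry one
     *         {@code ROLE_*} authority per role loaded by the dao
     * @throws UsernameNotFoundException if no user with that name exists; by default Spring's
     *         DaoAuthenticationProvider reports this to the client as a generic bad-credentials
     *         failure, so it does not reveal which usernames exist
     * @throws IllegalStateException if the lookup itself fails
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserInfo userInfo;  // UserInfo is the bean holding the user's data
        try {
            userInfo = userDao.findByUsername(username);
        } catch (Exception e) {
            // Previously printStackTrace() and fall-through, which then failed with a NullPointerException.
            throw new IllegalStateException("user lookup failed", e);
        }
        if (userInfo == null) {
            // Previously a NullPointerException; the dedicated exception is what the provider expects.
            throw new UsernameNotFoundException("user not found");
        }
        /*
         * Wrap our own user object as a UserDetails.
         *
         * 1. Either User constructor works; the longer one takes the enabled flag from
         *    userInfo.getStatus(): 0 = disabled, 1 = enabled (see the status column in the dao
         *    section). A disabled user cannot log in.
         * 2. getAuthority(userInfo.getRoles()) turns the roles loaded by the dao into authorities.
         *
         * NOTE(review): the "{noop}" prefix tells DelegatingPasswordEncoder that the stored password
         * is plain text. spring-security.xml configures BCryptPasswordEncoder, which does not
         * interpret this prefix, so the two snippets are inconsistent; store BCrypt hashes and drop
         * the prefix. Kept unchanged here because the stored format is not visible in this listing.
         */
        boolean enabled = userInfo.getStatus() != 0;
        return new User(userInfo.getUsername(), "{noop}" + userInfo.getPassword(),
                enabled, true, true, true, getAuthority(userInfo.getRoles()));
    }

    /**
     * Converts the user's roles into {@code ROLE_}-prefixed authorities.
     *
     * @param roles the roles loaded by the dao; {@code null} is treated as "no roles"
     * @return one {@link SimpleGrantedAuthority} per role, in the given order
     */
    public List<SimpleGrantedAuthority> getAuthority(List<Role> roles) {
        List<SimpleGrantedAuthority> authorities = new ArrayList<>();
        if (roles == null) {
            return authorities;
        }
        for (Role role : roles) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getRoleName()));
        }
        return authorities;
    }
}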

4. DAO: query the users table, then load all of the user's roles (and their permissions) through the join tables

import com.qy.ssm.domain.UserInfo;
import org.apache.ibatis.annotations.Many;
import org.apache.ibatis.annotations.Result;
import org.apache.ibatis.annotations.Results;
import org.apache.ibatis.annotations.Select;

import java.util.List;

/**
 * MyBatis mapper for the {@code users} table.
 */
public interface IUserDao {

    /**
     * Loads one user by login name, together with the roles (and, through them, the permissions)
     * reachable via the join tables.
     *
     * <p>{@code #{username}} is a bound prepared-statement parameter, so the submitted login name is
     * never concatenated into the SQL; keep it that way ({@code ${...}} would interpolate it).
     * {@code select *} only works here because {@code @Results} maps an explicit column list.
     *
     * @param username the login name as submitted on the form
     * @return the matching user with {@code roles} populated; expected to be {@code null} when no
     *         row matches, which the service layer has to handle
     * @throws Exception declared by the original author; an unchecked exception would be the usual style
     */
    @Select("select * from users where username=#{username}")
    @Results({
            @Result(id = true, property = "id", column = "id"),
            @Result(property = "username", column = "username"),
            @Result(property = "email", column = "email"),
            @Result(property = "password", column = "password"),
            @Result(property = "phoneNum", column = "phoneNum"),
            @Result(property = "status", column = "status"),
            // the user's id is handed to IRoleDao.findRoleByUserId to fill the roles list
            @Result(property = "roles",column = "id",javaType = java.util.List.class,
                    many = @Many(select = "com.qy.ssm.dao.IRoleDao.findRoleByUserId"))
    })
    public UserInfo findByUsername(String username) throws Exception;
}

The cascading query referenced above by many = @Many(select = "com.qy.ssm.dao.IRoleDao.findRoleByUserId"):

/**
 * Loads the roles assigned to one user through the {@code users_role} join table; each role's
 * {@code permissions} list is filled by a further nested select.
 *
 * <p>{@code #{id}} is a bound parameter (prepared statement), so the user id is not interpolated
 * into the SQL.
 *
 * @param id the user's id, supplied by {@code IUserDao.findByUsername} through its {@code @Many} mapping
 * @return the user's roles with {@code permissions} populated
 * @throws Exception declared by the original author
 */
@Select("select * from role where id in (select roleId from users_role where userId=#{id})")
    @Results({
            @Result(id = true,property = "id" ,column = "id"),
            @Result(property = "roleName",column = "roleName"),
            @Result(property = "roleDesc",column = "roleDesc"),
            // the role's id is handed to IPermissionDao.findPermissionByRoleId to fill the permissions list
            @Result(property = "permissions" , column = "id",javaType = java.util.List.class,
                    many = @Many(select = "com.qy.ssm.dao.IPermissionDao.findPermissionByRoleId")
            )
    })
    public List<Role> findRoleByUserId(String id) throws Exception;

The cascading query com.qy.ssm.dao.IPermissionDao.findPermissionByRoleId referenced above:

/**
 * Loads the permissions granted to one role through the {@code role_permission} join table.
 * {@code #{id}} is a bound parameter, so the role id is not interpolated into the SQL.
 *
 * @param id the role's id, supplied by {@code IRoleDao.findRoleByUserId} through its {@code @Many} mapping
 * @return the role's permissions
 * @throws Exception declared by the original author
 */
@Select("select * from permission where id in (select permissionId from role_permission where roleId=#{id})")
    public List<Permission> findPermissionByRoleId(String id) throws Exception;

The three tables required: users, users_role, role


Origin blog.csdn.net/weixin_37906108/article/details/89046747