在我们得软件开发过程中,很多时候都会遇到需要根据用户的角色来管理用户的功能。由于是基于SSM框架的,因此我们在这里引入了spring-security相关的jar包进行处理。 1、首先用Maven导入项目依赖,在这里<spring.security.version>5.0.1.RELEASE</spring.security.version>
<!--spring-security--> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>${spring.security.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>${spring.security.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>${spring.security.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-taglibs</artifactId> <version>${spring.security.version}</version> </dependency>2、配置spring-security.xml中的内容,注意user-service-ref="userInfoServer"中的userInfoServer要与服务中的@Server()中的名字相对应
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <security:global-method-security pre-post-annotations="enabled" jsr250-annotations="enabled" secured-annotations="enabled"></security:global-method-security> <!-- 配置不拦截的资源 --> <security:http pattern="/login.jsp" security="none"/> <security:http pattern="/failer.jsp" security="none"/> <security:http pattern="/css/**" security="none"/> <security:http pattern="/img/**" security="none"/> <security:http pattern="/plugins/**" security="none"/> <!-- 配置具体的规则 auto-config="true" 不用自己编写登录的页面,框架提供默认登录页面 use-expressions="false" 是否使用SPEL表达式(没学习过) --> <security:http auto-config="true" use-expressions="true"> <!-- 配置具体的拦截的规则 pattern="请求路径的规则" access="访问系统的人,必须有ROLE_USER的角色" --> <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/> <security:form-login login-page="/login.jsp" login-processing-url="/login.do" default-target-url="/index.jsp" authentication-failure-url="/failer.jsp" authentication-success-forward-url="/pages/main.jsp"/> <!-- 关闭跨域请求 --> <security:csrf disabled="true"/> <!--退出并跳转到首页--> <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp"></security:logout> </security:http> <!-- 切换成数据库中的用户名和密码 --> <security:authentication-manager> <security:authentication-provider user-service-ref="userInfoServer"> <!-- 配置加密的方式 <security:password-encoder ref="passwordEncoder"/> --> </security:authentication-provider> </security:authentication-manager> <!-- 配置加密类 --> <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/> <!-- <bean id="webexpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />--> <!-- 提供了入门的方式,在内存中存入用户名和密码 <security:authentication-manager> <security:authentication-provider> <security:user-service> <security:user name="admin" password="{noop}admin" authorities="ROLE_USER"/> </security:user-service> </security:authentication-provider> </security:authentication-manager> --> </beans>3、在web.xml中引入spring-security
<!-- 配置加载类路径的配置文件 --> <context-param> <param-name>contextConfigLocation</param-name> <param-value>classpath*:applicationContext.xml,classpath*:spring-security.xml</param-value> </context-param> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>4、对应的service类
@Service("userInfoServer") public class UserInfoServerImpl implements IUserInfoServer { @Override public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException { UserInfo userInfo= userInfoDao.selectByUsername(s); System.out.println(userInfo); List<Role> roles = roleDao.getRoleByUserId(userInfo.getId()); System.out.println(roles); User user = new User(userInfo.getUsername(),"{noop}"+userInfo.getPassword(), getAuthority(roles)); return user; } private Collection<? extends GrantedAuthority> getAuthority(List<Role> roles) { List<SimpleGrantedAuthority> list = new ArrayList<>(); for(Role role:roles){ list.add(new SimpleGrantedAuthority("ROLE_"+role.getRole())); } return list; } }5、对应的Dao层
public interface IRoleDao { public List<Role> getRoleByUserId(int id); } public interface IUserInfoDao { public UserInfo selectByUsername(String name); }6、例如前端中我们不想显示用户管理这个功能
<security:authorize access="hasRole('ADMIN')"> <a href="/user/findAll.do?page=1&size=5"> <i class="fa fa-circle-o"></i> 用户管理 </a> </security:authorize>这样我们就完成了用户在未登录时不能访问其他的界面,会自动跳转到登录界面,同时还完成了用户的认证,只有账号和密码都正确的才能进入系统,最后我们还完成了只有权限为ADMIN的用户才能访问用户管理。
