一、SpringSecurity介绍
- Spring Security 的前身是 Acegi Security ,是 Spring 项目组中用来提供安全认证服务的框架。
安全包括两个主要操作:
- “认证”,是为用户建立一个他所声明的主体。主题一般式指用户,设备或可以在你系 统中执行动作的其他系统。
- “授权”指的是一个用户能否在你的应用中执行某个操作,在到达授权判断之前,身份的主题已经由 身份验证过程建立了。
二、快速入门
2.1 pom.xml
在SSM框架中的
pom.xml,主要需要导入两个关键的jar包依赖spring-security-webspring-security-config
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>5.0.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.0.1.RELEASE</version>
</dependency>
</dependencies>2.2 web.xml
- 设置配置文件的加载路径
- 配置监听器
ContextLoaderListener - 配置过滤器
DelegatingFilterProxy
<context-param>
<param-name>contextConfigLocation</param-name>
<!--需要读取类路径下的spring-security.xml文件-->
<param-value>classpath:spring-security.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>2.3 spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!--开启注解配置-->
<!--<security:global-method-security jsr250-annotations="enabled"/>-->
<security:global-method-security pre-post-annotations="enabled" jsr250-annotations="enabled" secured-annotations="enabled"/>
<!-- 配置不拦截的资源 -->
<security:http pattern="/login.jsp" security="none"/>
<security:http pattern="/failer.jsp" security="none"/>
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/plugins/**" security="none"/>
<!--
配置具体的规则
auto-config="true" 不用自己编写登录的页面,框架提供默认登录页面
use-expressions="false" 是否使用SPEL表达式(没学习过)
-->
<security:http auto-config="true" use-expressions="true">
<!-- 配置具体的拦截的规则 pattern="请求路径的规则" access="访问系统的人,必须有ROLE_USER的角色" -->
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')"/>
<!-- 定义跳转的具体的页面 -->
<security:form-login
login-page="/login.jsp"
login-processing-url="/login.do"
default-target-url="/index.jsp"
authentication-failure-url="/failer.jsp"
authentication-success-forward-url="/pages/main.jsp"
/>
<!-- 关闭跨域请求 -->
<security:csrf disabled="true"/>
<!-- 退出 -->
<security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp"/>
</security:http>
<!-- 切换成数据库中的用户名和密码 -->
<!--authentication-manager:认证管理器-->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userService">
<!-- 配置加密的方式
一旦配置,代码部分就不能以明文显示,即"{noop}"+password失效-->
<security:password-encoder ref="passwordEncoder"/>
</security:authentication-provider>
</security:authentication-manager>
<!-- 配置加密类 -->
<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<!-- 提供了入门的方式,在内存中存入用户名和密码
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="admin" password="{noop}admin" authorities="ROLE_USER"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
-->
</beans>2.4.0 SpringSecurity使用数据库认证(知识铺垫)
- 使用
UserDetails、UserDetailsService来完成操作。SpringSecurity提供了一个UserDetails的实现类User来完成操作。 UserDetails
public interface UserDetails extends Serializable {
Collection<? extends GrantedAuthority> getAuthorities();
String getPassword();
String getUsername();
boolean isAccountNonExpired();
boolean isAccountNonLocked();
boolean isCredentialsNonExpired();
boolean isEnabled();
}User
public class User implements UserDetails, CredentialsContainer {
private String password;
private final String username;
private final Set<GrantedAuthority> authorities;
private final boolean accountNonExpired; //帐户是否过期
private final boolean accountNonLocked; //帐户是否锁定
private final boolean credentialsNonExpired; //认证是否过期
private final boolean enabled; //帐户是否可用
public User(String username, String password, Collection<? extends GrantedAuthority> authorities) {
this(username, password, true, true, true, true, authorities);
}
public User(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities) {
if (username != null && !"".equals(username) && password != null) {
this.username = username;
this.password = password;
this.enabled = enabled;
this.accountNonExpired = accountNonExpired;
this.credentialsNonExpired = credentialsNonExpired;
this.accountNonLocked = accountNonLocked;
this.authorities = Collections.unmodifiableSet(sortAuthorities(authorities));
} else {
throw new IllegalArgumentException("Cannot pass null or empty values to constructor");
}
}
}UserDetailsService
public interface UserDetailsService {
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}2.4 用户登陆
2.4.1 IUserService
- 继承
UserDetailsService
package com.ruki.eams.service;
import com.ruki.eams.domain.Role;
import com.ruki.eams.domain.UserInfo;
import org.springframework.security.core.userdetails.UserDetailsService;
import java.util.List;
public interface IUserService extends UserDetailsService {
}
2.4.2 UserServiceImpl
- 重写方法
package com.ruki.eams.service.impl;
import com.ruki.eams.dao.IUserDao;
import com.ruki.eams.domain.Role;
import com.ruki.eams.domain.UserInfo;
import com.ruki.eams.service.IUserService;
import com.sun.org.apache.bcel.internal.generic.RETURN;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import java.util.ArrayList;
import java.util.List;
@Service("userService")
@Transactional
public class UserServiceImpl implements IUserService {
@Autowired
private IUserDao userDao;
@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
UserInfo userInfo = null;
try {
userInfo = userDao.findByUsername(username);
} catch (Exception e) {
e.printStackTrace();
}
//将包含用户信息的userInfo对象封装成UserDetails,明文密码需要在密码前加上前缀
//User user = new User(userInfo.getUsername(), "{noop}"+userInfo.getPassword(), getAuthority(userInfo.getRoles()));
//配置文件中<security:password-encoder ref="passwordEncoder"/>要注释掉
//User user = new User(userInfo.getUsername(), "{noop}"+userInfo.getPassword(), userInfo.getStatus() == 1?true:false,true,true,true,getAuthority(userInfo.getRoles()));
//如果有账户状态的信息,需要传入状态信息参数
//public User(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities)
User user = new User(userInfo.getUsername(), userInfo.getPassword(), userInfo.getStatus() == 1?true:false,true,true,true,getAuthority(userInfo.getRoles()));
return user;
}
//获得用户权限集合的方法,集合中装的是角色描述
public List<SimpleGrantedAuthority> getAuthority(List<Role> roles){
List<SimpleGrantedAuthority> list = new ArrayList<>();
for(Role role : roles){
list.add(new SimpleGrantedAuthority("ROLE_"+role.getRoleName()));
}
return list;
}
@Override
public void save(UserInfo userInfo) throws Exception {
//对密码进行加密
userInfo.setPassword(bCryptPasswordEncoder.encode(userInfo.getPassword()));
userDao.save(userInfo);
}
}2.4.3 IUserDao
package com.ruki.eams.dao;
import com.ruki.eams.domain.Role;
import com.ruki.eams.domain.UserInfo;
import org.apache.ibatis.annotations.*;
import java.util.List;
public interface IUserDao {
@Select("select *from users where username=#{username}")
@Results({
@Result(id = true, property = "id", column = "id"),
@Result(property = "email", column = "email"),
@Result(property = "username", column = "username"),
@Result(property = "password", column = "password"),
@Result(property = "phoneNum", column = "phoneNum"),
@Result(property = "status", column = "status"),
@Result(property = "roles", column = "id", javaType = java.util.List.class, many = @Many(select = "com.ruki.eams.dao.IRoleDao.findRoleByUserId"))
})
UserInfo findByUsername(String username) throws Exception;
@Select("select * from users where id=#{id}")
@Results({
@Result(id = true, property = "id", column = "id"),
@Result(property = "email", column = "email"),
@Result(property = "username", column = "username"),
@Result(property = "password", column = "password"),
@Result(property = "phoneNum", column = "phoneNum"),
@Result(property = "status", column = "status"),
@Result(property = "roles", column = "id", javaType = java.util.List.class, many = @Many(select = "com.ruki.eams.dao.IRoleDao.findRoleByUserId"))
})
UserInfo findById(String id);
}
2.5 用户退出
- 在spring-security.xml文件中添加配置
<security:logout invalidate-session="true" logout-url="/logout.do" logout-successurl="/login.jsp" />2.6 总结
- 导入jar包依赖(2.1)
- 配置web.xml,设置配置文件加载路径,配置必备监听器和过滤器(2.2)
- spring-security.xml文件的配置(2.3)
IUserService继承UsersDetailIUserServiceImpl重写方法(重要)- 用SpringSecurity提供的
User增强从数据库查出来的User,并利用getAuthority(userInfo.getRoles())方法获得SimpleGrantedAuthority类型的用户权限集合 - 返回增强后的
user即可。
- 用SpringSecurity提供的
三、服务器端方法级权限控制
- 在服务器端我们可以通过Spring security提供的注解对方法来进行权限控制。Spring Security在方法的权限控制上支持三种类型的注解,
JSR-250注解、@Secured注解和支持表达式的注解,这三种注解默认都是没有启用的,需要单独通过global-method-security元素的对应属性进行启用
3.1 开启注解使用
配置文件
<security:global-method-security jsr250-annotations="enabled"/> <security:global-method-security secured-annotations="enabled"/> <security:global-method-security pre-post-annotations="disabled"/>
3.2 JSR-250注解
@RolesAllowed:访问对应方法时锁应该具有的角色@PermitAll:允许所以的角色急性访问,即不进行权限控制@DenyAll:拒绝所有角色的访问
@Controller
@RequestMapping("/product")
public class ProductController {
@Autowired
private IProductService productService;
@RequestMapping("/findAll.do")
@RolesAllowed("ADMIN")//表示只有ADMIN用户才能使用,JSR250前缀ROLE_可以省略
public ModelAndView findAll(@RequestParam(name = "page", required = true, defaultValue = "1") Integer page, @RequestParam(name="size", required = true, defaultValue = "4") Integer size) throws Exception {
ModelAndView mv = new ModelAndView();
List<Product> products = productService.findAll(page, size);
PageInfo pageInfo = new PageInfo(products);
mv.addObject("pageInfo", pageInfo);
mv.setViewName("product-page-list1");
return mv;
}
}
3.3 支持表达式的注解
@PreAuthorize在方法调用之前,基于表达式的计算结果来限制对方法的访问
@PreAuthorize("#userId == authentication.principal.userId or hasAuthority(‘ADMIN’)")
void changePassword(@P("userId") long userId ){ }
//这里表示在changePassword方法执行之前,判断方法参数userId的值是否等于principal中保存的当前用户的userId,或者当前用户是否具有ROLE_ADMIN权限,两种符合其一,就可以访问该方法。@PostAuthorize允许方法调用,但是如果表达式计算结果为false,将抛出一个安全性异常@PostFilter允许方法调用,但必须按照表达式来过滤方法的结果@PreFilter允许方法调用,但必须在进入方法之前过滤输入值
3.4 @Secured注解
@Secured注解标注的方法进行权限控制的支持,其值默认为disabled。
@Controller
@RequestMapping("/orders")
public class OrdersController {
@Autowired
private IOrdersService ordersService;
@RequestMapping("/findAll.do")
@Secured("ROLE_ADMIN")// @Secured注解下,前缀不能省略
public ModelAndView findAll(@RequestParam(name = "page", required = true, defaultValue = "1") Integer page, @RequestParam(name = "size", required = true, defaultValue = "4") Integer size) throws Exception {
ModelAndView mv = new ModelAndView();
List<Orders> ordersList = ordersService.findAll(page, size);
//PageInfo就是一个分页Bean
PageInfo pageInfo = new PageInfo(ordersList);
mv.addObject("pageInfo", pageInfo);
mv.setViewName("orders-page-list");
return mv;
}
}四、页面端标签控制权限
- 在jsp页面中我们可以使用spring security提供的权限标签来进行权限控制
4.1 导入依赖
4.1.1 maven导入
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>version</version>
</dependency>4.1.2 页面导入
<%@taglib uri="http://www.springframework.org/security/tags" prefix="security"%>4.2 常用标签
4.2.1 authentication
<security:authentication property="" htmlEscape="" scope="" var=""/>property: 只允许指定Authentication所拥有的属性,可以进行属性的级联获取,如“principle.username”,不允许直接通过方法进行调用htmlEscape:表示是否需要将html进行转义。默认为true。scope:与var属性一起使用,用于指定存放获取的结果的属性名的作用范围,默认为pageContext。Jsp中拥有的作用范围都进行进行指定var: 用于指定一个属性名,这样当获取到了authentication的相关信息后会将其以var指定的属性名进行存放,默认是存放在pageConext中
4.2.2 authorize
authorize是用来判断普通权限的,通过判断用户是否具有对应的权限而控制其所包含内容的显示
<security:authorize access="" method="" url="" var=""></security:authorize>access: 需要使用表达式来判断权限,当表达式的返回结果为true时表示拥有对应的权限method:method属性是配合url属性一起使用的,表示用户应当具有指定url指定method访问的权限,method的默认值为GET,可选值为http请求的7种方法url:url表示如果用户拥有访问指定url的权限即表示可以显示authorize标签包含的内容var:用于指定将权限鉴定的结果存放在pageContext的哪个属性中
<security:authorize access="hasRole('ADMIN')"><%-- ADMIN角色才能看得到--%>
<a href="${pageContext.request.contextPath}/user/findAll.do">
<i class="fa fa-circle-o"></i>
用户管理
</a>
</security:authorize>4.2.3 accesscontrollist
accesscontrollist标签是用于鉴定ACL权限的。其一共定义了三个属性:hasPermission、domainObject和var,其中前两个是必须指定的
<security:accesscontrollist hasPermission="" domainObject="" var=""></security:accesscontrollist>hasPermission:hasPermission属性用于指定以逗号分隔的权限列表domainObject:domainObject用于指定对应的域对象var:var则是用以将鉴定的结果以指定的属性名存入pageContext中,以供同一页面的其它地方使用