01.SpringSecurity基础应用——概念、整合SpringSecurity、自定义登录页面、数据库验证、Remember me、授权操作
2021/6/3 2:21:24
本文主要是介绍01.SpringSecurity基础应用——概念、整合SpringSecurity、自定义登录页面、数据库验证、Remember me、授权操作,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!
一、SpringSecurity概念
SpringSecurity是Spring采用AOP思想,基于servlet过滤器实现的安全框架。它提供了完善的认证机制和方法级的授权功能。是一款非常优秀的权限管理框架。
SpringSecurity是一个功能强大且高度可定制的身份验证和访问控制框架。它是用于保护基于Spring的应用程序的事实上的标准。
SpringSecurity是一个框架,致力于为Java应用程序提供身份验证和授权。像所有Spring项目一样,SpringSecurity的真正强大支出在于它轻松扩展以满足定制需求的能力。
特征:
- 对身份验证和授权的全面且可扩展的支持
- 包括免受会话固定,点击劫持,跨站点请求伪造等攻击
- servlet Api 集成
- 与Spring Web MVC的可选集成
二、入门案例
1.环境准备
我们准备一个SpringMVC+Spring+jsp的Web环境
1.1 创建Web项目
1.2 导入依赖
<dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>4.11</version> <scope>test</scope> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>5.1.6.RELEASE</version> </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>servlet-api</artifactId> <scope>provided</scope> <version>2.5</version> </dependency> <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> <version>1.7.28</version> </dependency>
配置Tomcat
<plugins> <plugin> <groupId>org.apache.tomcat.maven</groupId> <artifactId>tomcat7-maven-plugin</artifactId> <version>2.2</version> <configuration> <port>8080</port> <path>/</path> <uriEncoding>utf-8</uriEncoding> </configuration> </plugin> </plugins>
1.3 添加相关的配置文件
1.3.1 applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> </beans>
1.3.2 spring-mvc.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> </beans>
1.3.3 log4j.properties
log4j.rootCategory=INFO, stdout , R log4j.appender.stdout=org.apache.log4j.ConsoleAppender log4j.appender.stdout.layout=org.apache.log4j.PatternLayout log4j.appender.stdout.layout.ConversionPattern=[QC] %p [%t] %C.%M(%L) | %m%n
1.3.4 web.xml
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd" > <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <display-name>Archetype Created Web Application</display-name> <!--初始化spring容器--> <context-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:applicationContext.xml</param-value> </context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <!-- 配置一个SpringMVC的前端控制器 目的是所有的客户端的请求都会被DispatcherServlet处理 --> <servlet> <servlet-name>springmvc</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <init-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:spring-mvc.xml</param-value> </init-param> </servlet> <servlet-mapping> <!--支持Restful风格编程--> <servlet-name>springmvc</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <!--配置字符编码的过滤器--> <!--设置设置编码的过滤器--> <filter> <filter-name>encodingFilter</filter-name> <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>forceRequestEncoding</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>forceResponseEncoding</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>encodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!--default 防止静态资源--> <servlet-mapping> <servlet-name>default</servlet-name> <url-pattern>*.html</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>default</servlet-name> <url-pattern>*.css</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>default</servlet-name> <url-pattern>*.js</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>default</servlet-name> <url-pattern>*.jpg</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>default</servlet-name> <url-pattern>*.png</url-pattern> </servlet-mapping> </web-app>
2.整合SpringSecurity
2.1 添加相关的依赖
依赖 | 说明 |
---|---|
spring-security-core.jar | 核心包,然和SpringSecurity的功能都需要此包 |
spring-security-web.jar | web工程必备,包含过滤器和相关的web安全的基础结构代码 |
spring-security-config.jar | 用于xml文件解析处理 |
spring-security-tablibs.jar | 动态标签库 |
<!--添加SpringSecurity的相关依赖--> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>5.1.5.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-taglibs</artifactId> <version>5.1.5.RELEASE</version> </dependency>
2.2 web.xml配置文件中配置SpringSecurity
<!--配置过滤器链 springSecurityFilterChain 名称固定--> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
2.3 添加SpringSecurity的配置文件
2.4 测试
3.自定义登录页面
3.1 登录页面
<%@ page contentType="text/html;charset=UTF-8" language="java" %> <html> <head> <title>Title</title> </head> <body> <h1>登录页面</h1> <form action="/login" method="post"> 账号:<input type="text" name="username"><br> 密码:<input type="password" name="password"><br> <input type="submit" value="登录"> </form> </body> </html>
3.2 配置文件配置认证的信息
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd "> <!--SpringSecurity配置文件--> <!-- auto-config:表示自动加载SpringSecurity的配置文件 use-expressions:表示使用Spring的EL表达式 --> <security:http auto-config="true" use-expressions="true"> <!-- 匿名访问 access="permitAll()" 表示放过 --> <security:intercept-url pattern="/login.jsp" access="permitAll()"/> <!-- 拦截资源 pattern="/**" 拦截所有的资源 access="hasAnyRole('ROLE_USER')" 表示只有ROLE_USER这个角色可以访问资源 --> <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')"></security:intercept-url> <!-- 配置认证的信息 --> <security:form-login login-page="/login.jsp" login-processing-url="/login" default-target-url="/home.jsp" authentication-failure-url="/error.jsp" /> <!-- 注销 --> <security:logout logout-url="/logout" logout-success-url="/login.jsp"/> </security:http> <!--认证用户信息--> <security:authentication-manager> <security:authentication-provider> <security:user-service> <!-- 设置一个账号zhangsan 密码123 {noop}表示不加密 具有的角色是 ROLE_USER --> <security:user name="zhangsan" authorities="ROLE_USER" password="{noop}123"></security:user> <security:user name="lisi" authorities="ROLE_USER" password="{noop}123456"></security:user> </security:user-service> </security:authentication-provider> </security:authentication-manager> </beans>
3.3 测试
3.4 提交会出现403错误
3.4.1 CSRF拦截
为什么系统默认的登录页面提交没有CRSF拦截的问题呢?
3.5 解决403错误方法
3.5.1 方法一
关闭CSRF
3.5.2 方法二
使用CSRF防护
4.数据库认证
4.1 引入相关依赖
<!--数据库--> <dependency> <groupId>org.mybatis</groupId> <artifactId>mybatis</artifactId> <version>3.5.4</version> </dependency> <dependency> <groupId>org.mybatis</groupId> <artifactId>mybatis-spring</artifactId> <version>2.0.4</version> </dependency> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <version>8.0.17</version> </dependency> <dependency> <groupId>com.alibaba</groupId> <artifactId>druid</artifactId> <version>1.0.9</version> </dependency>
4.2 创建db.properties
jdbc.driver=com.mysql.cj.jdbc.Driver jdbc.url=jdbc:mysql://localhost:3306/logistics?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC jdbc.username=root jdbc.password=123456
4.3 在applicationContext.xml配置
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context.xsd"> <context:component-scan base-package="com.biao.service" ></context:component-scan> <!--SpringSecurity的配置文件--> <import resource="classpath:spring-security.xml"/> <context:property-placeholder location="classpath:db.properties"/> <bean class="com.alibaba.druid.pool.DruidDataSource" id="dataSource"> <property name="url" value="${jdbc.url}"/> <property name="driverClassName" value="${jdbc.driver}"/> <property name="username" value="${jdbc.username}"/> <property name="password" value="${jdbc.password}"/> </bean> <bean class="org.mybatis.spring.SqlSessionFactoryBean" id="sessionFactoryBean"> <property name="dataSource" ref="dataSource"/> <property name="configLocation" value="classpath:mybatis-config.xml"/> <property name="mapperLocations" value="classpath:mapper/*.xml"/> </bean> <bean class="org.mybatis.spring.mapper.MapperScannerConfigurer"> <property name="basePackage" value="com.biao.mapper"/> </bean> </beans>
4.4 需要完成认证的Service中继承UserDetailService父接口
package com.biao.service; import org.springframework.security.core.userdetails.UserDetailsService; /** * 要实现数据库验证 * 我们自定义的Service需要继承UserDetailsService接口 */ public interface IUserService extends UserDetailsService { }
4.5 实现类中实现验证方法
package com.biao.service.impl; import com.biao.mapper.UserMapper; import com.biao.pojo.User; import com.biao.pojo.UserExample; import com.biao.service.IUserService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Service; import java.util.ArrayList; import java.util.List; @Service public class UserServiceImpl implements IUserService { @Autowired private UserMapper mapper; @Override public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException { // 根据账号查询用户信息 UserExample example = new UserExample(); example.createCriteria().andUserNameEqualTo(s); List<User> users = mapper.selectByExample(example); if (users != null && users.size() > 0){ User user = users.get(0); if (user != null ){ List<SimpleGrantedAuthority> authorities = new ArrayList<>(); //设置登录账号的角色 authorities.add(new SimpleGrantedAuthority("ROLE_USER")); UserDetails userDetails = new org.springframework.security.core.userdetails.User( user.getUserName(),"{noop}"+user.getPassword(),authorities ); return userDetails; } } return null; } }
4.6 最后修改SpringSecurity配置文件关联我们的service即可
4.7 加密
在SpringSecurity中推荐我们是使用的加密算法是BCryptPasswordEncoder
4.7.1 首先生成密文,保存到数据库
4.7.2 修改配置文件
在验证信息放开,说明用什么验证
4.7.3 去掉{noop}
4.8 认证状态
用户的状态包括 是否可用,账号过期,凭证过期,账号锁定
有重载的方法的可以使用
我们可以在用户的表结构中添加相关字段来维护这种关系
5.记住我Remember me功能
5.1 在表单页面添加一个记住我的按钮
<%@ page contentType="text/html;charset=UTF-8" language="java" %> <%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %> <html> <head> <title>Title</title> </head> <body> <h1>登录页面</h1> <form action="/login" method="post"> 账号:<input type="text" name="username"><br> 密码:<input type="password" name="password"><br> <input type="checkbox" name="remember-me" value="true"> 记住我 <br> <security:csrfInput/> <input type="submit" value="登录"> </form> </body> </html>
5.2 配置文件中开启
在SpringSecurity中是默认关闭RememberMe功能的,我们需要放开
记住我的功能会方便大家的使用,但是安全性却是令人担忧的,因为Cookie信息存储在客户端很容易被人盗取,这时我们可以将这些数据持久化到数据库中。
5.3 持久化记住我
5.3.1 建立一个表
CREATE TABLE `persistent_logins` ( `username` varchar(64) NOT NULL, `series` varchar(64) NOT NULL, `token` varchar(64) NOT NULL, `last_used` timestamp NOT NULL, PRIMARY KEY (`series`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8
5.3.2 修改配置文件
6.授权
6.1 注解使用
6.1.1 开启注解的支持
在SpringMVC的配置文件中
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd"> <context:component-scan base-package="com.biao.controller"></context:component-scan> <mvc:annotation-driven/> <!-- 开启权限控制注解支持 jsr250-annotations="enabled" 表示支持jsr250-api的注解支持,需要jsr250-api的jar包 pre-post-annotations="enabled" 表示支持Spring的表达式注解 secured-annotations="enabled" 这个才是SpringSecurity提供的注解 --> <security:global-method-security jsr250-annotations="enabled" pre-post-annotations="enabled" secured-annotations="enabled" /> </beans>
6.1.2 添加依赖
<dependency> <groupId>javax.annotation</groupId> <artifactId>jsr250-api</artifactId> <version>1.0</version> </dependency>
6.1.3 控制器通过注解设置
package com.biao.controller; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import javax.annotation.security.RolesAllowed; @Controller @RequestMapping("/user") public class UserController { @RolesAllowed(value = {"ROLE_ADMIN"}) @RequestMapping("/query") public String query(){ System.out.println("用户查询"); return "/home.jsp"; } @RolesAllowed(value = {"ROLE_USER"}) @RequestMapping("/save") public String save(){ System.out.println("用户查询"); return "/home.jsp"; } @RolesAllowed(value = {"ROLE_USER"}) @RequestMapping("/update") public String update(){ System.out.println("用户查询"); return "/home.jsp"; } }
6.1.4 测试
6.1.5 Spring表达式的使用
package com.biao.controller; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import javax.annotation.security.RolesAllowed; @Controller @RequestMapping("/order") public class OrderController { @PreAuthorize(value = "hasAnyRole('ROLE_USER')") @RequestMapping("/query") public String query(){ System.out.println("用户查询"); return "/home.jsp"; } @PreAuthorize(value = "hasAnyRole('ROLE_ADMIN')") @RequestMapping("/save") public String save(){ System.out.println("用户查询"); return "/home.jsp"; } @PreAuthorize(value = "hasAnyRole('ROLE_USER')") @RequestMapping("/update") public String update(){ System.out.println("用户查询"); return "/home.jsp"; } }
6.1.6 SpringSecurity提供的注解
package com.biao.controller; import org.springframework.security.access.annotation.Secured; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; @Controller @RequestMapping("/role") public class RoleController { @Secured("ROLE_USER") @RequestMapping("/query") public String query(){ System.out.println("用户查询"); return "/home.jsp"; } @Secured("ROLE_ADMIN") @RequestMapping("/save") public String save(){ System.out.println("用户查询"); return "/home.jsp"; } @Secured("ROLE_USER") @RequestMapping("/update") public String update(){ System.out.println("用户查询"); return "/home.jsp"; } }
6.1.7 异常处理
新增一个错误页面,然后在SpringSecurity的配置文件中配置即可
6.2 标签使用
前面介绍的注解的权限管理可以控制用户是否具有这个操作的权限,但是当用户具有这个权限后进入到具体的操作页面,这时我们还有进行更细粒度的控制,这时注解的方式就不太适用了,这时我们可以通过标签来处理。
<html> <head> <title>主页</title> </head> <body> <h1>欢迎光临</h1> <security:authentication property="principal.username"/> <security:authorize access="hasAnyRole('ROLE_USER')"> <a href="#">用户查询</a> </security:authorize> <a href="#">用户添加</a> <security:authorize access="hasAnyRole('ROLE_ADMIN')"> <a href="#">用户更新</a> </security:authorize> <security:authorize access="hasAnyRole('ROLE_USER')"> <a href="#">用户删除</a> </security:authorize> </body> </html>
页面效果
这篇关于01.SpringSecurity基础应用——概念、整合SpringSecurity、自定义登录页面、数据库验证、Remember me、授权操作的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!
- 2024-10-05小米13T Pro系统合集:性能与摄影的极致融合,值得你升级的系统ROM
- 2024-10-01基于Python+Vue开发的医院门诊预约挂号系统
- 2024-10-01基于Python+Vue开发的旅游景区管理系统
- 2024-10-01RestfulAPI入门指南:打造简单易懂的API接口
- 2024-10-01初学者指南:了解和使用Server Action
- 2024-10-01Server Component入门指南:搭建与配置详解
- 2024-10-01React 中使用 useRequest 实现数据请求
- 2024-10-01使用 golang 将ETH账户的资产平均分散到其他账户
- 2024-10-01JWT用户校验课程:从入门到实践
- 2024-10-01Server Component课程入门指南