1.自定义认证类
1.pom.xml、web.xml 参照运营商管理后台
2.在 pinyougou-shop-web 创 建 com.pinyougou.service 包 , 包 下 创 建 类UserDetailsServiceImpl.java 实现 UserDetailsService 接口
package com.pyg.shop.service.impl; import java.util.ArrayList; import java.util.List; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import com.pyg.manager.service.SellerService; import com.pyg.pojo.TbSeller; public class UserDetailsServiceImpl implements UserDetailsService { private SellerService sellerService; public SellerService getSellerService() { return sellerService; } public void setSellerService(SellerService sellerService) { this.sellerService = sellerService; } @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { //定义角色封装集合 List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); //添加角色 authorities.add(new SimpleGrantedAuthority("ROLE_USER")); //调用商家服务对象,查询商家密码 TbSeller seller = sellerService.findOne(username); return new User(username, seller.getPassword(), authorities); } }
3.在 pinyougou-shop-web 的 spring 目录下创建 spring-security.xml
<?xml version="1.0" encoding="UTF-8"?> <bean:beans xmlns="http://www.springframework.org/schema/security" xmlns:dubbo="http://code.alibabatech.com/schema/dubbo" xmlns:bean="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd"> <!-- 在权限认证之前访问资源需要放行 --> <http pattern="/shoplogin.html" security="none"></http> <http pattern="/error.html" security="none"></http> <http pattern="/register.html" security="none"></http> <http pattern="/css/**" security="none"></http> <http pattern="/js/**" security="none"></http> <http pattern="/img/**" security="none"></http> <http pattern="/plugins/**" security="none"></http> <!-- 商家入驻url --> <http pattern="/seller/add" security="none"></http> <!-- http安全控制规则 --> <http> <intercept-url pattern="/**" access="hasRole('ROLE_USER')" /> <!-- 表单认证 --> <form-login login-page="/shoplogin.html" default-target-url="/admin/index.html" always-use-default-target="true" authentication-failure-url="/error.html" login-processing-url="/login" /> <!-- 屏蔽跨域 --> <csrf disabled="true" /> <!-- 配置ifram访问 --> <headers> <frame-options policy="SAMEORIGIN" /> </headers> <!-- 推出登录配置 --> <!-- logout: spring security 安全框架自动生成推出地址:/logout --> <logout logout-success-url="/shoplogin.html" /> </http> <!-- 引用dubbo 服务 --> <dubbo:application name="pinyougou-shop-web" /> <dubbo:registry address="zookeeper://192.168.232.128:2181" /> <!-- xml引入sellerService对象 --> <dubbo:reference id="sellerService" interface="com.pyg.manager.service.SellerService"></dubbo:reference> <!-- 配置认证管理器 --> <authentication-manager> <authentication-provider user-service-ref="userDetailsServiceImpl"> <password-encoder ref="passwordEncoder"></password-encoder> </authentication-provider> </authentication-manager> <!-- 自定义认证类 --> <bean:bean id="userDetailsServiceImpl" class="com.pyg.shop.service.impl.UserDetailsServiceImpl"> <bean:property name="sellerService" ref="sellerService"></bean:property> </bean:bean> <!-- 定义spring security安全加密算法对象 --> <bean:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"></bean:bean> </bean:beans>
2.认证类调用服务方法
修改 UserDetailsServiceImpl.java ,添加属性和 getter setter 方法 ,修改 loadUserByUsername方法。
public class UserDetailsServiceImpl implements UserDetailsService { private SellerService sellerService; public SellerService getSellerService() { return sellerService; } public void setSellerService(SellerService sellerService) { this.sellerService = sellerService; } @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { //定义角色封装集合 List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); //添加角色 authorities.add(new SimpleGrantedAuthority("ROLE_USER")); //调用商家服务对象,查询商家密码 TbSeller seller = sellerService.findOne(username); return new User(username, seller.getPassword(), authorities); } }
修改 pinyougou-shop-web 的 spring-security.xml ,添加如下配置
<!-- 引用dubbo 服务 --> <dubbo:application name="pinyougou-shop-web" /> <dubbo:registry address="zookeeper://192.168.232.128:2181" /> <!-- xml引入sellerService对象 --> <dubbo:reference id="sellerService" interface="com.pyg.manager.service.SellerService"></dubbo:reference> <!-- 配置认证管理器 --> <authentication-manager> <authentication-provider user-service-ref="userDetailsServiceImpl"> <password-encoder ref="passwordEncoder"></password-encoder> </authentication-provider> </authentication-manager> <!-- 自定义认证类 --> <bean:bean id="userDetailsServiceImpl" class="com.pyg.shop.service.impl.UserDetailsServiceImpl"> <bean:property name="sellerService" ref="sellerService"></bean:property> </bean:bean>
3.密码加密
1.BCrypt 加密算法
用户表的密码通常使用 MD5 等不可逆算法加密后存储,为防止彩虹表破解更会先使用一个特定的字符串(如域名)加密,然后再使用一个随机的 salt(盐值)加密。 特定字符串是程序代码中固定的,salt 是每个密码单独随机,一般给用户表加一个字段单独存储,比较麻烦。 BCrypt 算法将 salt 随机并混入最终加密后的密码,验证时也无需单独提供之前的salt,从而无需单独处理 salt 问题。
2.商家入驻密码加密
商家申请入驻的密码要使用 BCrypt 算法进行加密存储,修改 SellerController.java 的 add 方法
/** * 增加 * @param seller * @return */ @RequestMapping("/add") public Result add(@RequestBody TbSeller seller){ //密码加密 BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(); String password = passwordEncoder.encode(seller.getPassword()); seller.setPassword(password); try { sellerService.add(seller); return new Result(true, "增加成功"); } catch (Exception e) { e.printStackTrace(); return new Result(false, "增加失败"); } }
3.加密配置
修改 pinyougou-shop-web 的 spring-security.xml ,添加如下配置
<bean:bean id="bcryptEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
修改认证管理器的配置
<!-- 认证管理器 --> <authentication-manager alias="authenticationManager"> <authentication-provider user-service-ref='userDetailService'> <password-encoder ref="bcryptEncoder"></password-encoder> </authentication-provider> </authentication-manager>