①. 前言
1>.
认证和授权概念
认证
:只需要用户表就可以了,在用户登录时可以查询用户表t_user进行校验,判断 用户输入的用户名和密码是否正确
授权过程
:用户必须完成认证之后才可以进行授权,首先可以根据用户查询其角色,再 根据角色查询对应的菜单,这样就确定了用户能够看到哪些菜单。然后再根据用户的角 色查询对应的权限,这样就确定了用户拥有哪些权限
②. Spring Security 入门案例
2>.
Spring Security 入门案例
①. 导包
<dependency> <groupId>org.springframework.security</groupId> <artifactId>spring‐security‐web</artifactId> <version>5.0.5.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring‐security‐config</artifactId> <version>5.0.5.RELEASE</version> </dependency>
②.环境搭建 [ 创建maven工程,打包方式为war,为了方便起见我们可以让入门案例工程依赖 health_interface,这样相关的依赖都继承过来了]
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.itheima</groupId> <artifactId>springsecuritydemo</artifactId> <version>1.0-SNAPSHOT</version> <packaging>war</packaging> <properties> <spring.version>5.0.5.RELEASE</spring.version> </properties> <dependencies> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>servlet-api</artifactId> <version>2.5</version> <scope>provided</scope> </dependency> </dependencies> <!--tomcat7插件--> <build> <plugins> <plugin> <groupId>org.apache.tomcat.maven</groupId> <artifactId>tomcat7-maven-plugin</artifactId> <configuration> <!-- 指定端口 --> <port>85</port> <uriEncoding>UTF-8</uriEncoding> <!-- 请求路径 --> <path>/</path> </configuration> </plugin> </plugins> </build> </project>
③. 配置web.xml
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd" > <web-app> <display-name>Archetype Created Web Application</display-name> <filter> <!-- DelegatingFilterProxy用于整合第三方框架 整合Spring Security时过滤器的名称必须为springSecurityFilterChain, 否则会抛出NoSuchBeanDefinitionException异常 --> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <servlet> <servlet-name>springmvc</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <!-- 指定加载的配置文件 ,通过参数contextConfigLocation加载 --> <init-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:spring-security.xml</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>springmvc</servlet-name> <url-pattern>*.do</url-pattern> </servlet-mapping> </web-app>
④.配置spring-security.xml [ 在spring-security.xml中主要配置Spring Security的拦截规则和认证管理器 ]
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:dubbo="http://code.alibabatech.com/schema/dubbo" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <!-- auto-config:自动配置,如果设置为true,表示可以自动应用一些配置,比如框架会提供一个默认 的登录页面 use-expressions:是否使用spring security提供表达式来描述权限 --> <security:http auto-config="true" use-expressions="true"> <!-- 配置拦截规则,/**表示拦截所有请求 pattern:来描述拦截规则 access:指定所需的访问角色、访问权限 注意:use-expressions 和 access 相匹配的 如果use-expressions=false,则access=“‘ROLE_ADMIN’” --> <security:intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')"/> </security:http> <!--认证管理器 --> <security:authentication-manager> <!--配置认证的提供者--> <security:authentication-provider> <security:user-service> <!--配置一个具体的用户,后期需要从数据库查询用户--> <security:user name="admin" password="{noop}1234" authorities="ROLE_ADMIN"/> </security:user-service> </security:authentication-provider> </security:authentication-manager> </beans>
⑤. 访问路径如下: