Spring Security中的UsernamePasswordAuthenticationFilter是用於處理基於表單的登錄請求。
UserDetails定義了Spring Security中用戶的一些基本信息。
這里通過實現UserDetails,繼承UserDetailsService實現loadUserByUsername方法來實現。
實體SysUser:
package cn.sivan.pojo;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.springframework.security.core.GrantedAuthority;
@Data
@NoArgsConstructor
@AllArgsConstructor
public class SysRole implements GrantedAuthority {
private Integer id;
private String roleName;
private String roleDesc;
@Override
public String getAuthority() {
return roleName;
}
}
實體SysUser:
package cn.sivan.pojo;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.Collection;
import java.util.List;
@Data
@NoArgsConstructor
@AllArgsConstructor
public class SysUser implements UserDetails {
private Integer id;
private String username;
private String password;
private Integer status;
private List<SysRole> roles;
/**
* 用戶的權限信息,通常使用角色表示
* @return
*/
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return roles;
}
/**
* 賬號是否過期
* @return
*/
@Override
public boolean isAccountNonExpired() {
return true;
}
/**
* 賬號是鎖定
* @return
*/
@Override
public boolean isAccountNonLocked() {
return true;
}
/**
* 密碼是否過期
* @return
*/
@Override
public boolean isCredentialsNonExpired() {
return true;
}
/**
* 賬號是否可用
* @return
*/
@Override
public boolean isEnabled() {
return status == 1;
}
}
使用mybatis,mapper實例:
package cn.sivan.mapper;
import cn.sivan.pojo.SysRole;
import org.apache.ibatis.annotations.Select;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Repository;
import java.util.List;
@Component
public interface RoleMapper {
@Select("select r.id,r.ROLE_NAME roleName,r.ROLE_DESC roleDesc " +
"from sys_role r,sys_user_role ur " +
"where r.ID=ur.RID and ur.UID=#{uid}")
List<SysRole> findRoleByUid(Integer uid);
}
package cn.sivan.mapper;
import cn.sivan.pojo.SysUser;
import org.apache.ibatis.annotations.Many;
import org.apache.ibatis.annotations.Result;
import org.apache.ibatis.annotations.Results;
import org.apache.ibatis.annotations.Select;
import org.springframework.stereotype.Component;
import java.util.List;
@Component
public interface UserMapper {
@Select("select * from sys_user u where u.username=#{username}")
@Results({
@Result(id = true, property = "id", column = "id"),
@Result(property = "roles", column = "id", javaType = List.class,
many = @Many(select = "cn.sivan.mapper.RoleMapper.findRoleByUid"))
})
SysUser findUserByUsername(String username);
}
實現UserDetailsService:
package cn.sivan.service.impl;
import cn.sivan.mapper.UserMapper;
import cn.sivan.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
@Component
public class UserServiceImpl implements UserService {
@Autowired
private UserMapper userMapper;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
UserDetails user = userMapper.findUserByUsername(username);
if (user == null) {
throw new UsernameNotFoundException("不存在該用戶!");
}
return user;
}
}
SpringSecurity配置:
package cn.sivan.config;
import cn.sivan.service.LoginValidateAuthenticationProvider;
import cn.sivan.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@EnableWebSecurity
public class SpringSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private UserService userService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//指定userDetailsService
auth.userDetailsService(userService).passwordEncoder(new BCryptPasswordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers( "/favicon.ico").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login/user")
.loginProcessingUrl("/login")
.defaultSuccessUrl("/")
.failureUrl("/login/failure")
.permitAll()
.and()
.logout()
.logoutSuccessUrl("/login/user")
.logoutUrl("/logout")
.invalidateHttpSession(true)
.permitAll()
.and()
.csrf()
.disable();
}
}