springboot2.0--结合spring security5.0进行权限控制,从数据库中取权限信息及增加验证码

  1.在pom.xml中增加spring security jar的引用:     
     <dependency>
      <groupId>org.springframework.bootgroupId>
      <artifactId>spring-boot-starter-securityartifactId>
   dependency>
2.增加一个配置类MySecurityConfig,该类继承WebSecurityConfigurerAdapter;
package com.lxht.emos.config;

import com.lxht.emos.bean.MenuBean;
import com.lxht.emos.security.MyUserDetailsService;
import com.lxht.emos.security.MyValidCodeProcessingFilter;
import com.lxht.emos.service.MenuService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

import java.util.List; @EnableWebSecurity
public class MySecurityConfig extends WebSecurityConfigurerAdapter {
    private String loginPage = "/userLogin";
    private String failureUrl = "/userLogin?error=T";
    private String successUrl = "/userLogin?error=F";
    private String applyCheckCode = "/applyCheckCode";

    @Autowired
    MenuService menuService;

    public MySecurityConfig() {
        super(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.securityContext().securityContextRepository(securityContextRepository());
        //从数据库读取对应的url地址及权限角色
        List  menuBeanList =  menuService.getMenus();
        for(MenuBean tmpBean : menuBeanList) {
            http.authorizeRequests().antMatchers(tmpBean.getMenuUrl()).hasAnyRole(tmpBean.getRoleIds().split(","));
        }
        //设置登录界面
        http.authorizeRequests()
                .and()
             //增加一个对验证码进行判断的filte
             .addFilterBefore(validCodeProcessingFilter(),UsernamePasswordAuthenticationFilter.class)              .formLogin().loginPage(getLoginPage()).failureUrl(getFailureUrl())
                           .failureForwardUrl(getFailureUrl()).
                           successForwardUrl(getSuccessUrl()).permitAll();
    }
   
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
     //设置根据用户名获取用户信息的自定义userDetailsService类,该类从数据库中读用用户信息
auth.userDetailsService(userDetailsService());
    }
    
    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
        web.ignoring().antMatchers(applyCheckCode); //设置申请验证码的url不进行访问控制
    }

    @SuppressWarnings("deprecation")
    @Bean
    public static NoOpPasswordEncoder passwordEncoder() { 
      //这里使用了密码不进行加密验证,正式项目还是必须要用加密验证方式
      return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance(); 
}
@Bean
public UserDetailsService userDetailsService() {
 MyUserDetailsService myUserDetailsService = new MyUserDetailsService(); return myUserDetailsService;
 }
@Bean
public SecurityContextRepository securityContextRepository() {
      //设置对spring security的UserDetails进行session保存,这个必须要有,不然不会保存至session对应的缓存redis中
        HttpSessionSecurityContextRepository httpSessionSecurityContextRepository = 
 new HttpSessionSecurityContextRepository();
        return httpSessionSecurityContextRepository;
    }

    @Bean
    public MyValidCodeProcessingFilter validCodeProcessingFilter() throws Exception{
        //设置对应的验证码验证filter,上面configure方法中通过
        //.addFilterBefore(validCodeProcessingFilter(),UsernamePasswordAuthenticationFilter.class)
        //将该filter放至UsernamePasswordAuthenticationFilter之间
        MyValidCodeProcessingFilter myValidCodeProcessingFilter = new MyValidCodeProcessingFilter(getLoginPage());
        myValidCodeProcessingFilter.getFailureHandler().setDefaultFailureUrl(getFailureUrl());
        myValidCodeProcessingFilter.setAuthenticationManager(this.authenticationManager());

        return myValidCodeProcessingFilter;
    }

    public String getLoginPage() {
        return loginPage;
    }

    public void setLoginPage(String loginPage) {
        this.loginPage = loginPage;
    }

    public String getFailureUrl() {
        return failureUrl;
    }

    public void setFailureUrl(String failureUrl) {
        this.failureUrl = failureUrl;
    }

    public String getSuccessUrl() {
        return successUrl;
    }

    public void setSuccessUrl(String successUrl) {
        this.successUrl = successUrl;
    }

    public String getApplyCheckCode() {
        return applyCheckCode;
    }

    public void setApplyCheckCode(String applyCheckCode) {
        this.applyCheckCode = applyCheckCode;
    }
}
下面对该类代码进行一下详细的解译:
(1)@EnableWebSecurity表示启用spring security进行web访问控制;
(2)引入MenuService menuService,表示从数据库读取配置的url访问控制;menuService从数据库(mysql)中读取的数据格式(表名:sys_menus)如下:
 
menu_id menu_name     menu_url rold_ids
1 用户登录 /userAuth 1,2
2 总控开关 /** 1,2
 其中role_ids表示访问该url项的角色id,多个角色以,分隔; (3)构造方法,super(true)表示取消spring security的默认设置项,因为我的应用结合了cache redis和session redis, 发现不取消默认设置项,自定义的userDetailsService不执行; 
 public MySecurityConfig() {
      super(true);
   }
(4)configure(HttpSecurity http)方法代码说明
   略,详见方法听注释
(5)对应的MyUserDetailsService类的内容:
     
package com.lxht.emos.security;

import com.lxht.emos.bean.UserBean;
import com.lxht.emos.bean.UserRolesBean;
import com.lxht.emos.bean.UserSessionBean;
import com.lxht.emos.service.UserService;
import com.lxht.emos.utils.ConstantVal;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.util.AutoPopulatingList;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
 public class MyUserDetailsService implements UserDetailsService {

    @Autowired
    private UserService userService; //从数据库中读取用户的信息

    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        ArrayList authorities = new ArrayList();
        UserBean userBean = new UserBean();
        userBean.setLoginName(s);
        UserBean userInfo = userService.getUserInfo(userBean); //读取用户信息
        if(userInfo == null) {
            throw new UsernameNotFoundException("username is not exist.");
        }

        UserRolesBean userRolesBean = new UserRolesBean();
        userRolesBean.setUserId(userInfo.getUserId());
        List rolesBeanList =  userService.getRolesBeanById(userRolesBean); //根据用户id读取用户的权限角色
        for(UserRolesBean tmpRoleBean : rolesBeanList) {
            authorities.add(new SimpleGrantedAuthority(ConstantVal.ROLE_PREFIX + tmpRoleBean.getRoleId().toString()));
        }

        User userDetails = new User(userInfo.getLoginName(),userInfo.getUserPwd(),authorities);
        return userDetails;
    }
}   
 用户表及用户与角色对应表内容:
    
(6)自定义MyValidCodeProcessingFilter内容:
package com.lxht.emos.security;

import com.lxht.emos.utils.ConstantVal;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
 public class MyValidCodeProcessingFilter extends AbstractAuthenticationProcessingFilter {
    public MyValidCodeProcessingFilter(String defaultFilterProcessesUrl) {
        super(defaultFilterProcessesUrl);
        setContinueChainBeforeSuccessfulAuthentication(true); //设置为true,否则该filter执行完毕后,将不会转至UsernamePasswordAuthenticationFilter执行,原因请查看AbstractAuthenticationProcessingFilter类的dofilter方法
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        String username = request.getParameter(ConstantVal.PAR_USER_NAME);
        String password = request.getParameter(ConstantVal.PAR_PASSWORD);
        String validCode = request.getParameter(ConstantVal.PAR_CHECK_CODE);
        valid(validCode, request.getSession()); //验证用户从前台录入的验证码是否有效
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
        return token;
    }
    
    //进行验证码验证的方法
    public void valid(String validCode, HttpSession session) {
        if (validCode == null) {
            throw new BadCredentialsException("验证码为空!");
        }

        String checkCode = (String)session.getAttribute(ConstantVal.CHECK_CODE);
        if (!validCode.equals(checkCode)) {
            session.removeAttribute(ConstantVal.CHECK_CODE);
            throw new BadCredentialsException("验证码错误!");
        } else {
            session.removeAttribute(ConstantVal.CHECK_CODE);
        }
    }
    
    public SimpleUrlAuthenticationFailureHandler getFailureHandler() {
        SimpleUrlAuthenticationFailureHandler failureHandler = (SimpleUrlAuthenticationFailureHandler)super.getFailureHandler();
        
     //本句也必须设置为true,否则验证失败后,不会转至MySecurityConfig类中配置的failureUrl方法中
     failureHandler.setUseForward(true);      return failureHandler;

     }

}

(7)Controller层的类 AuthValidController

package com.lxht.emos.controller;
import com.lxht.emos.bean.ReturnBean;
import com.lxht.emos.bean.UserBean;
import com.lxht.emos.bean.UserRolesBean;
import com.lxht.emos.bean.UserSessionBean;
import com.lxht.emos.event.UserModifiedPublisher;
import com.lxht.emos.exception.AuthException;
import com.lxht.emos.service.MenuService;
import com.lxht.emos.service.UserService;
import com.lxht.emos.utils.ConstantVal;
import com.sun.org.apache.bcel.internal.generic.RETURN;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.WebAttributes;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletRequest;
import java.util.ArrayList;
import java.util.List;
 @RestController
public class AuthValidController {
    @Autowired
    private UserService userService;

    @RequestMapping("/")
    public UserBean authCenterHome() {
        User userSessionBean = (User)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        UserBean userBean = new UserBean();
        userBean.setLoginName(userSessionBean.getUsername());
        UserBean userInfo = userService.getUserInfo(userBean);
        return userInfo;
    }

    @RequestMapping("/userLogin")
    public UserBean userLogin(HttpServletRequest request) throws Exception{

        UserBean userInfo = new UserBean();
        String username = "";

        String lb = request.getParameter("error");

        if("T".equals(lb)) {
            Exception exception = (Exception)request.getAttribute("SPRING_SECURITY_LAST_EXCEPTION");
            if(exception != null) {
                throw new AuthException(exception.getMessage());
            } else {
                String errMsg = "用户名或密码错误!";
                throw new AuthException(errMsg);
            }
        } else {
            User userSessionBean = (User)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
            UserBean userBean = new UserBean();
            userBean.setLoginName(userSessionBean.getUsername());
        }

        userInfo.setLoginName(username);
        return userInfo;
    }

    @RequestMapping("/userAuth")
    public UserBean userAuth() {
        User userSessionBean = (User)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        UserBean userBean = new UserBean();
        userBean.setLoginName(userSessionBean.getUsername());
        UserBean userInfo = userService.getUserInfo(userBean);
        return userInfo;
    }

    @RequestMapping("/applyCheckCode") 
    public ReturnBean applyCheckCode(HttpServletRequest request) {
        ReturnBean returnBean = new ReturnBean();
        request.getSession().setAttribute("CHECK_CODE","1111"); //这里只是做demo演示,没有使用插件来生成正成的图片验证码,只是简单的固定将验证码1111写入了session中
        returnBean.setRetCode("1");
        return returnBean;
    }
}
(8)通过以上的代码和配置,即可以完成spring security的自定义权限控制和增加验证码功能;
(9)测试分两步:
     第一步: http://localhost:8000/applyCheckCode 获取验证码;     
    第二步:访问/userLogin进行用户登录操作
springboot2.0--结合spring security5.0进行权限控制,从数据库中取权限信息及增加验证码_第1张图片
  

(10)注意,我这里使用到了cache 和session均存至redis的配置,具体的配置说明方法,请参考另一篇文章:
      springboot2.0-启动cache和session同时存入redis(使用不同的数据库)
      https://blog.csdn.net/fycghy0803/article/details/80482447

(11) 系统demo源码地址:
      https://github.com/fycghy0803/authCenter/tree/master

你可能感兴趣的:(JAVA)