springsecurity配合jdbc使用

  • Post author:
  • Post category:其他




springsecurity



这是一个安全框架,通过授予用户特定的访问权限,访问特定的资源,这里结合jdbc从中获取权限验证


使用技术:thymeleaf+sercurity+springBoot+Mybatis-plus+mysql+Durid数据链接池


注意:在刚刚导入依赖时候,直接启动项目,访问login页面,是security自带的,可以试试,账户是user,密码在控制台随机生成的密码!



1.导入依赖

 <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
        </dependency>
        <dependency>
            <groupId>com.baomidou</groupId>
            <artifactId>mybatis-plus-boot-starter</artifactId>
            <version>3.4.2</version>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid-spring-boot-starter</artifactId>
            <version>1.2.6</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
            <version>3.0.4.RELEASE</version>
        </dependency>
    </dependencies>
  • springsecurity5:这个包是为了前段页面规定哪些显示,或者哪些隐藏用的



2.创建数据库

create table form
(
    id       INT(10) auto_increment comment '登录id'
        primary key,
    username VARCHAR(10) not null comment '账户名',
    password VARCHAR(15) not null comment '登录密码
',
    role     VARCHAR(20) null comment '权限角色名'
)
    comment '登录表单';

create unique index from_id_uindex
    on form (id);
1,admin,admin,"vip1,vip2,vip3"
2,root,root,"vip1,vip2"
3,user,123,vip1



3.编写配置文件application.yml

spring:
  datasource:
    type: com.alibaba.druid.pool.DruidDataSource
    druid:
      driver-class-name: com.mysql.cj.jdbc.Driver
      url: jdbc:mysql://localhost:3306/mrxu?serverTimezone=UTC&useUnicode=true&characterEncoding=utf-8
      username: root
      password: root
mybatis-plus:
  type-aliases-package: com.xu.pojo
  configuration:
    log-impl: org.apache.ibatis.logging.stdout.StdOutImpl


这里配置了mybatis-plus自带的日志



4.编写3个html

  • login.html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>登录页</title>
</head>
<body>
<form action="/index" method="post">
    <table>
        <tr>
            <td>用户名:</td>
            <td><input type="text" name="username"></td>
        </tr>
        <tr>
            <td>&nbsp;码:</td>
            <td><input type="password" name="password"></td>
        </tr>
        <tr>
            <td><input type="submit" value="登录"></td>
        </tr>
    </table>
</form>
</body>
</html>
  • index.html
<!DOCTYPE html>
<html lang="en" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity5">
<head>
    <meta charset="UTF-8">
    <title>首页</title>
</head>
<body>
登陆成功!<a href="/a" sec:authorize="hasAnyAuthority('vip2')">vip2请点我</a><br>
<a href="/logout">点我注销</a>
</body>
</html>

**这里就是导入之前那个springsecurity5的作用,同时还要加入命名空间 **


xmlns:sec=”http://www.thymeleaf.org/thymeleaf-extras-springsecurity5″


这句sec:authorize=”hasAnyAuthority(‘vip2’)”意思是,权限中有任意包含一个vip2就显示,否则隐藏

  • a.html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>vip2</title>
</head>
<body>
vip2欢迎
</body>
</html>



5.编写实体类Form

package com.xu.pojo;

import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;

import java.io.Serializable;
@Data
@AllArgsConstructor
@NoArgsConstructor
public class Form implements Serializable {
    private int id;
    private String username;
    private String password;
    private String role;
}



6.编写FormMapper

package com.xu.mapper;

import com.baomidou.mybatisplus.core.mapper.BaseMapper;
import com.xu.pojo.Form;
import org.apache.ibatis.annotations.Mapper;

@Mapper
public interface FormMapper extends BaseMapper<Form> {
}



7.编写LoginController

package com.xu.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LoginController {
    @RequestMapping("/login")
    public String toLogin(){
        System.out.println("进入登录页跳转");
        return "login";
    }

    @PostMapping("/index")
    public String toIndex(){
        System.out.println("进入首页跳转");
        return "index";
    }

    @GetMapping("/a")
    public String toVip2(){
        return "a";
    }
}



8.编写SecurityConfig

package com.xu.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //登录页配置
        http.formLogin().
                //这是指定我们的登录页面
                loginPage("/login").
                //这是指定登录成功后的跳转链接,一般是form表单的action链接
                loginProcessingUrl("/index").
                //这是跳转成功后,URl地址显示
                successForwardUrl("/index").
                //这是跳转失败后,url地址栏显示
                failureForwardUrl("/login");

        //这是url链接访问的设置
        http.authorizeRequests()
                //login这个链接所有人可以访问,不需要权限,相当于放行
                .antMatchers("/login").permitAll()
                //这里给定访问a链接需要的权限是vip,才能跳转访问
                .antMatchers("/a").hasAnyAuthority("vip2")
                //这里拦截所有的请求,进入逻辑验证,相当于一个过滤器,拦截了恶意访问首页
                .anyRequest().authenticated();
        //这是注销操作,注销登录
        http.logout().logoutSuccessUrl("/login");
        //关闭csrf功能:跨站请求伪造,默认只能通过post方式提交logout请求
        http.csrf().disable();
    }
    
    //加密容器
    @Bean
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }

}

PasswordEncoder这个注入容器托管,是为了后面的逻辑验证进行密码加密使用



9.编写我们的逻辑验证FormService

package com.xu.service;

import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.xu.mapper.FormMapper;
import com.xu.pojo.Form;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class FormService implements UserDetailsService {
    @Autowired
    FormMapper formMapper;

    @Autowired
    PasswordEncoder passwordEncoder;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        System.out.println("进入逻辑判断");
        if (username==null) {
            throw new UsernameNotFoundException("用户名为空!");
        }
        QueryWrapper<Form> wrapper = new QueryWrapper<>();
        wrapper.eq("username",username);
        Form form = formMapper.selectOne(wrapper);

        String password = passwordEncoder.encode(form.getPassword());
        System.out.println(form.getRole());
        return new User(username,password, AuthorityUtils.commaSeparatedStringToAuthorityList(form.getRole()));
    }
}



请注意这个放回的user类,是哪个包下的,这不是自己写的类!


然后启动我们的项目访问测试即可!


总结:



使用security时,如果没有重新配置他的逻辑判断,每次重启都是在控制台随机生成密码的,使用此框架后方便了账户和密码的判断,不用在controlelr中判断账户密码了,这里只是简单的应用,详细还是请君奋力!


项目结构

项目结构



版权声明:本文为m0_49454784原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。