在這裏附上項目的地址,喜歡的能夠給個star:https://git.oschina.net/huyup/shiyanshebeiguanlixinxixitongjava
一、Spring Security 所需的依賴
<!-- spring-security -->
<!-- Core model (UserDetails, GrantedAuthority), the security XML namespace used by
     spring-security.xml, and the <sec:...> JSP tags used in left.jsp.
     spring-security-web (filter chain, form login processing) is not listed here;
     it is presumably pulled in transitively through taglibs - confirm with the dependency tree. -->
<!-- NOTE(review): ${spring.version} is shared with Spring Framework, but Spring Security has
     its own release line; pin a Security version known to match the Framework version in use. -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>${spring.version}</version>
</dependency>
二、spring-security.xml 的配置
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Resources that bypass the security filter chain entirely: no SecurityContext, no
         session handling on these paths. Keep the list to static assets and the login page. -->
    <http pattern="/static/**" security="none" />
    <http pattern="/login.jsp" security="none" />

    <!-- auto-config="true" (3.x) also registers HTTP Basic and logout handling;
         use-expressions="false" means 'access' takes plain role names. -->
    <http auto-config="true" use-expressions="false">
        <!-- Single rule: every other URL requires ROLE_USER. SysUser.getAuthorities() grants
             ROLE_USER to every user, so any authenticated account can reach every action,
             including the Role_/User_/Department_ admin pages that left.jsp only hides.
             NOTE(review): add narrower <intercept-url> rules (or method security) for the
             admin-only actions before relying on the menu as access control. -->
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <!-- Parameter names match the inputs in login.jsp; the form posts to the default
             j_spring_security_check URL. Success/failure redirects live in the two handlers. -->
        <form-login login-page="/login.jsp"
            username-parameter="user.userName"
            password-parameter="user.userPassword"
            authentication-success-handler-ref="loginSuccessHandler"
            authentication-failure-handler-ref="loginFailHandler" />
    </http>

    <!-- Authentication: a DAO provider backed by the UserDetailsService below.
         No <password-encoder> is declared, so the value in sys_user.user_password is
         compared as stored. NOTE(review): store a bcrypt hash and declare a matching
         <password-encoder> under the provider; plaintext credentials in the table are
         exposed by every log line, session dump or DB backup. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userInfoProvider" >
        </authentication-provider>
    </authentication-manager>

    <!-- UserDetailsService. This creates a second UserInfoServiceImpl instance next to the
         @Service("userInfoService") bean; pointing user-service-ref at "userInfoService"
         would avoid the duplicate (confirm component scanning covers com.gxuwz.service). -->
    <beans:bean id="userInfoProvider" class="com.gxuwz.service.impl.UserInfoServiceImpl" />
    <!-- Login success: puts the SysUser in the session and redirects to User_doLogin.action -->
    <beans:bean id="loginSuccessHandler" class="com.gxuwz.handler.MyLoginSuccessHandler" />
    <!-- Login failure: generic message in the session, back to login.jsp -->
    <beans:bean id="loginFailHandler" class="com.gxuwz.handler.MyLoginFailHandler"/>
</beans:beans>
三、用戶實體代碼(與角色是多對多的關係,在這就不貼角色實體的代碼了)
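package com.gxuwz.entity;

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.Table;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

/**
 * User entity ({@code sys_user}) that doubles as the Spring Security principal.
 * Roles are many-to-many via {@code sys_user_role}; every user additionally
 * receives {@code ROLE_USER}.
 * <p>
 * Because this object is the {@link UserDetails} placed in the security context
 * (and, by {@code MyLoginSuccessHandler}, in the HTTP session), it carries the
 * stored password with it wherever it is serialised, logged or rendered.
 *
 * @author 小胡
 * @date 2017年5月28日
 */
@Entity
@Table(name = "sys_user")
public class SysUser extends BaseEntity implements UserDetails {

    private static final long serialVersionUID = 103889943178214590L;

    /** Login name; unique and required at the database level. */
    @Column(name = "user_name", unique = true, nullable = false)
    private String userName;

    /** Stored password, returned as-is by {@link #getPassword()}. */
    @Column(name = "user_password")
    private String userPassword;

    /** Roles held by this user; loaded eagerly so authorities can be built offline. */
    @ManyToMany(fetch = FetchType.EAGER)
    @JoinTable(name = "sys_user_role",
            joinColumns = @JoinColumn(name = "user_id"),
            inverseJoinColumns = @JoinColumn(name = "role_id"))
    private Set<SysRole> user_role;

    /** Contact telephone. */
    @Column(name = "telephone")
    private String telephone;

    /** Creation date, persisted as a string. */
    @Column(name = "user_create_date")
    private String createDate;

    /** Laboratories the user belongs to; loaded eagerly. */
    @ManyToMany(fetch = FetchType.EAGER)
    @JoinTable(name = "sys_user_lab",
            joinColumns = @JoinColumn(name = "user_id"),
            inverseJoinColumns = @JoinColumn(name = "lab_id"))
    private Set<SysLaboratory> user_lab;

    public SysUser() {
    }

    // Property getters/setters are omitted in the original listing.

    /**
     * Builds the granted authorities: {@code ROLE_USER} unconditionally, plus
     * one authority per role name attached to the user.
     *
     * @return a fresh set of authorities; never {@code null}
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        Set<GrantedAuthority> auths = new HashSet<>();
        // Every user is at least ROLE_USER (the only role the /** intercept-url checks).
        auths.add(new SimpleGrantedAuthority("ROLE_USER"));
        // A user with no role rows (or a detached instance) must still authenticate;
        // the original iterated the set without a null guard.
        if (this.user_role != null) {
            for (SysRole role : this.user_role) {
                String roleName = role.getRoleName();
                // SimpleGrantedAuthority rejects null/empty names; skip bad rows instead of failing login.
                if (roleName != null && !roleName.isEmpty()) {
                    auths.add(new SimpleGrantedAuthority(roleName));
                }
            }
        }
        return auths;
    }

    /** @return the stored password exactly as persisted (no encoder is configured). */
    @Override
    public String getPassword() {
        return this.userPassword;
    }

    /** @return the login name used by the form's {@code user.userName} field */
    @Override
    public String getUsername() {
        return this.userName;
    }

    // No column backs the four account-state flags below, so every row is always able to
    // log in. NOTE(review): an enabled/locked column would allow suspending an account
    // without deleting it or stripping its roles.

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}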
四、用戶信息的 DAO
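package com.gxuwz.dao;

import com.gxuwz.entity.SysUser;

/** Read access to user records for authentication. */
public interface IUserInfoDao {

    /**
     * Looks up a user by exact login name.
     *
     * @param username login name (column {@code user_name})
     * @return the matching user, or {@code null} when no row exists
     */
    public SysUser getUserByName(String username);
}

package com.gxuwz.dao.impl;

import javax.annotation.Resource;

import org.hibernate.Query;
import org.hibernate.SessionFactory;
// Wildcard kept from the listing: HibernateDaoSupport's package depends on the
// Hibernate version in use (orm.hibernate3 / hibernate4 / hibernate5).
import org.springframework.*;
import org.springframework.stereotype.Repository;

import com.gxuwz.dao.IUserInfoDao;
import com.gxuwz.entity.SysUser;

/** Hibernate implementation of {@link IUserInfoDao}. */
@Repository("userInfoDao")
public class UserInfoDaoImpl extends HibernateDaoSupport implements IUserInfoDao {

    /**
     * Wires the session factory by bean name into the inherited
     * {@link HibernateDaoSupport} setter.
     *
     * @param sessionFactory the {@code sessionFactory} bean
     */
    @Resource(name = "sessionFactory")
    public void setSuperSessionFactory(SessionFactory sessionFactory) {
        super.setSessionFactory(sessionFactory);
    }

    /**
     * {@inheritDoc}
     * <p>
     * The login name is bound as a named parameter, never concatenated into the
     * query. HQL addresses the entity property ({@code userName}), not the column
     * ({@code user_name}) the original query used.
     */
    @Override
    public SysUser getUserByName(String username) {
        Query query = this.getSession()
                .createQuery("from SysUser where userName = :userName");
        query.setParameter("userName", username);
        // user_name is unique, so uniqueResult() cannot see more than one row;
        // it already yields null for no match, so no extra null branch is needed.
        return (SysUser) query.uniqueResult();
    }
}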
五、用戶信息的 SERVICE
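package com.gxuwz.service;

import org.springframework.security.core.userdetails.UserDetailsService;

/**
 * Marker service interface; Spring Security calls
 * {@link UserDetailsService#loadUserByUsername} during form login.
 */
public interface IUserInfoService extends UserDetailsService {
}

package com.gxuwz.service.impl;

import javax.annotation.Resource;

import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import com.gxuwz.dao.IUserInfoDao;
import com.gxuwz.entity.SysUser;
import com.gxuwz.service.IUserInfoService;

/**
 * Resolves the principal for form login by looking the login name up in
 * {@link IUserInfoDao}. Password comparison is done by the authentication
 * provider, not here.
 */
@Service("userInfoService")
public class UserInfoServiceImpl implements IUserInfoService {

    @Resource(name = "userInfoDao")
    private IUserInfoDao userInfoDao;

    /**
     * Loads the user for the submitted login name.
     *
     * @param username submitted login name; surrounding whitespace is ignored
     * @return the {@link SysUser} acting as {@link UserDetails}
     * @throws UsernameNotFoundException when the name is blank or unknown
     *         (Spring's provider maps this to a generic bad-credentials failure by default)
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        System.out.println("service login...");
        // Normalise once: the original called username.trim() in the throw even when
        // username was null, which raised NullPointerException instead of the declared exception.
        String name = username == null ? "" : username.trim();
        if (!name.isEmpty()) {
            SysUser user = userInfoDao.getUserByName(name);
            if (user != null) {
                // Trace the login name only; the stored password must never reach stdout or logs.
                System.out.println("用戶名:" + user.getUsername());
                return user;
            }
        }
        throw new UsernameNotFoundException(
                "Can't not find user while username is '" + name + "'");
    }
}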
六、struts2 的登錄的方法
/**
 * Struts action reached only after Spring Security has accepted the credentials
 * ({@code MyLoginSuccessHandler} redirects to {@code User_doLogin.action}); it
 * merely selects the main page. No authentication happens here, and the URL is
 * covered by the {@code /**} intercept-url like every other action.
 *
 * @return {@code SUCCESS}
 */
@LogMsg(msg="用戶登錄") // Spring AOP audit logging; see the previous article for details
public String doLogin(){
    setPrompt("/WEB-INF/pages/main.jsp");
    return SUCCESS;
}
七、登錄頁面的連接使用 Spring Security 自帶的
<ul>
    <!-- "msg" is the session attribute set by MyLoginFailHandler; it is never cleared
         by the handlers shown, so it stays visible until the session ends. -->
    <div style="padding:5px;text-align:center;color: red;">${msg}</div>
    <!-- Posts to the default <form-login> processing URL; the input names match the
         username-parameter / password-parameter attributes in spring-security.xml.
         NOTE(review): no CSRF token field is rendered here - whether one is required
         depends on the Spring Security version in use; confirm before upgrading. -->
    <form name="loginForm" method="post" action="<%=basePath%>j_spring_security_check">
        <!-- Pre-filled username is a demo convenience; drop the default outside development. -->
        <li><input name="user.userName" type="text" class="loginuser" value="admin" onclick="JavaScript:this.value=''"/></li>
        <!-- The literal "密碼" is submitted as the password if the field is never clicked;
             a placeholder attribute would avoid sending a real value. -->
        <li><input name="user.userPassword" type="password" class="loginpwd" value="密碼" onclick="JavaScript:this.value=''"/></li>
        <!-- The "remember password" box has no name and no <remember-me> element backs it
             in spring-security.xml, so it is decorative only. -->
        <li><input name="" type="submit" class="loginbtn" value="登陸" />
            <label><input name="" type="checkbox" value="" checked="checked" />記住密碼</label><label>
            <a href="#">忘記密碼?</a></label></li>
    </form>
</ul>
八、自定義的登錄成功和失敗的處理
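package com.gxuwz.handler;

import java.io.IOException;

import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

import com.gxuwz.entity.SysUser;
import com.gxuwz.service.IUserInfoService;

/**
 * Login success handler: stores the authenticated {@link SysUser} in the HTTP
 * session under {@code "user"} and redirects to {@code User_doLogin.action}.
 *
 * @author h
 */
public class MyLoginSuccessHandler implements AuthenticationSuccessHandler {

    /** Injected but not used by this handler; kept so existing wiring still resolves. */
    @Resource(name = "userInfoService")
    private IUserInfoService userInfoService;

    /**
     * Records the principal in the session and redirects to the Struts login action.
     * Any principal that is not a {@link SysUser} falls through without a redirect;
     * the configured UserDetailsService only ever returns {@link SysUser}.
     *
     * @param req            current request
     * @param resp           current response (committed by the redirect)
     * @param authentication the freshly authenticated token
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse resp,
            Authentication authentication) throws IOException, ServletException {
        // The filter passes the new token in directly; it is the same object it has just
        // placed in SecurityContextHolder, so no lookup through the holder is needed.
        Object principal = authentication == null ? null : authentication.getPrincipal();
        if (principal instanceof SysUser) {
            SysUser user = (SysUser) principal;
            // Obtain the session before the response is committed: the original called
            // sendRedirect() first, and a session created after commit cannot set its cookie.
            HttpSession session = req.getSession();
            if (session != null) {
                // NOTE(review): the full entity, password field included, lives in the
                // session from here on; a slim view object would expose less.
                session.setAttribute("user", user);
            }
            // The original printed user.getPassword() here; credentials are never echoed.
            resp.sendRedirect("User_doLogin.action");
        }
    }
}

package com.gxuwz.handler;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

import com.gxuwz.common.Const;

/**
 * Login failure handler: stores a generic message in the session under
 * {@code "msg"} (rendered by login.jsp) and sends the browser back to the
 * login page. The concrete failure reason is deliberately not exposed.
 *
 * @author h
 */
public class MyLoginFailHandler implements AuthenticationFailureHandler {

    /**
     * Sets the error message and redirects to {@code login.jsp}.
     *
     * @param req                     current request
     * @param resp                    current response (committed by the redirect)
     * @param authenticationexception the failure; intentionally not surfaced to the user
     */
    @Override
    public void onAuthenticationFailure(HttpServletRequest req, HttpServletResponse resp,
            AuthenticationException authenticationexception) throws IOException, ServletException {
        // Session first, redirect last, so the session cookie is always written.
        HttpSession session = req.getSession();
        if (session != null) {
            // Session-scoped: the message persists until overwritten or the session ends.
            session.setAttribute("msg", Const.LOGIN_ERROE_MSG);
        }
        resp.sendRedirect("login.jsp");
    }
}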
九、具體的權限標籤在 WEB-INF/pages/left.jsp
<!-- Authorization tags -->
<!-- ifAllGranted: the body is rendered only when the current user holds both ROLE_ADMIN and ROLE_USER -->
<!-- ifAnyGranted: the body is rendered when the current user holds ROLE_ADMIN or ROLE_USER -->
<!-- ifNotGranted: the body is rendered only when the current user does not hold ROLE_ADMIN -->
<!-- These tags hide links; they do not restrict access. The only server-side rule in
     spring-security.xml is /** -> ROLE_USER, and every SysUser is granted ROLE_USER, so the
     actions linked below stay reachable by direct URL for any logged-in user.
     NOTE(review): add matching <intercept-url> rules (or method security) for the admin-only actions.
     The if*Granted attributes are the legacy form; newer taglib versions use access="hasAnyRole(...)". -->
<dd>
    <div class="title"> <span><img src="static/images/leftico01.png" /></span>基本信息</div>
    <ul class="menuson">
        <li class="active"><cite></cite><a href="PageFrame_index.action" target="rightFrame">首頁</a><i></i></li>
        <sec:authorize ifAnyGranted="ROLE_ADMIN">
            <li><cite></cite><a href="Department_listPrompt.action" target="rightFrame">部門列表</a><i></i></li>
            <li><cite></cite><a href="Laboratory_listPrompt.action" target="rightFrame">實驗室列表</a><i></i></li>
        </sec:authorize>
        <sec:authorize ifAnyGranted="ROLE_ADMIN,ROLE_TCH,ROLE_TECH">
            <li><cite></cite><a href="Equipment_listPrompt.action" target="rightFrame">設備列表</a><i></i></li>
        </sec:authorize>
        <sec:authorize ifAnyGranted="ROLE_ADMIN">
            <li><cite></cite><a href="Role_listPrompt.action" target="rightFrame">角色列表</a><i></i></li>
            <li><cite></cite><a href="User_listPrompt.action" target="rightFrame">用戶列表</a><i></i></li>
        </sec:authorize>
    </ul>
</dd>