數據後臺管理（四）權限控制

當咱們在管理後臺數據的時候須要對管理者的身份進行認證和受權，在該項目中用到的安全認證服務框架是Spring Security。

1.Spring Security的簡單入門

經過一個spring security的入門案例來了解使用該框架的基本步驟。

1.1使用IDEA新建一個webapp的maven工程，在pom.xml文件中引入spring security框架的相關座標。

 1 <?xml version="1.0" encoding="UTF-8"?>
 2 
 3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5   <modelVersion>4.0.0</modelVersion>
 6 
 7   <groupId>club.nipengfei</groupId>
 8   <artifactId>spring_security_rumeng</artifactId>
 9   <version>1.0-SNAPSHOT</version>
10   <packaging>war</packaging>
11 
12   <name>spring_security_rumeng Maven Webapp</name>
13   <!-- FIXME change it to the project's website -->
14   <url>http://www.example.com</url>
15 
16   <properties>
17     <spring.version>5.0.2.RELEASE</spring.version>
18     <spring.security.version>5.0.1.RELEASE</spring.security.version>
19   </properties>
20 
21   <dependencies>
22     <dependency>
23       <groupId>org.springframework</groupId>
24       <artifactId>spring-core</artifactId>
25       <version>${spring.version}</version>
26     </dependency>
27     <dependency>
28       <groupId>org.springframework</groupId>
29       <artifactId>spring-web</artifactId>
30       <version>${spring.version}</version>
31     </dependency>
32     <dependency>
33       <groupId>org.springframework</groupId>
34       <artifactId>spring-webmvc</artifactId>
35       <version>${spring.version}</version>
36     </dependency>
37     <dependency>
38       <groupId>org.springframework</groupId>
39       <artifactId>spring-context-support</artifactId>
40       <version>${spring.version}</version>
41     </dependency>
42     <dependency>
43       <groupId>org.springframework</groupId>
44       <artifactId>spring-test</artifactId>
45       <version>${spring.version}</version>
46     </dependency>
47     <dependency>
48       <groupId>org.springframework</groupId>
49       <artifactId>spring-jdbc</artifactId>
50       <version>${spring.version}</version>
51     </dependency>
52 
53     <dependency>
54       <groupId>org.springframework.security</groupId>
55       <artifactId>spring-security-web</artifactId>
56       <version>${spring.security.version}</version>
57     </dependency>
58     <dependency>
59       <groupId>org.springframework.security</groupId>
60       <artifactId>spring-security-config</artifactId>
61       <version>${spring.security.version}</version>
62     </dependency>
63     <dependency>
64       <groupId>javax.servlet</groupId>
65       <artifactId>javax.servlet-api</artifactId>
66       <version>3.1.0</version>
67       <scope>provided</scope>
68     </dependency>
69   </dependencies>
70   <build>
71     <plugins>
72       <!-- java編譯插件 -->
73       <plugin>
74         <groupId>org.apache.maven.plugins</groupId>
75         <artifactId>maven-compiler-plugin</artifactId>
76         <version>3.2</version>
77         <configuration>
78           <source>1.8</source>
79           <target>1.8</target>
80           <encoding>UTF-8</encoding>
81         </configuration>
82       </plugin>
83       <plugin>
84         <groupId>org.apache.tomcat.maven</groupId>
85         <artifactId>tomcat7-maven-plugin</artifactId>
86         <configuration>
87           <!-- 指定端口 -->
88           <port>8090</port>
89           <!-- 請求路徑 -->
90           <path>/</path>
91         </configuration>
92       </plugin>
93     </plugins>
94   </build>
95 </project>

1.2在web.xml中配置一個spring security的過濾器和引入spring security的核心配置文件。

 1 <?xml version="1.0" encoding="UTF-8"?>
 2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 3          xmlns="http://java.sun.com/xml/ns/javaee"
 4          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
 5          version="2.5">
 6   <display-name>SpringSecurity314</display-name>
 7 
 8   <context-param>
 9     <param-name>contextConfigLocation</param-name>
10     <param-value>classpath:spring-security.xml</param-value>
11   </context-param>
12   <listener>
13     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
14   </listener>
15   <filter>
16     <filter-name>springSecurityFilterChain</filter-name>
17     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
18   </filter>
19   <filter-mapping>
20     <filter-name>springSecurityFilterChain</filter-name>
21     <url-pattern>/*</url-pattern>
22   </filter-mapping>
23   <welcome-file-list>
24     <welcome-file>index.html</welcome-file>
25     <welcome-file>index.htm</welcome-file>
26     <welcome-file>index.jsp</welcome-file>
27     <welcome-file>default.html</welcome-file>
28     <welcome-file>default.htm</welcome-file>
29     <welcome-file>default.jsp</welcome-file>
30   </welcome-file-list>
31 </web-app>

1.3在resource資源路徑下新建一個該框架的核心配置文件spring-security.xml

 1 <?xml version="1.0" encoding="UTF-8"?>
 2 <beans xmlns="http://www.springframework.org/schema/beans"
 3        xmlns:security="http://www.springframework.org/schema/security"
 4        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 5        xsi:schemaLocation="http://www.springframework.org/schema/beans
 6 http://www.springframework.org/schema/beans/spring-beans.xsd
 7 http://www.springframework.org/schema/security
 8 http://www.springframework.org/schema/security/spring-security.xsd">
 9     <security:http auto-config="true" use-expressions="false">
10         <!-- intercept-url定義一個過濾規則 pattern表示對哪些url進行權限控制，ccess屬性表示在請求對應
11         的URL時須要什麼權限，
12         默認配置時它應該是一個以逗號分隔的角色列表，請求的用戶只需擁有其中的一個角色就能成功訪問對應
13         的URL -->
14         <security:intercept-url pattern="/**" access="ROLE_USER" />
15         <!-- auto-config配置後，不須要在配置下面信息 <security:form-login /> 定義登陸表單信息
16         <security:http-basic
17         /> <security:logout /> -->
18     </security:http>
19     <security:authentication-manager>
20         <security:authentication-provider>
21             <security:user-service>
22                 <security:user name="user" password="{noop}user"
23                                authorities="ROLE_USER" />
24                 <security:user name="admin" password="{noop}admin"
25                                authorities="ROLE_ADMIN" />
26             </security:user-service>
27         </security:authentication-provider>
28     </security:authentication-manager>
29 </beans>

1.4入門案例總結

啓動該入門案例發現直接跳轉到了登陸頁面，可是咱們並無寫有關登陸的頁面，這個頁面是該框架自己本身的。

由於在覈心配置文件中有<security:http auto-config="true" use-expressions="false">開啓spring security的默認的配置，固然也能夠自定義登陸頁面。

 

當咱們隨意輸入一個用戶名"npf"和密碼"1233"（配置文件中沒有該用戶名密碼）時會出現以下提示

 

當咱們輸入用戶名"admin"密碼"admin"（配置文件中有該用戶名密碼但該角色不符合要求）時會出現以下提示,該提示表示權限不足。

當咱們輸入用戶名"user"密碼"user"時可以正常訪問到index.jsp頁面

 

上述簡單入門案例存在明顯不足之處，須要改進。

1. 登陸頁面太簡陋須要自定義
2. 登陸的帳號通常在數據庫中而不是在配置文件中

2.spring security在數據後臺管理中的使用

爲了確保數據的安全，在管理數據過程當中須要對管理者的身份進行驗證，而且讓不一樣的管理者有不一樣的操做權限。

2.1與入門案例類似，在pom.xml文件中引入相應座標，並在web.xml中配置一個spring security的過濾器和引入spring security的核心配置文件。

  1 <?xml version="1.0" encoding="UTF-8"?>
  2 
  3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  5   <modelVersion>4.0.0</modelVersion>
  6 
  7   <groupId>club.nipengfei</groupId>
  8   <artifactId>ssm5</artifactId>
  9   <version>1.0-SNAPSHOT</version>
 10   <packaging>war</packaging>
 11 
 12   <name>ssm5 Maven Webapp</name>
 13   <!-- FIXME change it to the project's website -->
 14   <url>http://www.example.com</url>
 15 
 16   <properties>
 17     <spring.version>5.0.2.RELEASE</spring.version>
 18     <slf4j.version>1.6.6</slf4j.version>
 19     <log4j.version>1.2.12</log4j.version>
 20     <mysql.version>5.1.6</mysql.version>
 21     <mybatis.version>3.4.5</mybatis.version>
 22     <spring.security.version>5.0.1.RELEASE</spring.security.version>
 23   </properties>
 24   <dependencies>
 25     <!-- spring -->
 26     <dependency>
 27       <groupId>org.aspectj</groupId>
 28       <artifactId>aspectjweaver</artifactId>
 29       <version>1.6.8</version>
 30     </dependency>
 31     <dependency>
 32       <groupId>org.springframework</groupId>
 33       <artifactId>spring-aop</artifactId>
 34       <version>${spring.version}</version>
 35     </dependency>
 36     <dependency>
 37       <groupId>org.springframework</groupId>
 38       <artifactId>spring-context</artifactId>
 39       <version>${spring.version}</version>
 40     </dependency>
 41     <dependency>
 42       <groupId>org.springframework</groupId>
 43       <artifactId>spring-web</artifactId>
 44       <version>${spring.version}</version>
 45     </dependency>
 46     <dependency>
 47       <groupId>org.springframework</groupId>
 48       <artifactId>spring-webmvc</artifactId>
 49       <version>${spring.version}</version>
 50     </dependency>
 51     <dependency>
 52       <groupId>org.springframework</groupId>
 53       <artifactId>spring-test</artifactId>
 54       <version>${spring.version}</version>
 55     </dependency>
 56     <dependency>
 57       <groupId>org.springframework</groupId>
 58       <artifactId>spring-tx</artifactId>
 59       <version>${spring.version}</version>
 60     </dependency>
 61     <dependency>
 62       <groupId>org.springframework</groupId>
 63       <artifactId>spring-jdbc</artifactId>
 64       <version>${spring.version}</version>
 65     </dependency>
 66     <dependency>
 67       <groupId>junit</groupId>
 68       <artifactId>junit</artifactId>
 69       <version>4.12</version>
 70       <scope>compile</scope>
 71     </dependency>
 72     <dependency>
 73       <groupId>mysql</groupId>
 74       <artifactId>mysql-connector-java</artifactId>
 75       <version>${mysql.version}</version>
 76     </dependency>
 77     <dependency>
 78       <groupId>javax.servlet</groupId>
 79       <artifactId>servlet-api</artifactId>
 80       <version>2.5</version>
 81       <scope>provided</scope>
 82     </dependency>
 83     <dependency>
 84       <groupId>javax.servlet.jsp</groupId>
 85       <artifactId>jsp-api</artifactId>
 86       <version>2.0</version>
 87       <scope>provided</scope>
 88     </dependency>
 89     <dependency>
 90       <groupId>jstl</groupId>
 91       <artifactId>jstl</artifactId>
 92       <version>1.2</version>
 93     </dependency>
 94     <!-- log start -->
 95     <dependency>
 96       <groupId>log4j</groupId>
 97       <artifactId>log4j</artifactId>
 98       <version>${log4j.version}</version>
 99     </dependency>
100     <dependency>
101       <groupId>org.slf4j</groupId>
102       <artifactId>slf4j-api</artifactId>
103       <version>${slf4j.version}</version>
104     </dependency>
105     <dependency>
106       <groupId>org.slf4j</groupId>
107       <artifactId>slf4j-log4j12</artifactId>
108       <version>${slf4j.version}</version>
109     </dependency>
110     <!-- log end -->
111     <dependency>
112       <groupId>org.mybatis</groupId>
113       <artifactId>mybatis</artifactId>
114       <version>${mybatis.version}</version>
115     </dependency>
116     <dependency>
117       <groupId>org.mybatis</groupId>
118       <artifactId>mybatis-spring</artifactId>
119       <version>1.3.0</version>
120     </dependency>
121     <dependency>
122       <groupId>c3p0</groupId>
123       <artifactId>c3p0</artifactId>
124       <version>0.9.1.2</version>
125       <type>jar</type>
126       <scope>compile</scope>
127     </dependency>
128     <dependency>
129       <groupId>com.github.pagehelper</groupId>
130       <artifactId>pagehelper</artifactId>
131       <version>5.1.2</version>
132     </dependency>
133     <dependency>
134       <groupId>org.springframework.security</groupId>
135       <artifactId>spring-security-web</artifactId>
136       <version>${spring.security.version}</version>
137     </dependency>
138     <dependency>
139       <groupId>org.springframework.security</groupId>
140       <artifactId>spring-security-config</artifactId>
141       <version>${spring.security.version}</version>
142     </dependency>
143     <dependency>
144       <groupId>org.springframework.security</groupId>
145       <artifactId>spring-security-core</artifactId>
146       <version>${spring.security.version}</version>
147     </dependency>
148     <dependency>
149       <groupId>org.springframework.security</groupId>
150       <artifactId>spring-security-taglibs</artifactId>
151       <version>${spring.security.version}</version>
152     </dependency>
153 
154     <dependency>
155       <groupId>mysql</groupId>
156       <artifactId>mysql-connector-java</artifactId>
157       <version>${mysql.version}</version>
158     </dependency>
159 
160     <dependency>
161       <groupId>javax.annotation</groupId>
162       <artifactId>jsr250-api</artifactId>
163       <version>1.0</version>
164     </dependency>
165 
166   </dependencies>
167 
168   <build>
169     <finalName>ssm5</finalName>
170     <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
171       <plugins>
172         <plugin>
173           <artifactId>maven-clean-plugin</artifactId>
174           <version>3.1.0</version>
175         </plugin>
176         <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
177         <plugin>
178           <artifactId>maven-resources-plugin</artifactId>
179           <version>3.0.2</version>
180         </plugin>
181         <plugin>
182           <artifactId>maven-compiler-plugin</artifactId>
183           <version>3.8.0</version>
184         </plugin>
185         <plugin>
186           <artifactId>maven-surefire-plugin</artifactId>
187           <version>2.22.1</version>
188         </plugin>
189         <plugin>
190           <artifactId>maven-war-plugin</artifactId>
191           <version>3.2.2</version>
192         </plugin>
193         <plugin>
194           <artifactId>maven-install-plugin</artifactId>
195           <version>2.5.2</version>
196         </plugin>
197         <plugin>
198           <artifactId>maven-deploy-plugin</artifactId>
199           <version>2.8.2</version>
200         </plugin>
201       </plugins>
202     </pluginManagement>
203   </build>
204 </project>

pom.xml

 1 <?xml version="1.0" encoding="UTF-8"?>
 2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 3          xmlns="http://xmlns.jcp.org/xml/ns/javaee"
 4          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
 5          version="3.1">
 6 
 7     <display-name>Archetype Created web Application</display-name>
 8     <!--配置監聽器，默認只加載WEB-INF目錄下的applicationContext.xml配置文件-->
 9     <listener>
10         <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
11     </listener>
12     <!--設置配置文件路徑-->
13     <context-param>
14         <param-name>contextConfigLocation</param-name>
15         <param-value>classpath*:applicationContext.xml,classpath*:spring-security.xml</param-value>
16     </context-param>
17     <!--配置前端控制器-->
18     <servlet>
19         <servlet-name>dispatcherServlet</servlet-name>
20         <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
21         <!--加載springmvc.xml配置文件-->
22         <init-param>
23             <param-name>contextConfigLocation</param-name>
24             <param-value>classpath:springmvc.xml</param-value>
25         </init-param>
26         <!--啓動服務器，建立servlet-->
27         <load-on-startup>1</load-on-startup>
28     </servlet>
29     <servlet-mapping>
30         <servlet-name>dispatcherServlet</servlet-name>
31         <url-pattern>*.do</url-pattern>
32     </servlet-mapping>
33 
34     <!--解決中文亂碼過濾器-->
35     <filter>
36         <filter-name>characterEncodingFilter</filter-name>
37         <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
38         <init-param>
39             <param-name>encoding</param-name>
40             <param-value>UTF-8</param-value>
41         </init-param>
42     </filter>
43     <filter-mapping>
44         <filter-name>characterEncodingFilter</filter-name>
45         <url-pattern>/*</url-pattern>
46     </filter-mapping>
47 
48     <!--spring security的過濾器-->
49     <filter>
50         <filter-name>springSecurityFilterChain</filter-name>
51         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
52     </filter>
53     <filter-mapping>
54         <filter-name>springSecurityFilterChain</filter-name>
55         <url-pattern>/*</url-pattern>
56     </filter-mapping>
57 
58     <welcome-file-list>
59         <welcome-file>index.html</welcome-file>
60         <welcome-file>index.htm</welcome-file>
61         <welcome-file>index.jsp</welcome-file>
62         <welcome-file>default.html</welcome-file>
63         <welcome-file>default.htm</welcome-file>
64         <welcome-file>default.jsp</welcome-file>
65     </welcome-file-list>
66 </web-app>

web.xml

2.2配置spring security的核心配置文件

與入門案例相比，這裏配置了不攔截的資源，自定義了登陸頁面，實現了退出操做，將原先定義在配置頁面中的登陸用戶名和密碼切換成在數據庫中。

 1 <?xml version="1.0" encoding="UTF-8"?>
 2 <beans xmlns="http://www.springframework.org/schema/beans"
 3        xmlns:security="http://www.springframework.org/schema/security"
 4        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 5        xsi:schemaLocation="http://www.springframework.org/schema/beans
 6     http://www.springframework.org/schema/beans/spring-beans.xsd
 7     http://www.springframework.org/schema/security
 8     http://www.springframework.org/schema/security/spring-security.xsd">
 9 
10     <!-- 配置不攔截的資源 -->
11     <security:http pattern="/login.jsp" security="none"/>
12     <security:http pattern="/failer.jsp" security="none"/>
13     <security:http pattern="/css/**" security="none"/>
14     <security:http pattern="/img/**" security="none"/>
15     <security:http pattern="/plugins/**" security="none"/>
16 
17     <!--
18         配置具體的規則
19         auto-config="true"    不用本身編寫登陸的頁面，框架提供默認登陸頁面
20         use-expressions="false"    是否使用SPEL表達式（沒學習過）
21     -->
22     <security:http auto-config="true" use-expressions="true">
23         <!-- 配置具體的攔截的規則 pattern="請求路徑的規則" access="訪問系統的人，必須有ROLE_USER的角色" -->
24         <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
25 
26         <!-- 定義跳轉的具體的頁面 -->
27         <security:form-login
28                 login-page="/login.jsp"
29                 login-processing-url="/login.do"
30                 default-target-url="/index.jsp"
31                 authentication-failure-url="/failer.jsp"
32                 authentication-success-forward-url="/pages/main.jsp"
33         />
34 
35         <!-- 關閉跨域請求 -->
36         <security:csrf disabled="true"/>
37 
38         <!-- 退出 -->
39         <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp" />
40 
41     </security:http>
42 
43     <!-- 切換成數據庫中的用戶名和密碼 -->
44     <security:authentication-manager>
45         <security:authentication-provider user-service-ref="userService">
46             <!-- 配置加密的方式 -->
47             <security:password-encoder ref="passwordEncoder"/>
48         </security:authentication-provider>
49     </security:authentication-manager>
50 
51     <!-- 配置加密類 -->
52     <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
53 
54 </beans>

2.3使用數據庫完成用戶登陸流程

下面是使用數據庫完成認證操做的流程圖

 

在Spring Security中若是想要使用數據進行認證操做，有不少種操做方式，這裏咱們介紹使用UserDetails、UserDetailsService來完成操做。

IUserService接口繼承了UserDetailsService類，UserServiceImpl類實現了IUserService接口。

UserDetailsService 接口內有一個loadUserByUsername方法，返回的是UserDetails。

 1 public interface UserDetailsService {
 2     // ~ Methods
 3     // ========================================================================================================
 4 
 5     /**
 6      * Locates the user based on the username. In the actual implementation, the search
 7      * may possibly be case sensitive, or case insensitive depending on how the
 8      * implementation instance is configured. In this case, the <code>UserDetails</code>
 9      * object that comes back may have a username that is of a different case than what
10      * was actually requested..
11      *
12      * @param username the username identifying the user whose data is required.
13      *
14      * @return a fully populated user record (never <code>null</code>)
15      *
16      * @throws UsernameNotFoundException if the user could not be found or the user has no
17      * GrantedAuthority
18      */
19     UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
20 }

 根據spring-security的核心配置文件，須要將UserServiceImpl類命名爲"userService"，並實現loadUserByUsername方法。

 loadUserByUsername方法根據用戶名從數據庫中查詢用戶信息UserInfo，並將UserInfo的用戶名，密碼和角色信息做爲User的構造參數。

 1 package club.nipengfei.service.impl;
 2 
 3 import club.nipengfei.dao.IUserDao;
 4 import club.nipengfei.domain.Role;
 5 import club.nipengfei.domain.UserInfo;
 6 import club.nipengfei.service.IUserService;
 7 import org.springframework.beans.factory.annotation.Autowired;
 8 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 9 import org.springframework.security.core.userdetails.User;
10 import org.springframework.security.core.userdetails.UserDetails;
11 import org.springframework.security.core.userdetails.UsernameNotFoundException;
12 import org.springframework.stereotype.Service;
13 import org.springframework.transaction.annotation.Transactional;
14 
15 import java.util.ArrayList;
16 import java.util.Collection;
17 import java.util.List;
18 
19 @Service("userService")
20 @Transactional
21 public class UserServiceImpl implements IUserService {
22 
23     @Autowired
24     private IUserDao userDao;
25 
26     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
27         UserInfo userInfo = null;
28         try {
29             userInfo = userDao.findByUsername(username);31         } catch (Exception e) {
32             e.printStackTrace();
33         }
34         // 處理本身的用戶對象分裝成UserDetails
35         // 該spring security的User實現了UserDetails
36         User user = new User(userInfo.getUsername(),userInfo.getPassword(),getAuthority(userInfo.getRoles()));38         return user;
39     }
40 
41     public List<SimpleGrantedAuthority> getAuthority(List<Role> roles) {
42         List<SimpleGrantedAuthority> list = new ArrayList<SimpleGrantedAuthority>();
43         for (Role role:roles){
44             list.add(new SimpleGrantedAuthority("ROLE_"+role.getRoleName()));
45         }
46         return list;
47     }
48 }

 接口UserDetails，封裝了當前認證用戶的信息，但因爲是一個接口，咱們能夠對其實現，也能夠使用spring security提供的UserDetails實現類User完成操做

1 public interface UserDetails extends Serializable {
2     Collection<? extends GrantedAuthority> getAuthorities();
3     String getPassword();
4     String getUsername();
5     boolean isAccountNonExpired();
6     boolean isAccountNonLocked();
7     boolean isCredentialsNonExpired();
8     boolean isEnabled();
9 }

1 public class User implements UserDetails, CredentialsContainer {
2     private String password;
3     private final String username;
4     private final Set<GrantedAuthority> authorities;
5     private final boolean accountNonExpired; //賬戶是否過時
6     private final boolean accountNonLocked; //賬戶是否鎖定
7     private final boolean credentialsNonExpired; //認證是否過時
8     private final boolean enabled; //賬戶是否可用
9 ｝

 下面是根據用戶名查詢用戶信息的IUserDao接口

 1 package club.nipengfei.dao;
 2 
 3 import club.nipengfei.domain.UserInfo;
 4 import org.apache.ibatis.annotations.Many;
 5 import org.apache.ibatis.annotations.Result;
 6 import org.apache.ibatis.annotations.Results;
 7 import org.apache.ibatis.annotations.Select;
 8 
 9 public interface IUserDao {
10 
11     @Select("select * from users where username=#{username}")
12     @Results({
13             @Result(id = true,property = "id",column = "id"),
14             @Result(property = "username",column = "username"),
15             @Result(property = "email",column = "email"),
16             @Result(property = "password",column = "password"),
17             @Result(property = "phoneNum",column = "phoneNum"),
18             @Result(property = "status",column = "status"),
19             @Result(property = "roles",column = "id",javaType = java.util.List.class,many = @Many(select = "club.nipengfei.dao.IRoleDao.findRoleByUserId"))
20     })
21     public UserInfo findByUsername(String username) throws Exception;
22 }

 2.4使用spring security完成權限控制（JSR-250註解）

不一樣的用戶有不一樣的角色，根據角色使用戶有不一樣的權限。在服務器端咱們能夠經過Spring security提供的註解對方法來進行權限控制。Spring Security在方法的權限控制上支持三種類型的註解，JSR-250註解、@Secured註解和支持表達式的註解，這三種註解默認都是沒有啓用的，須要單獨經過global-method-security元素的對應屬性進行啓用

下面使用JSR-250註解完成權限控制：

須要在security-security.xml中開啓權限，而且在pom.xml引入座標

<security:global-method-security jsr250-annotations="enabled"></security:global-method-security>

<dependency>
        <groupId>javax.annotation</groupId>
        <artifactId>jsr250-api</artifactId>
        <version>1.0</version>
 </dependency>

1. @RolesAllowed表示訪問對應方法時所應該具備的角色
2. @PermitAll表示容許全部的角色進行訪問，也就是說不進行權限控制
3. @DenyAll是和PermitAll相反的，表示不管什麼角色都不能訪問

 示例：

@RolesAllowed({"USER", "ADMIN"}) 該方法只要具備"USER", "ADMIN"任意一種權限就能夠訪問。這裏能夠省略前綴ROLE_，實際的權限多是ROLE_ADMIN

 2.5使用spring security完成權限控制（@Secured註解）

 與上面的相似，少一步pom.xml座標引入，由於該註解是spring security自己提供的。