Spring Security 03

認證和鑑權

配置文件方式

<authentication-manager>
        <authentication-provider>
            <!-- In-memory users and their authorities. Demo configuration only: the passwords are
                 literal plaintext in this file and no <password-encoder> is configured, so they are
                 compared exactly as written here. -->
            <user-service>
                <user name="admin" password="123" authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="user" password="123" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

jdbc-user-service方式

<!-- Users are stored in a database. Spring Security by default expects two tables (a user table and an
     authorities table); the two queries below replace the defaults with this project's user / role /
     user_role schema. -->
    <authentication-manager>
        <authentication-provider>
           <!-- <user-service>
                <user name="admin" password="123" authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="user" password="123" authorities="ROLE_USER" />
            </user-service>-->
            <!-- Both queries bind the submitted username as a JDBC parameter (the trailing "?") — keep it
                 that way rather than concatenating it into the SQL. users-by-username-query returns
                 username, password and `status` aliased as enabled; authorities-by-username-query returns
                 username plus one role name per row. No <password-encoder> is set, so the stored password
                 is compared as-is: hash it before using this beyond a demo. -->
            <jdbc-user-service data-source-ref="mysqlDataSource"
                  users-by-username-query="select username,`password`,`status` as enabled from `user` where username = ?"
                  authorities-by-username-query="select `user`.username,role.`name` from `user`,role,user_role where `user`.id=user_role.user_id and user_role.role_id=role.id and `user`.username = ?" />
 
        </authentication-provider>
    </authentication-manager>
  • note1: 默認使用數據庫存儲用戶；Spring Security 默認情況下需要兩張表：用戶表和權限表
  • note2: data-source-ref="mysqlDataSource"，引用數據源，連接數據庫
  • note3: 數據庫中建立三張表user、role、user_role
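-- Roles. role.name holds the authority string Spring Security compares against the access rules
-- (the sample data uses ROLE_ADMIN / ROLE_USER).
create table role(
    id bigint,
    `name` varchar(50),
    descn varchar(200)
);
alter table role add constraint pk_role primary key(id);
-- Optional, dialect-specific: let the database generate id instead of supplying it in every insert.
-- alter table role alter column id int generated by default as identity(1, 1);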
  
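-- Users. `status` is what users-by-username-query reads as the "enabled" flag.
-- `password` is varchar(50): wide enough for the plaintext demo values, but a hashed password
-- (e.g. bcrypt, 60 characters) will not fit — widen it before configuring a password encoder.
create table `user`(
    id bigint,
    username varchar(50),
    `password` varchar(50),
    `status` integer,
    descn varchar(200)
);
alter table `user` add constraint pk_user primary key(id);
-- users-by-username-query looks a user up by name and expects one row, so the name must be unique.
alter table `user` add constraint uk_user_username unique(username);
-- Optional, dialect-specific: let the database generate id.
-- alter table `user` alter column id bigint generated by default as identity(start with 1);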
  
-- User-to-role join table; the composite key stops the same role being assigned twice.
create table user_role(
    user_id bigint,
    role_id bigint,
    constraint pk_user_role primary key(user_id, role_id),
    constraint fk_user_role_user foreign key(user_id) references `user`(id),
    constraint fk_user_role_role foreign key(role_id) references role(id)
);
 
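-- Sample data. Demo only: the passwords are stored in clear and equal the usernames
-- ('admin'/'admin', 'user'/'user'); status=1 is read as "enabled" by the login query.
-- Names are quoted with backticks to match the DDL above.
insert into `user`(id,username,`password`,`status`,descn) values(1,'admin','admin',1,'管理員');
insert into `user`(id,username,`password`,`status`,descn) values(2,'user','user',1,'用戶');

insert into role(id,`name`,descn) values(1,'ROLE_ADMIN','管理員角色');
insert into role(id,`name`,descn) values(2,'ROLE_USER','用戶角色');

-- admin holds both roles, user only ROLE_USER (same split as the in-memory <user-service> example).
insert into user_role(user_id,role_id) values(1,1);
insert into user_role(user_id,role_id) values(1,2);
insert into user_role(user_id,role_id) values(2,2);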

動態加載方式

<!-- Change how authentication data is loaded: instead of the built-in user-service or
     jdbc-user-service, the provider delegates to the custom UserDetailsService bean below. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="MyUserDetailsService">
        </authentication-provider>
    </authentication-manager>

    <!-- Custom class MyUserDetailsService. "xx.xx" is a placeholder: replace it with the real package. -->
    <beans:bean id="MyUserDetailsService" class="xx.xx.MyUserDetailsService" />
  • 自定義權限類
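public class MyGrantedAuthority implements GrantedAuthority {
    /** Authority (role) name, e.g. the values stored in role.name such as ROLE_ADMIN / ROLE_USER. */
    private final String authority;

    /**
     * Creates an authority with the given name.
     *
     * @param authority role name; it must match the role names used in the access rules exactly
     */
    // Fixed: the constructor was named MGrantedAuthority, which does not compile as a constructor.
    public MyGrantedAuthority(String authority) {
        this.authority = authority;
    }

    @Override
    public String getAuthority() {
        return authority;
    }

    // equals/hashCode on the name: MyUserDetails keeps these in a Set, so two instances carrying the
    // same role must collapse to one entry instead of being distinct by identity.
    @Override
    public boolean equals(Object other) {
        if (this == other) {
            return true;
        }
        if (!(other instanceof MyGrantedAuthority)) {
            return false;
        }
        MyGrantedAuthority that = (MyGrantedAuthority) other;
        return authority == null ? that.authority == null : authority.equals(that.authority);
    }

    @Override
    public int hashCode() {
        return authority == null ? 0 : authority.hashCode();
    }

    @Override
    public String toString() {
        return authority;
    }
}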
  • 自定義用戶信息類
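public class MyUserDetails implements UserDetails {

    private final String username;
    private final String password;
    private final Set<MyGrantedAuthority> authorities;
    // Mirrors the user table's `status` column; the 3-arg constructor keeps the old behaviour (always enabled).
    private final boolean enabled;

    /**
     * Creates an enabled user.
     *
     * @param username    login name
     * @param password    stored credential, exactly as the authentication provider will compare it
     * @param authorities roles resolved for this user
     */
    // Fixed: the constructor was named MUserDetails and the set element type MGrantedAuthority,
    // neither of which exists.
    public MyUserDetails(String username, String password, Set<MyGrantedAuthority> authorities) {
        this(username, password, authorities, true);
    }

    /**
     * Creates a user with an explicit enabled flag.
     *
     * @param username    login name
     * @param password    stored credential, exactly as the authentication provider will compare it
     * @param authorities roles resolved for this user
     * @param enabled     whether the account may log in (the user table's `status` column)
     */
    public MyUserDetails(String username, String password, Set<MyGrantedAuthority> authorities, boolean enabled) {
        this.username = username;
        this.password = password;
        this.authorities = authorities;
        this.enabled = enabled;
    }

    /** Returns the live set passed to the constructor; callers should not mutate it. */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return authorities;
    }

    @Override
    public String getPassword() {
        return password;
    }

    @Override
    public String getUsername() {
        return username;
    }

    /** Account expiry is not tracked in the schema, so every account is reported as non-expired. */
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    /** Account locking is not tracked in the schema, so every account is reported as non-locked. */
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    /** Credential expiry is not tracked in the schema, so credentials are reported as non-expired. */
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    /**
     * Whether the account may authenticate. Previously hard-coded to {@code true}, which let a row with
     * status = 0 log in through this path; the flag now comes from the constructor.
     */
    @Override
    public boolean isEnabled() {
        return enabled;
    }
}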
  • 獲取用戶信息
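public class MyUserDetailsService implements UserDetailsService {

    /**
     * Loads the user record and its roles for the authentication provider.
     *
     * @param username login name submitted at authentication; the lookups it is passed to must bind it
     *                 as a query parameter, never concatenate it into SQL
     * @return the populated {@link MyUserDetails}
     * @throws UsernameNotFoundException when no user record exists for {@code username}
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // TODO: queryUsr and queryRole are still to be implemented against the user / role / user_role tables.

        // Stored credential from the user table.
        String password = queryUsr(username);
        // assumes queryUsr returns null for an unknown user — TODO confirm once it is implemented.
        // Without this check an unknown name would be wrapped in a UserDetails with a null password.
        if (password == null) {
            throw new UsernameNotFoundException("No user found with username: " + username);
        }
        // Roles from role via user_role. (Fixed: a stray ')' on this line and the non-existent
        // type name MGrantedAuthority.)
        Set<MyGrantedAuthority> authorities = queryRole(username);

        return new MyUserDetails(username, password, authorities);
    }
}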