企业项目中的Spring Security操作
面的章节从内置数据入手开始介绍Spring Security的入门案例。在实际的企业级开发中,一般不会把用户名和密码固定在代码或者配置文件中,而是直接在数据库中查询用户的账号和密码,再将其和用户输入的账号和密码进行对比并认证,最终完成用户的认证和授权查询。下面使用国内目前常用的两个数据库操作框架(Spring Data JPA和MyBatis)完成对SpringSecurity的查询和认证,读者只需要掌握其中的一个框架即可,建议优先选用自己熟悉的框架。
实战:基于JPA的Spring Boot Security操作
新建一个spring-security-db-demo项目,具体步骤如下:
(1)在pom.xml中添加Spring Security和JPA,即MySQL和Web开发所需要的依赖,代码如下:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.10.RELEASE</version>
<relativePath/>
</parent>
<groupId>com.example</groupId>
<artifactId>spring-security-db-demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>spring-security-db-demo</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>11</java.version>
</properties>
<dependencies>
<dependency> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--spring data jpa-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<!--spring security-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!--thymeleaf模板-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<!--thymeleaf中使用的Spring Security标签-->
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
<!-- <version>3.0.3.RELEASE</version>-->
</dependency>
<dependency>
<groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>cn.hutool</groupId>
<artifactId>hutool-all</artifactId>
<version>5.5.7</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
(2)为了让项目开发具有多样性,本次使用的配置文件格式是yml,在application.yml中添加项目配置,用来配置数据库的连接信息。使用sys数据库的配置信息如下:
server:
port: 8080
spring:
datasource:
username: root
password: 123456
url: jdbc:mysql://127.0.0.1:3306/sys
driver-class-name: com.mysql.cj.jdbc.Driver
jpa:
hibernate: ddl-auto: update
database-platform: org.hibernate.dialect.MySQL5InnoDBDialect
open-in-view: false
(3)开始编写项目代码,新建Security的配置文件WebSecurityConfig.java:
package com.example.springsecuritydbdemo.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.Authentication
Provider;
import
org.springframework.security.authentication.dao.DaoAuthentication
Provider;
import org.springframework.security.config.annotation.authentication.
builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.
configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.
HttpSecurity;
import
org.springframework.security.config.annotation.web.configuration.
WebSecurityConfigurerAdapter;
import
org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoder
Factories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.rememberme.
JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.
PersistentTokenRepository;
import javax.sql.DataSource;/**
* 开启security注解
*/
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private PersistentTokenRepository persistentTokenRepository;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws
Exception {
auth.authenticationProvider(authenticationProvider());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//关闭csrf
http.csrf().disable();
// 自定义登录页面
http.formLogin()
.loginPage("/loginPage") // 登录页面的
URL
// 登录访问路径,不用自己处理逻辑,只需要定义URL即可
.loginProcessingUrl("/login")
.failureUrl("/exception") // 登录失败时跳
转的路径
.defaultSuccessUrl("/index", true); // 登录成功后跳
转的路径
// URL的拦截与放行,除//loginPage、/hello、/exception和/*.jpg之外的
路径都会被拦截
http.authorizeRequests()
.antMatchers("/loginPage", "/hello", "/exception",
"/*.jpg").permitAll()
.anyRequest().authenticated();
// 注销用户
http.logout().logoutUrl("/logout");
// 记住密码(自动登录) http.rememberMe().tokenRepository(persistentTokenRepository).
tokenValiditySeconds(60 * 60).userDetailsService(userDetailsService);
}
/**
* 登录提示
*/
@Bean
public AuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider provider = new
DaoAuthenticationProvider();
// 显示用户找不到异常,默认不论用户名和密码哪个错误,都提示密码错误
provider.setHideUserNotFoundExceptions(false);
provider.setPasswordEncoder(passwordEncoder());
provider.setUserDetailsService(userDetailsService);
return provider;
}
/**
* 密码加密器
*/
@Bean
public PasswordEncoder passwordEncoder() {
return
PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
/**
* 记住密码,并存储Token
*/
@Bean
public PersistentTokenRepository
persistentTokenRepository(DataSourcedataSource) {
// 数据存储在数据库中
JdbcTokenRepositoryImpl jdbcTokenRepository = new
JdbcTokenRepositoryImpl();
jdbcTokenRepository.setDataSource(dataSource);
return jdbcTokenRepository;
}
}
(4)新建Web请求的UserControllerjava入口文件,并定义其访问的URL:
package com.example.springsecuritydbdemo.controller;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.util.WebUtils;
import javax.servlet.http.HttpServletRequest;
@Controller
@Slf4j
public class UserController {
@ResponseBody
@RequestMapping("/hello")
public String hello() {
return "hello";
}
/**
* 登录页面
*/
@GetMapping("/loginPage")
public String login() {
return "login";
}
/**
* Security 认证异常处理
*/
@GetMapping("/exception")
public String error(HttpServletRequest request) {
// 获取Spring Security的AuthenticationException异常并抛出,由全局异
常统一处理
AuthenticationException exception = (AuthenticationException)
WebUtils.getSessionAttribute(request,
"SPRING_SECURITY_LAST_EXCEPTION");
if (exception != null) {
throw exception;
}
return "redirect:/loginPage";
}
@GetMapping({"/index", "/"})
public String index() {
return "index";
}
@ResponseBody
@GetMapping("/role/teacher")
@Secured({"ROLE_teacher", "ROLE_admin"})
public String teacher() {
return "模拟获取老师数据";
}
@ResponseBody
@GetMapping("/role/admin")
@Secured({"ROLE_admin"})
public String admin() {
return "模拟获取管理员数据";
}
@ResponseBody
@GetMapping("/role/student")
@Secured({"ROLE_student", "ROLE_admin"})
public String student() {
return "模拟获取学生数据";
}
}
(5)新建UserDao.java文件和AuthoritiesDao.java文件进行数据库的操作。
UserDao.java文件的内容如下:
package com.example.springsecuritydbdemo.dao;
import com.example.springsecuritydbdemo.entity.Authorities;
import org.springframework.data.jpa.repository.JpaRepository;
import
org.springframework.data.jpa.repository.JpaSpecificationExecutor;
public interface AuthoritiesDao extends
JpaRepository<Authorities, Integer>, JpaSpecificationExecutor
<Authorities> {
}
AuthoritiesDao.java文件的内容如下:
package com.example.springsecuritydbdemo.dao;
import com.example.springsecuritydbdemo.entity.Users;
import org.springframework.data.jpa.repository.JpaRepository;
import
org.springframework.data.jpa.repository.JpaSpecificationExecutor;
public interface UsersDao extends
JpaRepository<Users, Integer>, JpaSpecificationExecutor<Users>
{
Users findByUsername(String username);
}
(6)新建数据库的表对应的实体类Authorities、PersistentLogins和Users。Authorities类如下:
package com.example.springsecuritydbdemo.entity;
import lombok.Getter;
import lombok.Setter;
import javax.persistence.*;
import java.util.HashSet;
import java.util.Set;
@Getter
@Setter
@Entity
@Table(name = "authorities")
public class Authorities {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Integer id;
private String authority;
@ManyToMany(mappedBy = "authorities", cascade = CascadeType.ALL)
private Set<Users> users = new HashSet<>();
}
PersistentLogins类的内容如下:
package com.example.springsecuritydbdemo.entity;
import lombok.Getter;
import lombok.Setter;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;
import java.util.Date;@Getter
@Setter
@Entity
@Table(name = "persistent_logins")
public class PersistentLogins {
@Id
private String series;
private String username;
private String token;
private Date last_used;
}
Users类的内容如下:
package com.example.springsecuritydbdemo.entity;
import lombok.Getter;
import lombok.Setter;
import javax.persistence.*;
import java.util.HashSet;
import java.util.Set;
@Getter
@Setter
@Entity
@Table(name = "users")
public class Users {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Integer id;
private String username;
private String password;
@ManyToMany(targetEntity = Authorities.class, cascade =
CascadeType.ALL)
@JoinTable(name = "users_authorities", joinColumns = @JoinColumn(name = "users_id",
referencedColumnName = "id"),
inverseJoinColumns = @JoinColumn(name =
"authorities_id",referencedColumnName = "id"))
private Set<Authorities> authorities = new HashSet<>();
}
(7)设置项目的全局异常处理:
package com.example.springsecuritydbdemo.exception;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.BadCredentials
Exception;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.servlet.ModelAndView;
/**
* 全局异常处理
*/
@ControllerAdvice
@Slf4j
public class GlobalExceptionHandler {
@ExceptionHandler(RuntimeException.class)
public ModelAndView exception(Exception e) {
log.info(e.toString());
ModelAndView modelAndView = new ModelAndView();
modelAndView.setViewName("error");
if (e instanceof BadCredentialsException) {
// 密码错误
modelAndView.addObject("msg", "密码错误");
} else if (e instanceof AccessDeniedException) {
// 权限不足
modelAndView.addObject("msg", e.getMessage());
} else { // 其他
modelAndView.addObject("msg", "系统错误");
}
return modelAndView;
}
}
(8)设置用户的服务类,代码如下:
package com.example.springsecuritydbdemo.service;
import com.example.springsecuritydbdemo.dao.UsersDao;
import com.example.springsecuritydbdemo.entity.Authorities;
import com.example.springsecuritydbdemo.entity.Users;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGranted
Authority;
import org.springframework.security.core.userdetails.*;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import java.util.ArrayList;
import java.util.Set;
@Service("userDetailsService")
@Slf4j
public class UserDetailService implements UserDetailsService {
@Autowired
private UsersDao usersDao;
@Override
@Transactional
public UserDetails loadUserByUsername(String s) throws
UsernameNotFound
Exception {
Users users = usersDao.findByUsername(s); // 用户不存在
if (users == null) {
log.error("用户名:[{}]不存在", s);
throw new UsernameNotFoundException("用户名不存在");
}
// 获取该用户的角色信息
Set<Authorities> authoritiesSet = users.getAuthorities();
ArrayList<GrantedAuthority> list = new ArrayList<>();
for (Authorities authorities : authoritiesSet) {
list.add(new
SimpleGrantedAuthority(authorities.getAuthority()));
}
return new User(users.getUsername(), users.getPassword(),
list);
}
}
(9)新建Spring Boot项目的启动类:
package com.example.springsecuritydbdemo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import
org.springframework.security.config.annotation.web.configuration.
EnableWebSecurity;
@EnableWebSecurity
@SpringBootApplication
public class SpringSecurityDbDemoApplication {
public static void main(String[] args) {
SpringApplication.run(SpringSecurityDbDemoApplication.class,
args);
}
}
提示:在启动项目之前需要配置好数据库。本书使用MySQL 8。数据库的配置信息保存在application.yml文件中,读者可以根据实际情况修改数据库信息,确认无误后即可启动项目。
访问
http://localhost:8080/loginPage即可可以看到登录页面,如图5.10所示。使用账号admin和密码123456登录后,可以看到admin拥有的权限,如图5.11所示。退出admin后使用账号student和密码123456登录,查看student拥有的权限,如图5.12所示。可以看到,不同的用户拥有不同的权限,从而实现使用JPA控制不同用户权限的目的。
可以看到,不同的账号访问,拥有不同的权限,权限不同看到的数据也不同。
实战:基于MyBatis的Spring Boot Security操作
基于5.3.1小节的代码,全部注释掉UserDao.java文件和AuthoritiesDao.java文件,修改后缀名为UserDao.java.bak和AuthoritiesDao.java.bak,再修改entity包中的实体类。
主要步骤如下:
(1)移除pom.xml中的JPA依赖,在pom.xml中添加MyBatis的依赖:
<!--spring data jpa-->
<!--<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>-->
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.1</version>
</dependency>
(2)修改
SpringSecurityDbDemoApplication.java文件,增加一个MyBatis的配置注解:
@MapperScan("com.example.springsecuritydbdemo.dao")
(3)修改entity包中所有的实体类,去除所有的JPA注解。
Authorities类的文件内容如下:
package com.example.springsecuritydbdemo.entity;
import lombok.Data;
@Data
public class Authorities {
private Integer id;
private String authority;
}
PersistentLogins类的文件内容如下:
package com.example.springsecuritydbdemo.entity;
import lombok.Data;
import java.util.Date;
@Data
public class PersistentLogins {
private String series;
private String username;
private String token;
private Date last_used;
}
Users类的文件内容如下:
package com.example.springsecuritydbdemo.entity;
import lombok.Data;
import java.util.HashSet;
import java.util.Set;
@Data
public class Users {
private Integer id;
private String username;
private String password;
private Set<Authorities> authorities = new HashSet<>();
}
(4)修改Dao包中的数据库操作接口,添加查询用户的方法:
package com.example.springsecuritydbdemo.dao;
import com.example.springsecuritydbdemo.entity.Authorities;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.ResultType;
import org.apache.ibatis.annotations.Select;
import java.util.Set;
@Mapper
public interface AuthoritiesDao {
@Select("select a.* from authorities a LEFT JOIN users_authorities
b " +
"on a.id=b.authorities_id where b.users_id=#{userId}")
@ResultType(Set.class)
Set<Authorities> findByUserId(@Param("userId") Integer userId);
}
(5)添加查询用户和保存用户的方法:
package com.example.springsecuritydbdemo.dao;
import com.example.springsecuritydbdemo.entity.Users;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
@Mapper
public interface UsersDao {
@Select("select * from users where username=#{username}")
Users findByUsername(@Param("username") String username);
void save(Users users);
}
(6)在sys数据库中执行SQL语句,用来创建3张表,代码如下:
CREATE TABLE `authorities` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`authority` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `persistent_logins` (
`series` varchar(100) NOT NULL,
`username` varchar(255) DEFAULT NULL,
`token` varchar(255) DEFAULT NULL,
`last_used` datetime DEFAULT NULL,
PRIMARY KEY (`series`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `users` (
`id` int(11) NOT NULL AUTO_INCREMENT, `username` varchar(255) DEFAULT NULL,
`password` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
修改完成后启动项目,再次访问http://localhost:8080,如同5.3.1小节的例子一样登录不同的账号,确认不同的用户拥有不同的权限。通过以上开发实践可以看到,在一些简单的数据库操作中,JPA不需要编写SQL语句,这样会明显地提高开发效率,使用起来也非常方便。