Spring MVC 项目搭建 -5- spring security 使用数据库进行验证

时间:2022-01-04 03:13:34

Spring MVC 项目搭建 -5- spring security 使用数据库进行验证

1.创建数据表格(这里使用的是mysql)

CREATE TABLE security_role (
  id int NOT NULL auto_increment,
  name varchar(50) DEFAULT NULL,
  description varchar(200) DEFAULT NULL,
  PRIMARY KEY (id)
) ;

CREATE TABLE security_user (
  id int NOT NULL auto_increment,
  username varchar(50) DEFAULT NULL,
  password varchar(50) DEFAULT NULL,
  status int DEFAULT NULL,
  salt VARCHAR(45) NULL,
  description varchar(200) DEFAULT NULL,
  PRIMARY KEY (id)
) ;

CREATE TABLE security_user_role (
  user_id int not NULL,
  role_id int not NULL,
  PRIMARY KEY (user_id,role_id),
  CONSTRAINT security_user_role_ibfk_1 FOREIGN KEY (user_id) REFERENCES security_user (id) ON DELETE CASCADE ON UPDATE CASCADE,
  CONSTRAINT security_user_role_ibfk_2 FOREIGN KEY (role_id) REFERENCES security_role (id) ON DELETE CASCADE ON UPDATE CASCADE
) ;

INSERT INTO security_role (name,description) VALUES ( 'ROLE_ADMIN', 'admin');
INSERT INTO security_role (name,description) VALUES ( 'ROLE_DEV', 'developer');
INSERT INTO security_role (name,description) VALUES ( 'ROLE_TEST', 'tester');

INSERT INTO security_user  (username,password,status,description) VALUES ('admin', 'admin', '1', 'admin');
INSERT INTO security_user  (username,password,status,description) VALUES( 'dev', 'dev', '1', 'developer');
INSERT INTO security_user  (username,password,status,description) VALUES ('test', 'test', '1', 'tester');

INSERT INTO security_user_role (user_id,role_id) VALUES ('1', '1');
INSERT INTO security_user_role (user_id,role_id) VALUES ('1', '2');
INSERT INTO security_user_role (user_id,role_id) VALUES ('1', '3');
INSERT INTO security_user_role (user_id,role_id) VALUES ('2', '2');
INSERT INTO security_user_role (user_id,role_id) VALUES ('3', '3');

2.DAO && VO

//省略get,set方法
public class SecurityRole {
    private int id;
    private String name;
    private String description;
}

public class SecurityUser{
    private int id ;
    private String username;
    private String password;
    private int status;
    private String description;
    private String salt;
    public SecurityUser(){

    }
    public SecurityUser(String username,String password,int status,String description,String salt){
        this.username = username;
        this.password = password;
        this.status = status;
        this.description = description;
        this.salt = salt;
    }
}

public interface ISecurityUserDao {
    /**
     * 根据用户名修改密码
     */
    public int changePassword(String username,String password);
    /**
     * 根据用户名寻找用户
     */
    public SecurityUser findByName(String username) throws SQLException;
    /**
     * 根据用户名获取用户角色
     */
    public Collection<GrantedAuthority> loadUserAuthorityByName(String username);
    /**
     * 根据用户名获取权限列表
     */
    public List<String> loadUserAuthorities(String username);
    /**
     * 获取所有用户
     */
    public List<SecurityUser> findAllUser();
    /**
     * 添加用户
     */
    public int addUser(SecurityUser user);
    /**
     * 添加用户
     */
    public int updateUser(SecurityUser user);
}

@Repository
/**
 * 继承 NamedParameterJdbcDaoSupport 需要注入dataSource属性
 */
public class SecurityUserDao  extends NamedParameterJdbcDaoSupport implements ISecurityUserDao{
    @Autowired
    private JdbcTemplate jdbcTemplate;
    @Autowired
    public void setParentDataSource(
            @Qualifier("dataSource") DataSource dataSource) {
        super.setDataSource(dataSource);
    }
    private static final Log log = LogFactory.getLog(SecurityUserDao.class);
    private final String CHANGE_PASSWORD_SQL = "UPDATE security_user set password = ? WHERE username = ?";
    //private final String GET_USER_LIST = "select * from security_user where username=?";
    public int changePassword(String username,String password){
        return jdbcTemplate.update( CHANGE_PASSWORD_SQL, password, username);
    }
    public SecurityUser findByName(String username) throws SQLException{
        String sql = "select * from security_user where username='" + username + "'";
        RowMapper<SecurityUser> mapper = new RowMapper<SecurityUser>() {
            public SecurityUser mapRow(ResultSet rs, int rowNum) throws SQLException {
                SecurityUser user = new SecurityUser();
                user.setId((int) rs.getLong("id"));
                user.setUsername(rs.getString("username"));
                user.setPassword(rs.getString("password"));
                user.setStatus(rs.getInt("status"));
                user.setDescription(rs.getString("description"));
                user.setSalt(rs.getString("salt"));
                return user;
            }
        };
        SecurityUser user = jdbcTemplate.queryForObject(sql, mapper);
        return user;
    }

    // 通过用户名获得权限集合
    public Collection<GrantedAuthority> loadUserAuthorityByName(String username) {
        try{
            List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();

            List<String> authsList = loadUserAuthorities(username);

            for(String roleName:authsList){
                GrantedAuthorityImpl authority = new GrantedAuthorityImpl(roleName);
                auths.add(authority);
            }
            return auths;
        }catch(RuntimeException re){
            log.error("" + re);
            throw re;
        }
    }

    // 获取权限列表
    public List<String> loadUserAuthorities(String username) {
        try {
            String sql = "select r.name as authority "
                    + "from security_user u join security_user_role ur on u.id= ur.user_id "
                    + "join security_role r on r.id= ur.role_id " + "where u.username='"
                    + username + "'";
            List<Map<String, Object>> list = jdbcTemplate.queryForList(sql);
            List<String> roles = new ArrayList<String>();
            for (Map<String, Object> map : list) {
                roles.add((String) map.get("authority"));
            }
            return roles;
        } catch (RuntimeException re) {
            log.error("find by authorities by username failed." + re);
            throw re;
        }
    }
    public List<SecurityUser> findAllUser(){
        String sql = "select * from security_user";
        RowMapper<SecurityUser> mapper = new RowMapper<SecurityUser>() {
            public SecurityUser mapRow(ResultSet rs, int rowNum) throws SQLException {
                SecurityUser user = new SecurityUser();
                user.setId((int) rs.getLong("id"));
                user.setUsername(rs.getString("username"));
                user.setPassword(rs.getString("password"));
                user.setStatus(rs.getInt("status"));
                user.setDescription(rs.getString("description"));
                user.setSalt(rs.getString("salt"));
                return user;
            }
        };

        List<SecurityUser> user = jdbcTemplate.query(sql, mapper);
        return user;
    }
    private final String INSERT_USER_SQL =
            "INSERT INTO security_user (username,password,status,description,salt) " +
            "VALUES(:username,:password,:status,:description,:salt)";
    @Override
    public int addUser(SecurityUser user) {
        return this.getNamedParameterJdbcTemplate().update(INSERT_USER_SQL,
                new BeanPropertySqlParameterSource(user));
    }

    private final String UPDATE_USER_SQL =
            "UPDATE security_user set status=:status,"+
            "description=:description,salt=:salt " +
            "WHERE username =:username";
    @Override
    public int updateUser(SecurityUser user) {
        return this.getNamedParameterJdbcTemplate().update(UPDATE_USER_SQL,
                new BeanPropertySqlParameterSource(user));
    }
}

3.UserDetailsService的编写

public interface IAppUserDetailsService extends UserDetailsService{
    /**
     * 根据用户名修改密码
     */
    public boolean changePasswordByUserName(String userName, String password);
    /**
     * 根据用户名 加密数据库内原始密码
     * 只用于手动修改了数据库密码进行加密
     */
    public boolean securityPassword(String userName);
    /**
     * 创建新用户
     */
    public boolean createUser(SecurityUser user);
    /**
     * 获取用户列表
     */
    public List<SecurityUser> getUserList();
    /**
     * 修改用户信息
     */
    public boolean updateUser(SecurityUser user);
}

//用于获取用户名密码
@SuppressWarnings("deprecation")
public class AppUserDetailService implements IAppUserDetailsService {
    private static final Log log = LogFactory.getLog(AppUserDetailService.class);
    @Autowired
    private SecurityUserDao securityUserDao;
    @Autowired
    private SaltSource saltSource;
    @Autowired
    private PasswordEncoder passwordEncoder;
    /**
     * UserDetailsService 的 核心方法
     */
    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        System.out.println("username is :" + username);
        SecurityUser user = null;
        try {
            user = this.securityUserDao.findByName(username);
            System.out.println(user);
        } catch (SQLException e) {
            throw new UsernameNotFoundException("用户不存在");
        }
        // 获得用户权限
        Collection<GrantedAuthority> auths = securityUserDao
                .loadUserAuthorityByName(username);
        boolean enables = true;
        // 账户过期否
        boolean accountNonExpired = true;
        // 证书过期否
        boolean credentialsNonExpired = true;
        // 账户锁定否
        boolean accountNonLocked = true;
        // 封装成spring security的user
        AppUser userdetail = new AppUser(username, user.getPassword(), enables,
                accountNonExpired, credentialsNonExpired, accountNonLocked,
                auths,user.getSalt());
        for (GrantedAuthority s : auths) {
            s.getAuthority();
        }
        System.out.println(auths);
        System.out.println(userdetail);
        return userdetail;
    }
    /**
     * 修改用户密码并加密
     */
    @Override
    public boolean changePasswordByUserName(String userName, String password){
        UserDetails userdetail = loadUserByUsername(userName);
        log.info("salt:"+ saltSource.getSalt(userdetail));
        String pw = passwordEncoder.encodePassword(password, saltSource.getSalt(userdetail));
        int result  = securityUserDao.changePassword(userName,pw);
        return result > 0;
    }
    /**
     * 将指定用户没有加密的密码加密
     */
    @Override
    public boolean securityPassword(String userName) {
        UserDetails userdetail = loadUserByUsername(userName);
        String pw = userdetail.getPassword();
        return changePasswordByUserName(userName,pw);
    }

    @Override
    public boolean createUser(SecurityUser user) {
        boolean success = true;
        int i = securityUserDao.addUser(user);
        if(i>0){
            success = securityPassword(user.getUsername());
        }else{
            success = false;
        }
        return success;
    }
    @Override
    public List<SecurityUser> getUserList() {

        List<SecurityUser> result = securityUserDao.findAllUser();
        return result;
    }
    @Override
    public boolean updateUser(SecurityUser user) {
        System.out.println(user.getDescription());
        return securityUserDao.updateUser(user)>0;
    }
}

4.修改security配置(spring-sample-security.xml)

  • 添加注入配置
  • 修改拦截配置
  • 引入passwordEncoder,saltSource实现密码的加密
  • 引入appUserDetailService
  • 修改authenticationManager 引用 appUserDetailService
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context.xsd">
    <!--配置  security 管理 控制器-->
    <context:component-scan base-package="security" />
    <context:component-scan base-package="security.service.impl" />
    <!-- 去除不需要拦截的url -->
    <http pattern="/libs/**" security="none"/>
    <http pattern="/login.html" security="none" />
    <http pattern="/resources/**" security="none" />
    <!-- 配置一层拦截,需要输入正确用户名密码才能访问网站 -->
    <http auto-config="true" use-expressions="true" >
        <!-- 拦截所有不是ROLE_USER的请求  -->
        <intercept-url pattern="/*" access="hasAnyRole('ROLE_ADMIN','ROLE_DEV','ROLE_TEST')" />
        <!-- 登录配置 -->
        <form-login login-page="/login.html"
            default-target-url="/test/mytest/loginSuccess"
            authentication-failure-url="/test/mytest/loginFaild"/>
        <logout invalidate-session="true"
            logout-success-url="/"
            logout-url="/j_spring_security_logout"/>
    </http>
    <!--默认拦截器  -->
    <authentication-manager alias="authenticationManager">
    <!--验证配置,认证管理器,实现用户认证的入口,主要实现UserDetailsService接口即可 -->
    <authentication-provider user-service-ref="appUserDetailService">
           <password-encoder ref="passwordEncoder">
                <salt-source ref="saltSource"/>
           </password-encoder>
       </authentication-provider>
    </authentication-manager>
    <!--在这个类中,你就可以从数据库中读入用户的密码,角色信息,是否锁定,账号是否过期等 -->
    <beans:bean id="appUserDetailService" class="security.service.impl.AppUserDetailService" />
    <!--加密密码  -->
    <beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
    <!--为密码添加 saltSource -->
    <beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource" >
        <beans:property name="userPropertyToUse" value="salt"/>
    </beans:bean>
</beans:beans> 

5.添加Junit Test方法 运行密码加密方法,将数据库的密码加密

package security;

import junit.framework.Assert;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

import security.service.IAppUserDetailsService;
import security.vo.SecurityUser;

//基于junit4的测试框架
@RunWith(SpringJUnit4ClassRunner.class)
//启动spring容器
@ContextConfiguration(locations = {
    "classpath:applicationContext.xml",
    "file:WebContent/WEB-INF/spring-test-servlet.xml",
    "file:WebContent/WEB-INF/config/spring-sample-security.xml"
})
public class SecurityTest {
    @Autowired
    private IAppUserDetailsService userService;
    @Test
    public void securityPassword() {
        Assert.assertTrue(userService.securityPassword("admin"));
        Assert.assertTrue(userService.securityPassword("test"));
        Assert.assertTrue(userService.securityPassword("dev"));
    }
}