Spring Security（二）登入與安全控制

Admin_lee發表於2018-09-22

1、在pom.xml中新增依賴

<!-- Spring Security -->
   <dependency>
	   <groupId>org.springframework.security</groupId>
	   <artifactId>spring-security-web</artifactId>
   </dependency>

   <dependency>
	   <groupId>org.springframework.security</groupId>
	   <artifactId>spring-security-config</artifactId>
   </dependency>

2、web.xml新增

<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>classpath:spring/spring-security.xml</param-value>
	</context-param>
	<listener>
		<listener-class>
			org.springframework.web.context.ContextLoaderListener
		</listener-class>
	</listener>

	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

3、新增spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd">

    <!-- 以下頁面不被攔截 -->
    <http pattern="/*.html" security="none"></http>
    <http pattern="/css/**" security="none"></http>
    <http pattern="/img/**" security="none"></http>
    <http pattern="/js/**" security="none"></http>
    <http pattern="/plugins/**" security="none"></http>
    <http pattern="/seller/add.do" security="none"></http>

    <!-- 頁面攔截規則 -->
    <http use-expressions="false">
        <intercept-url pattern="/**" access="ROLE_SELLER"/>
        <form-login login-page="/shoplogin.html" default-target-url="/admin/index.html"
                    authentication-failure-url="/shoplogin.html" always-use-default-target="true"/>
        <csrf disabled="true"/>
        <headers>
            <frame-options policy="SAMEORIGIN"/>
        </headers>
        <logout/>
    </http>

    <!-- 認證管理器 -->
    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService">
        </authentication-provider>
    </authentication-manager>

    <!-- 引用dubbo 服務 -->
    <dubbo:application name="pinyougou-shop-web" />
    <dubbo:registry address="zookeeper://123.207.255.168:2181"/>
    <dubbo:reference id="sellerService"  interface="com.pinyougou.sellergoods.service.SellerService" >
    </dubbo:reference>
    <beans:bean id="userDetailsService" class="com.pinyougou.shop.service.UserDetailsServiceImpl">
        <beans:property name="sellerService" ref="sellerService"></beans:property>
    </beans:bean>
</beans:beans>

4、自定義認證類

/**
 * @author 麥客子
 * @title: UserDetailsServiceImpl
 * @desc 認證類
 * @date 11:03 2018/9/21
 */
public class UserDetailsServiceImpl implements UserDetailsService {
    private SellerService sellerService;
    public void setSellerService(SellerService sellerService) {
        this.sellerService = sellerService;
    }
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        System.out.println("經過了UserDetailsServiceImpl");
        //構建角色列表
        List<GrantedAuthority> grantAuths=new ArrayList();
        grantAuths.add(new SimpleGrantedAuthority("ROLE_SELLER"));
        //得到商家物件
        TbSeller seller = sellerService.findOne(username);
        if(seller!=null){
            if(seller.getStatus().equals("1")){
                return new User(username,seller.getPassword(),grantAuths);
            }else{
                return null;
            }
        }else{
            return null;
        }
    }
}

5、修改登入頁面

在這裡插入圖片描述

6、BCrypt加密演算法

使用者表的密碼通常使用MD5等不可逆演算法加密後儲存，為防止彩虹表破解更會先使用一個特定的字串（如域名）加密，然後再使用一個隨機的salt（鹽值）加密。特定字串是程式程式碼中固定的，salt是每個密碼單獨隨機，一般給使用者表加一個欄位單獨儲存，比較麻煩。 BCrypt演算法將salt隨機並混入最終加密後的密碼，驗證時也無需單獨提供之前的salt，從而無需單獨處理salt問題。
（1）程式碼中應用

/**
	 * 增加
	 * @param seller
	 * @return
	 */
	@RequestMapping("/add")
	public Result add(@RequestBody TbSeller seller){

		//密碼加密
		BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
		String password = passwordEncoder.encode(seller.getPassword());
		seller.setPassword(password);

		try {
			sellerService.add(seller);
			return new Result(true, "增加成功");
		} catch (Exception e) {
			e.printStackTrace();
			return new Result(false, "增加失敗");
		}
	}

（2）修改spring-security配置

<!-- 認證管理器 -->
    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService">
            <password-encoder ref="bcryptEncoder"></password-encoder>
        </authentication-provider>
    </authentication-manager>

    <!-- 引用dubbo 服務 -->
    <dubbo:application name="pinyougou-shop-web" />
    <dubbo:registry address="zookeeper://123.207.255.168:2181"/>
    <dubbo:reference id="sellerService"  interface="com.pinyougou.sellergoods.service.SellerService" >
    </dubbo:reference>
    <beans:bean id="userDetailsService" class="com.pinyougou.shop.service.UserDetailsServiceImpl">
        <beans:property name="sellerService" ref="sellerService"></beans:property>
    </beans:bean>

    <beans:bean id="bcryptEncoder"
                class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
    </beans:beans>

Spring Security使用(二) 非同步登入
2020-11-29
Spring非同步
Spring Security實現統一登入與許可權控制
2022-03-23
Spring
Spring Security入門（3-1）Spring Security的登入頁面定製
2017-06-13
Spring
Spring Security 之 rememberMe 自動登入
2020-06-26
SpringREM
spring security 自定義認證登入
2017-12-21
Spring
Spring Security原始碼分析五：Spring Security實現簡訊登入
2018-01-15
Spring原始碼
Spring Cloud實戰系列(十) - 單點登入JWT與Spring Security OAuth
2019-02-09
SpringCloudJWTOAuth
Spring Security OAuth2 單點登入
2021-11-08
SpringOAuth
實戰開發，使用 Spring Session 與 Spring security 完成網站登入改造！！
2020-08-19
SpringSession網站
Spring Security原始碼分析十四：Spring Social社交登入繫結與解綁
2019-03-01
Spring原始碼
Spring Security系列之Spring Social社交登入的繫結與解綁(十五)
2018-12-28
Spring
Spring Security 一鍵接入驗證碼登入和小程式登入
2022-04-03
Spring
Spring Security（二）
2019-01-11
Spring
Spring Security系列之入門應用(二)
2018-12-10
Spring
Spring Security 安全框架
2015-06-29
Spring框架
[譯] 學習 Spring Security（八）：使用 Spring Security OAuth2 實現單點登入
2018-04-08
SpringOAuth
詳解Spring Security的HttpBasic登入驗證模式
2019-11-15
SpringHTTP模式
Spring Security系列之實現簡訊登入(十)
2018-12-21
Spring
01-Spring Security框架學習--入門（二）
2021-09-09
Spring框架
Spring Cloud Security：Oauth2實現單點登入
2019-11-11
SpringCloudOAuth
Spring Security 實戰乾貨：玩轉自定義登入
2019-10-17
Spring
Spring Security 整合微信小程式登入的思路探討
2021-03-05
Spring微信小程式
spring security之預設登入頁原始碼跟蹤
2021-11-07
Spring原始碼
Spring Security原始碼分析六：Spring Social社交登入原始碼解析
2019-02-27
Spring原始碼
Spring Security原始碼分析三：Spring Social實現QQ社交登入
2018-01-09
Spring原始碼
使用Spring Security控制會話
2019-05-21
Spring會話
Spring Security原始碼分析十二：Spring Security OAuth2基於JWT實現單點登入
2018-01-26
Spring原始碼OAuthJWT
基於Spring Security Oauth2的SSO單點登入+JWT許可權控制實踐
2019-05-06
SpringOAuthJWT
二、Spring Security的使用
2018-03-23
Spring
小米安全Dayeh：《Spring Security入坑指南1》
2019-03-15
Spring
小米安全Dayeh：《Spring Security入坑指南2》
2019-03-15
Spring
Spring Security 實戰乾貨：實現自定義退出登入
2019-10-23
Spring
spring security 之自定義表單登入原始碼跟蹤
2021-11-11
Spring原始碼
Spring Security原始碼分析二：Spring Security授權過程
2018-01-05
Spring原始碼
Java安全框架（一）Spring Security
2020-11-03
Java框架Spring
Spring Security安全綜合大全指南
2024-04-15
Spring
Spring Security 快速入門
2019-03-02
Spring
Spring Security 入門篇
2021-05-10
Spring