springboot-28-security(一)用户角色控制

spring security 使用众多的拦截器实现权限控制的, 其核心有2个重要的概念: 认证(Authentication) 和授权 (Authorization)), 认证就是确认用户可以访问当前系统, 授权即确定用户有相应的权限,

现在先大概过一遍整个流程，用户登陆，会被AuthenticationProcessingFilter拦截，调用AuthenticationManager的实现，而且AuthenticationManager会调用ProviderManager来获取用户验证信息（不同的Provider调用的服务不同，因为这些信息可以是在数据库上，可以是在LDAP服务器上，可以是xml配置文件上等），如果验证通过后会将用户的权限信息封装一个User放到spring的全局缓存SecurityContextHolder中，以备后面访问资源时使用。

访问资源（即授权管理），访问url时，会通过AbstractSecurityInterceptor拦截器拦截，其中会调用FilterInvocationSecurityMetadataSource的方法来获取被拦截url所需的全部权限，在调用授权管理器AccessDecisionManager，这个授权管理器会通过spring的全局缓存SecurityContextHolder获取用户的权限信息，还会获取被拦截的url和被拦截url所需的全部权限，然后根据所配的策略（有：一票决定，一票否定，少数服从多数等），如果权限足够，则返回，权限不够则报错并调用权限不足页面 ( http://blog.csdn.net/u012367513/article/details/38866465)

本例的用户和角色信息存储在mysql, 使用mybatis进行查询:http://www.cnblogs.com/wenbronk/p/7357996.html

项目使用 idea + gradle

dependencies {

    compile("org.springframework.boot:spring-boot-devtools")

    compile("org.springframework.boot:spring-boot-starter")

    compile("org.springframework.boot:spring-boot-starter-web")

    compile("org.springframework.boot:spring-boot-starter-log4j2")

    compile("com.fasterxml.jackson.dataformat:jackson-dataformat-yaml")

    compile("org.codehaus.groovy:groovy-all:2.4.12")

    compile("org.springframework.boot:spring-boot-starter-security")

    compile("org.springframework.boot:spring-boot-starter-thymeleaf")

    compile("org.thymeleaf.extras:thymeleaf-extras-springsecurity4")

    compile ("mysql:mysql-connector-java")

    compile 'com.alibaba:druid-spring-boot-starter:1.1.2'

    compile ("org.mybatis.spring.boot:mybatis-spring-boot-starter:1.1.1")

    compile 'com.alibaba:fastjson:1.1.15'

    compile 'javax.inject:javax.inject:1'

    testCompile group: 'junit', name: 'junit', version: '4.12'

    testCompile("org.springframework.boot:spring-boot-starter-test")

}

1, 导入基础数据, 调试mybatis

1) , 建表

/*

Navicat MySQL Data Transfer

Source Server         : 本地

Source Host           : localhost:3306

Source Database       : test

Target Server Type    : MYSQL

Date: 2017-8-14 22:17:33

*/

SET FOREIGN_KEY_CHECKS=;

-- ----------------------------

-- Table structure for `sys_user`

-- ----------------------------

DROP TABLE IF EXISTS `sys_user`;

CREATE TABLE `sys_user` (

  `id` INT () NOT NULL AUTO_INCREMENT COMMENT '主键id',

  `username` varchar() DEFAULT NULL COMMENT '用户名',

  `password` varchar() DEFAULT NULL COMMENT '密码',

  PRIMARY KEY (`id`)

) ENGINE=InnoDB AUTO_INCREMENT= DEFAULT CHARSET=utf8;

-- ----------------------------

-- Table structure for `sys_role`

-- ----------------------------

DROP TABLE IF EXISTS `sys_role`;

CREATE TABLE `sys_role` (

  `id` INT () NOT NULL AUTO_INCREMENT COMMENT '主键id',

  `name` varchar() DEFAULT NULL COMMENT '用户名',

  PRIMARY KEY (`id`)

) ENGINE=InnoDB AUTO_INCREMENT= DEFAULT CHARSET=utf8;

-- ----------------------------

-- Table structure for `sys_role_user`

-- ----------------------------

DROP TABLE IF EXISTS `sys_role_user`;

CREATE TABLE `sys_role_user` (

  `id` bigint() NOT NULL AUTO_INCREMENT COMMENT '主键id',

  `sys_user_id` INT() NOT NULL COMMENT 'user_id',

  `sys_role_id` INT() NOT NULL COMMENT 'role_id',

  PRIMARY KEY (`id`)

) ENGINE=InnoDB AUTO_INCREMENT= DEFAULT CHARSET=utf8;

ALTER TABLE sys_role_user ADD CONSTRAINT sys_FK1 FOREIGN KEY(sys_user_id) REFERENCES sys_user(id);

ALTER TABLE sys_role_user ADD CONSTRAINT role_FK2 FOREIGN KEY(sys_role_id) REFERENCES sys_role(id);

导入数据

insert into SYS_USER (id,username, password) values (,'vini', '');

insert into SYS_USER (id,username, password) values (,'bronk', '');

insert into SYS_ROLE(id,name) values(,'ROLE_ADMIN');

insert into SYS_ROLE(id,name) values(,'ROLE_USER');

insert into SYS_ROLE_USER(SYS_USER_ID,sys_role_id) values(,);

insert into SYS_ROLE_USER(SYS_USER_ID,sys_role_id) values(,);

在 application.yml中配置如下, 可以在启动程序时自动执行

spring:

  datasource:

    url: jdbc:mysql://localhost:3306/springboot

    username: root

    password: root

#    type: com.alibaba.druid.pool.DruidDataSource

    driver-class-name: com.mysql.jdbc.Driver
　　# 一下2行

    schema: classpath:security.sql

    data: classpath:security-data.sql

2), mapper映射

package com.wenbronk.security.mapper

import com.wenbronk.security.entity.SysUser

/**

 * Created by wenbronk on 2017/8/14.

 */

interface SysUserMapper {

    SysUser findByUserName(String username)

}

在 resources/mybatis/mapper中添加:

<?xml version="1.0" encoding="UTF-8" ?>

<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >

<mapper namespace="com.wenbronk.security.mapper.SysUserMapper">

    <resultMap id="sys_user_map" type="SysUser">

        <id property="id" column="id" />

        <result property="username" column="username" />

        <result property="password" column="password" />

        <collection property="roles" ofType="SysRole">

            <result column="name" property="name" />

        </collection>

    </resultMap>

    <select id="findByUserName" parameterType="string" resultMap="sys_user_map">

        select u.id, u.username, u.password, r.name

        from sys_user u

        LEFT JOIN sys_role_user s on u.id = s.sys_user_id

        LEFT JOIN sys_role r on r.id = s.sys_role_id

        WHERE username = #{username}

    </select>

</mapper>

在application.yml中配置

mybatis:

  config-location: classpath:mybatis/SqlMapConfig.xml

  mapper-locations: classpath:mybatis/mapper/*.xml

在main方法上添加mapper扫描:

@SpringBootApplication

@MapperScan("com.wenbronk.security.mapper")

public class SecurityApplication {

    public static void main(String[] args) {

        SpringApplication.run(SecurityApplication.class);

    }

}

3), 实体类

class Msg {

    String title

    String content

    String etraInfo

    Msg() {

    }

    Msg(String title, String content, String etraInfo) {

        this.title = title

        this.content = content

        this.etraInfo = etraInfo

    }

}

SysUser.groovy

package com.wenbronk.security.entity

/**

 * Created by wenbronk on 2017/8/14.

 */

class SysUser {

    int id

    def username

    def password

    List<SysRole> roles

    @Override

    public String toString() {

        return "SysUser{" +

                "id=" + id +

                ", username=" + username +

                ", password=" + password +

                ", roles=" + roles +

                '}';

    }

}

SysRole.groovy

package com.wenbronk.security.entity

/**

 * Created by wenbronk on 2017/8/14.

 */

class SysUser {

    int id

    def username

    def password

    List<SysRole> roles

    @Override

    public String toString() {

        return "SysUser{" +

                "id=" + id +

                ", username=" + username +

                ", password=" + password +

                ", roles=" + roles +

                '}';

    }

}

4) , 测试mybatis

    @Test

    void test2() {

        def name = sysUserMapper.findByUserName('vini')

        println name

    }

2, security相关配置

1), CustomerUserService.groovy

package com.wenbronk.security.security.service

import com.wenbronk.security.entity.SysRole

import com.wenbronk.security.entity.SysUser

import com.wenbronk.security.mapper.SysUserMapper

import org.springframework.security.core.authority.SimpleGrantedAuthority

import org.springframework.security.core.userdetails.User

import org.springframework.security.core.userdetails.UserDetails

import org.springframework.security.core.userdetails.UserDetailsService

import org.springframework.security.core.userdetails.UsernameNotFoundException

import org.springframework.stereotype.Service

import javax.inject.Inject

/**

 * Created by wenbronk on 2017/8/15.

 */

@Service

class CustomUserService implements UserDetailsService {

    @Inject

    SysUserMapper sysUserMapper;

    @Override

    UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {

        def sysUser = sysUserMapper.findByUserName(s) as SysUser

        assert sysUser != null

        List<SimpleGrantedAuthority> authorities = new ArrayList<>()

        for(SysRole role : sysUser.getRoles()) {

            authorities.add(new SimpleGrantedAuthority(role.getName()))

            println role.getName();

        }

        return new User(sysUser.getUsername(), sysUser.getPassword(), authorities)

    }

}

2), WebSecurityConfig.groovy

package com.wenbronk.security.security.config

import com.wenbronk.security.security.service.CustomUserService

import org.springframework.context.annotation.Configuration

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder

import org.springframework.security.config.annotation.web.builders.HttpSecurity

import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity

import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

import javax.inject.Inject

/**

 * Created by wenbronk on 2017/8/15.

 */

@Configuration

@EnableWebSecurity

class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Inject

    CustomUserService customUserService;

    @Override

    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        auth.userDetailsService(customUserService);

    }

    @Override

    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()

            .anyRequest().authenticated()   // 任何请求都拦截

            .and()

            .formLogin()

            .loginPage("/login")

            .failureUrl("/login?error")

            .permitAll()        // 登陆后可访问任意页面

            .and()

            .logout().permitAll();  // 注销后任意访问

    }

}

3, 页面

1), 页面转向设置

package com.wenbronk.security.config

import org.springframework.context.annotation.Configuration

import org.springframework.web.servlet.config.annotation.ViewControllerRegistry

import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter

/**

 * Created by wenbronk on 2017/8/15.

 */

@Configuration

class WebMvcConfig extends WebMvcConfigurerAdapter{

    @Override

    void addViewControllers(ViewControllerRegistry registry) {

        registry.addViewController("/login").setViewName("login")

    }

}

controller.groovy

package com.wenbronk.security.controller

import com.wenbronk.security.entity.Msg

import org.springframework.stereotype.Controller

import org.springframework.ui.Model

import org.springframework.web.bind.annotation.RequestMapping

/**

 * Created by wenbronk on 2017/8/14.

 */

@Controller

class SecurityController {

    @RequestMapping("/")

    def index(Model model) {

        def msg = new Msg("测试标题", "测试内容", "额外信息, 只对管理员显示")

        model.addAttribute("msg", msg);

        "home"

    }

}

在resources下放入静态资源, bootstramp.min.css, 以及thymeleaf页面

<!DOCTYPE html>

<html xmlns:th="http://www.thymeleaf.org">

<head>

    <meta content="text/html;charset=UTF-8"/>

    <title>登录页面</title>

    <link rel="stylesheet" th:href="@{css/bootstrap.min.css}"/>

    <style type="text/css">

        body {

            padding-top: 50px;

        }

        .starter-template {

            padding: 40px 15px;

            text-align: center;

        }

    </style>

</head>

<body>

<nav class="navbar navbar-inverse navbar-fixed-top">

    <div class="container">

        <div class="navbar-header">

            <a class="navbar-brand" href="#">Spring Security演示</a>

        </div>

        <div id="navbar" class="collapse navbar-collapse">

            <ul class="nav navbar-nav">

                <li><a th:href="@{/}"> 首页 </a></li>

            </ul>

        </div><!--/.nav-collapse -->

    </div>

</nav>

<div class="container">

    <div class="starter-template">

        <p th:if="${param.logout}" class="bg-warning">已成功注销</p><!--  -->

        <p th:if="${param.error}" class="bg-danger">有错误，请重试</p> <!--  -->

        <h2>使用账号密码登录</h2>

        <form name="form" th:action="@{/login}" action="/login" method="POST"> <!--  -->

            <div class="form-group">

                <label for="username">账号</label>

                <input type="text" class="form-control" name="username" value="" placeholder="账号" />

            </div>

            <div class="form-group">

                <label for="password">密码</label>

                <input type="password" class="form-control" name="password" placeholder="密码" />

            </div>

            <input type="submit" id="login" value="Login" class="btn btn-primary" />

        </form>

    </div>

</div>

</body>

</html>

home.html

<!DOCTYPE html>

<html xmlns:th="http://www.thymeleaf.org"

      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">

<head>

<meta content="text/html;charset=UTF-8"/>

<title sec:authentication="name"></title>

<link rel="stylesheet" th:href="@{css/bootstrap.min.css}" />

<style type="text/css">

body {

  padding-top: 50px;

}

.starter-template {

  padding: 40px 15px;

  text-align: center;

}

</style>

</head>

<body>

     <nav class="navbar navbar-inverse navbar-fixed-top">

      <div class="container">

        <div class="navbar-header">

          <a class="navbar-brand" href="#">Spring Security演示</a>

        </div>

        <div id="navbar" class="collapse navbar-collapse">

          <ul class="nav navbar-nav">

           <li><a th:href="@{/}"> 首页 </a></li>

          </ul>

        </div><!--/.nav-collapse -->

      </div>

    </nav>

     <div class="container">

      <div class="starter-template">

          <h1 th:text="${msg.title}"></h1>

        <p class="bg-primary" th:text="${msg.content}"></p>

        <div sec:authorize="hasRole('ROLE_ADMIN')"> <!-- 用户类型为ROLE_ADMIN 显示 -->

             <p class="bg-info" th:text="${msg.etraInfo}"></p>

        </div>

        <div sec:authorize="hasRole('ROLE_USER')"> <!-- 用户类型为 ROLE_USER 显示 -->

             <p class="bg-info">无更多信息显示</p>

        </div>

        <form th:action="@{/logout}" method="post">

            <input type="submit" class="btn btn-primary" value="注销"/>

        </form>

      </div>

    </div>

</body>

</html>

参见: JavaEE颠覆者, springboot实战

参考博客:http://blog.csdn.net/u012373815/article/details/54632176