Implementing Method-Level Permission Management with Spring Security
1. Technical goals
Understand and create the database tables the Security framework needs
Add the Spring Security framework to the project
Master the Security framework configuration
Use the Security framework to bind permissions to the project's CRUD operations
2. Permission management requirements
Define a permission for each operation in the system, for example four permissions:
1) Super permission, which may use every operation
2) Add-film permission
3) Update-film permission
4) Delete-film permission
Set up administrator accounts and passwords for the system
Create permission groups for the system; each group can be configured with several operation permissions, for example two groups:
1) The "Administrator" group, which has the super permission
2) The "影片維護" (film maintenance) group, which has the add-film and update-film permissions
An administrator can be added to a permission group; after logging in, the administrator holds the operation permissions that the group maps to
An administrator need not belong to any group; permissions can also be assigned to an administrator directly
3. Preparation
3.1) Create six tables in the database
t_admin        administrator account table
t_role         permission table
t_group        permission group table
t_group_role   group-to-permission mapping table
t_group_user   administrator-to-group mapping table
t_user_role    administrator-to-permission mapping table
The table-creation SQL is as follows:
SQL code:
SET FOREIGN_KEY_CHECKS=0;
-- create the administrator account table t_admin
CREATE TABLE `t_admin` (
  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `passwd` varchar(12) NOT NULL DEFAULT '' COMMENT '用戶密碼',
  `nickname` varchar(20) NOT NULL DEFAULT '' COMMENT '用戶名字',
  `phoneno` varchar(32) NOT NULL DEFAULT '' COMMENT '電話號碼',
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8;
-- add three administrator accounts
INSERT INTO `t_admin` VALUES ('1', 'admin', 'admin', '');
INSERT INTO `t_admin` VALUES ('4', '123456', 'test', '');
INSERT INTO `t_admin` VALUES ('5', '111111', '111111', '');
-- create the permission table t_role
CREATE TABLE `t_role` (
  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `role` varchar(40) NOT NULL DEFAULT '',
  `descpt` varchar(40) NOT NULL DEFAULT '' COMMENT '角色描述',
  `category` varchar(40) NOT NULL DEFAULT '' COMMENT '分類',
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=60 DEFAULT CHARSET=utf8;
-- add four operation permissions
INSERT INTO `t_role` VALUES ('1', 'ROLE_ADMIN', '系統管理員', '系統管理員');
INSERT INTO `t_role` VALUES ('2', 'ROLE_UPDATE_FILM', '修改', '影片管理');
INSERT INTO `t_role` VALUES ('3', 'ROLE_DELETE_FILM', '刪除', '影片管理');
INSERT INTO `t_role` VALUES ('4', 'ROLE_ADD_FILM', '添加', '影片管理');
-- create the permission group table t_group
CREATE TABLE `t_group` (
  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `groupname` varchar(50) NOT NULL DEFAULT '',
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=utf8;
-- add two permission groups
INSERT INTO `t_group` VALUES ('1', 'Administrator');
INSERT INTO `t_group` VALUES ('2', '影片維護');
-- create the group-to-permission mapping table t_group_role
CREATE TABLE `t_group_role` (
  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `groupid` bigint(20) unsigned NOT NULL,
  `roleid` bigint(20) unsigned NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `groupid2` (`groupid`,`roleid`),
  KEY `roleid` (`roleid`),
  CONSTRAINT `t_group_role_ibfk_1` FOREIGN KEY (`groupid`) REFERENCES `t_group` (`id`),
  CONSTRAINT `t_group_role_ibfk_2` FOREIGN KEY (`roleid`) REFERENCES `t_role` (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=83 DEFAULT CHARSET=utf8;
-- map the permission groups to their permissions
INSERT INTO `t_group_role` VALUES ('1', '1', '1');
INSERT INTO `t_group_role` VALUES ('2', '2', '2');
INSERT INTO `t_group_role` VALUES ('4', '2', '4');
-- create the administrator-to-group mapping table t_group_user
CREATE TABLE `t_group_user` (
  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `userid` bigint(20) unsigned NOT NULL,
  `groupid` bigint(20) unsigned NOT NULL,
  PRIMARY KEY (`id`),
  KEY `userid` (`userid`),
  KEY `groupid` (`groupid`),
  CONSTRAINT `t_group_user_ibfk_2` FOREIGN KEY (`groupid`) REFERENCES `t_group` (`id`),
  CONSTRAINT `t_group_user_ibfk_3` FOREIGN KEY (`userid`) REFERENCES `t_admin` (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=18 DEFAULT CHARSET=utf8;
-- put the administrators into permission groups
INSERT INTO `t_group_user` VALUES ('1', '1', '1');
INSERT INTO `t_group_user` VALUES ('2', '4', '2');
-- create the administrator-to-permission mapping table t_user_role
-- this table bypasses the groups and assigns permissions directly to an administrator
CREATE TABLE `t_user_role` (
  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `userid` bigint(20) unsigned NOT NULL,
  `roleid` bigint(20) unsigned NOT NULL,
  PRIMARY KEY (`id`),
  KEY `userid` (`userid`),
  KEY `roleid` (`roleid`),
  CONSTRAINT `t_user_role_ibfk_1` FOREIGN KEY (`userid`) REFERENCES `t_admin` (`id`),
  CONSTRAINT `t_user_role_ibfk_2` FOREIGN KEY (`roleid`) REFERENCES `t_role` (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=utf8;
3.2) Add the following jars to the project (the jars the security framework needs):
spring-security-config-3.1.0.RC2.jar
spring-security-core-3.1.0.RC2.jar
spring-security-taglibs-3.1.0.RC2.jar
spring-security-web-3.1.0.RC2.jar
3.3) Create the following package to hold the login authentication filter code:
com.xxx.security
3.4) Under src, create the Spring configuration file applicationContext-security.xml with the following content:
XML code:
xmlns:b="http://www.springframework.org/schema/beans" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
3.5) Add the security configuration to web.xml as follows:
XML code:
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
contextConfigLocation
/WEB-INF/applicationContext-*.xml,classpath*:applicationContext-*.xml
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
org.springframework.web.context.ContextLoaderListener
7. In the com.xxx.security package, create the login authentication filter. It can be used to do logging and similar work when an administrator logs in, and consists of two classes:
LoginUsernamePasswordAuthenticationFilter
LoginSuccessHandler
7.1) The LoginUsernamePasswordAuthenticationFilter code is as follows:
Java code:
package com.xxx.security;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
public class LoginUsernamePasswordAuthenticationFilter extends
        UsernamePasswordAuthenticationFilter {
}
7.2) The LoginSuccessHandler code is as follows:
Java code:
package com.xxx.security;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
/**
 * Handles administrator login logging
 *
 */
public class LoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication) throws IOException,
            ServletException {
        UserDetails userDetails = (UserDetails) authentication.getPrincipal();
        // output the login notice here (userDetails.getUsername() gives the logged-in account)
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
8. Add the permission management configuration to applicationContext-security.xml as follows:
XML code:
xmlns:b="http://www.springframework.org/schema/beans" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
default-target-url="/manager/films.jsp"
authentication-failure-url="/login.jsp?error=true" />
delete-cookies="JSESSIONID" />
                Query the permissions of the login account directly with SQL statements:
                users-by-username-query: checks whether the login user exists
                authorities-by-username-query: queries the login user's permissions (a user need not belong to any group; these permissions come from the t_user_role table)
                group-authorities-by-username-query: queries the permissions of the groups the login user belongs to
group-authorities-by-username-query="SELECT g.id, g.groupname, role.role
                             FROM t_group AS g
LEFT OUTER JOIN t_group_role AS grouprole ON (g.id = grouprole.groupid)
LEFT OUTER JOIN t_role AS role ON (role.id = grouprole.roleid)
LEFT OUTER JOIN t_group_user AS groupuser ON (g.id = groupuser.groupid)
LEFT OUTER JOIN t_admin ON (t_admin.id = groupuser.userid)
WHERE t_admin.nickname = ?"
users-by-username-query="SELECT t_admin.nickname AS username, t_admin.passwd AS password, 'true' AS enabled
                             FROM t_admin
WHERE t_admin.nickname = ?"
authorities-by-username-query="SELECT t_admin.nickname AS username, role.role AS authorities
                               FROM t_admin
LEFT OUTER JOIN t_user_role AS userrole ON (t_admin.id = userrole.userid)
LEFT OUTER JOIN t_role AS role ON (userrole.roleid = role.id)
WHERE t_admin.nickname = ?" />
class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
value="classpath:org/springframework/security/messages" />
/manager/films.jsp
/login.jsp?error=true
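As an added illustration (not code from the original page), the following Python script loads the six tables and sample rows from section 3.1 into an in-memory SQLite database and runs the three jdbc-user-service queries from section 8 against them, combining group roles and directly assigned roles into the effective authority set that section 2 describes. It also handles two edge cases those queries leave open: the NULL authority row the LEFT OUTER JOIN returns for an account with no direct role, and a nickname matching more than one account, which the schema does not forbid even though nickname is the login name.

```python
import sqlite3

# Constructed in-memory copy of the page's six tables and sample rows (MySQL-only syntax dropped for SQLite).
SCHEMA = """
CREATE TABLE t_admin (id INTEGER PRIMARY KEY, passwd TEXT, nickname TEXT, phoneno TEXT);
CREATE TABLE t_role (id INTEGER PRIMARY KEY, role TEXT, descpt TEXT, category TEXT);
CREATE TABLE t_group (id INTEGER PRIMARY KEY, groupname TEXT);
CREATE TABLE t_group_role (id INTEGER PRIMARY KEY, groupid INTEGER, roleid INTEGER);
CREATE TABLE t_group_user (id INTEGER PRIMARY KEY, userid INTEGER, groupid INTEGER);
CREATE TABLE t_user_role (id INTEGER PRIMARY KEY, userid INTEGER, roleid INTEGER);
INSERT INTO t_admin VALUES (1,'admin','admin',''),(4,'123456','test',''),(5,'111111','111111','');
INSERT INTO t_role VALUES (1,'ROLE_ADMIN','',''),(2,'ROLE_UPDATE_FILM','',''),
                          (3,'ROLE_DELETE_FILM','',''),(4,'ROLE_ADD_FILM','','');
INSERT INTO t_group VALUES (1,'Administrator'),(2,'影片維護');
INSERT INTO t_group_role VALUES (1,1,1),(2,2,2),(4,2,4);
INSERT INTO t_group_user VALUES (1,1,1),(2,4,2);
"""
# The three queries from the jdbc-user-service configuration, with the JDBC '?' placeholder.
USERS_Q = """SELECT t_admin.nickname AS username, t_admin.passwd AS password, 'true' AS enabled
FROM t_admin WHERE t_admin.nickname = ?"""
AUTH_Q = """SELECT t_admin.nickname AS username, role.role AS authorities FROM t_admin
LEFT OUTER JOIN t_user_role AS userrole ON (t_admin.id = userrole.userid)
LEFT OUTER JOIN t_role AS role ON (userrole.roleid = role.id)
WHERE t_admin.nickname = ?"""
GROUP_Q = """SELECT g.id, g.groupname, role.role FROM t_group AS g
LEFT OUTER JOIN t_group_role AS grouprole ON (g.id = grouprole.groupid)
LEFT OUTER JOIN t_role AS role ON (role.id = grouprole.roleid)
LEFT OUTER JOIN t_group_user AS groupuser ON (g.id = groupuser.groupid)
LEFT OUTER JOIN t_admin ON (t_admin.id = groupuser.userid)
WHERE t_admin.nickname = ?"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def grant_direct_role(db, userid, roleid):
    """Assign a role to an administrator without any group, via t_user_role (section 2)."""
    db.execute("INSERT INTO t_user_role (userid, roleid) VALUES (?, ?)", (userid, roleid))

def load_authorities(db, username):
    """Effective authorities = direct roles (t_user_role) plus the roles of the user's groups.
    Returns None when the account is unknown or the nickname is ambiguous: the schema
    puts no UNIQUE key on t_admin.nickname, yet the queries use it as the login name."""
    if len(db.execute(USERS_Q, (username,)).fetchall()) != 1:
        return None
    direct = {row[1] for row in db.execute(AUTH_Q, (username,))}
    via_group = {row[2] for row in db.execute(GROUP_Q, (username,))}
    # The LEFT OUTER JOIN in AUTH_Q yields one row with a NULL authority for an
    # account that has no direct role; it must not be treated as a granted authority.
    return {a for a in direct | via_group if a is not None}
```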
9. Customize the operation permissions for the film page films.jsp. Once this is done, different accounts see different operations after logging in. For example, the account "admin" belongs to the "Administrator" group and has the "ROLE_ADMIN" permission, so after logging in it sees every operation; the account "test" belongs to the "影片維護" group and has the "ROLE_UPDATE_FILM" and "ROLE_ADD_FILM" permissions, so after logging in it sees only the "add film info" and "update" operations.