文章出處
create-table
insert user/role data
spring-security
HelloController
hello.jsp
403.jsp
admin.jsp
文章列表
在前一節,學習了如何自定義登錄頁,但是用戶名、密碼仍然是配置在xml中的,這樣顯然太非主流,本節將學習如何把用戶名/密碼/角色存儲在db中,通過db來實現用戶認證
一、項目結構
與前面的示例相比,因為要連接db,所以多出了一個spring-database.xml用來定義數據庫連接,此外,為了演示登錄用戶權限不足的場景,加了一個頁面403.jsp,用來統一顯示權限不足的提示信息
二、數據庫表結構(oracle環境)
1 create table T_USERS 2 ( 3 d_username VARCHAR2(50) not null, 4 d_password VARCHAR2(60), 5 d_enabled NUMBER(1) 6 ); 7 alter table T_USERS 8 add constraint PK_USERS_USERNAME primary key (D_USERNAME) ; 9 10 create table T_USER_ROLES 11 ( 12 d_user_role_id NUMBER(10) not null, 13 d_username VARCHAR2(50), 14 d_role VARCHAR2(50) 15 ); 16 alter table T_USER_ROLES 17 add constraint PK_USER_ROLES primary key (D_USER_ROLE_ID); 18 alter table T_USER_ROLES 19 add constraint IDX_UNI_ROLE_USERNAME unique (D_USERNAME, D_ROLE);
這里創建了二張表,一張用來保存用戶名/密碼,另一張用來保存用戶所屬的權限角色,表名和字段名無所謂,可以隨便改,但是用戶表中,必須要有"用戶名/密碼/帳號的有效狀態"這三列信息,權限角色表必須要有“用戶名/權限角色”這二列信息
再insert幾條測試數據
1 insert into T_USERS (D_USERNAME, D_PASSWORD, D_ENABLED) 2 values ('YJMYZZ', '123456', 1); 3 4 insert into T_USERS (D_USERNAME, D_PASSWORD, D_ENABLED) 5 values ('MIKE', 'MIKE123', 1); 6 7 insert into T_USER_ROLES (D_USER_ROLE_ID, D_USERNAME, D_ROLE) 8 values (1, 'MIKE', 'POWER'); 9 10 insert into T_USER_ROLES (D_USER_ROLE_ID, D_USERNAME, D_ROLE) 11 values (2, 'YJMYZZ', 'ADMIN'); 12 13 insert into T_USER_ROLES (D_USER_ROLE_ID, D_USERNAME, D_ROLE) 14 values (3, 'YJMYZZ', 'POWER');
這里插入了二個用戶YJMYZZ/MIKE,而且MIKE屬于POWER組,YJMYZZ同時屬于POWER\ADMIN二個權限組
三、spring-security.xml
1 <beans:beans xmlns="http://www.springframework.org/schema/security" 2 xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 3 xsi:schemaLocation="http://www.springframework.org/schema/beans 4 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 5 http://www.springframework.org/schema/security 6 http://www.springframework.org/schema/security/spring-security-3.2.xsd"> 7 8 <http auto-config="true" use-expressions="true"> 9 <intercept-url pattern="/admin**" access="hasRole('ADMIN')" /> 10 <!-- access denied page --> 11 <access-denied-handler error-page="/403" /> 12 <form-login login-page="/login" default-target-url="/welcome" 13 authentication-failure-url="/login?error" username-parameter="username" 14 password-parameter="password" /> 15 <logout logout-success-url="/login?logout" /> 16 <!-- enable csrf protection --> 17 <csrf /> 18 </http> 19 20 <!-- Select users and user_roles from database --> 21 <authentication-manager> 22 <authentication-provider> 23 <jdbc-user-service data-source-ref="dataSource" 24 users-by-username-query="select d_username username,d_password password, d_enabled enabled from t_users where d_username=?" 25 authorities-by-username-query="select d_username username, d_role role from t_user_roles where d_username=? " /> 26 </authentication-provider> 27 </authentication-manager> 28 29 </beans:beans>
注意第9行,這里使用了一個el表達式,目的是/admin開頭的url,必須有ADMIN角色的登錄用戶才可訪問
第11行,表示如果登錄用戶權限不夠,將跳轉到/403這個url
24,25這二行,指定了查詢用戶/角色的sql語句,注意:雖然前面提到了用戶/角色這二張表的表名/字段名可以隨便寫,但是寫sql時,用戶名的別名必須是username,密碼列的別名必須是password,帳號有效狀態的別名必須是enabled,而權限角色列的別名必須是role
23行指定了db數據源,它的詳細定義在 spring-database.xml中,內容如下:
1 <?xml version="1.0" encoding="UTF-8"?> 2 <beans xmlns="http://www.springframework.org/schema/beans" 3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xsi:schemaLocation="http://www.springframework.org/schema/beans 5 http://www.springframework.org/schema/beans/spring-beans.xsd"> 6 7 <bean id="dataSource" 8 class="org.springframework.jdbc.datasource.DriverManagerDataSource"> 9 <property name="driverClassName" value="oracle.jdbc.driver.OracleDriver" /> 10 <property name="url" value="jdbc:oracle:thin:@172.21.***.***:1521:orcl" /> 11 <property name="username" value="***" /> 12 <property name="password" value="***" /> 13 </bean> 14 </beans>
本文使用的是oracle數據庫,如果是其它數據庫,請自行調整上面的內容
四、Controller
1 package com.cnblogs.yjmyzz; 2 3 import org.springframework.security.authentication.AnonymousAuthenticationToken; 4 import org.springframework.security.core.Authentication; 5 import org.springframework.security.core.context.SecurityContextHolder; 6 import org.springframework.security.core.userdetails.UserDetails; 7 import org.springframework.stereotype.Controller; 8 import org.springframework.web.bind.annotation.RequestMapping; 9 import org.springframework.web.bind.annotation.RequestMethod; 10 import org.springframework.web.bind.annotation.RequestParam; 11 import org.springframework.web.servlet.ModelAndView; 12 13 @Controller 14 public class HelloController { 15 16 @RequestMapping(value = { "/", "/welcome" }, method = RequestMethod.GET) 17 public ModelAndView welcome() { 18 19 ModelAndView model = new ModelAndView(); 20 model.addObject("title", 21 "Spring Security Login Form - Database Authentication"); 22 model.addObject("message", "This is default page!"); 23 model.setViewName("hello"); 24 return model; 25 26 } 27 28 @RequestMapping(value = "/admin", method = RequestMethod.GET) 29 public ModelAndView admin() { 30 31 ModelAndView model = new ModelAndView(); 32 model.addObject("title", 33 "Spring Security Login Form - Database Authentication"); 34 model.addObject("message", "This page is for ROLE_ADMIN only!"); 35 model.setViewName("admin"); 36 return model; 37 38 } 39 40 @RequestMapping(value = "/login", method = RequestMethod.GET) 41 public ModelAndView login( 42 @RequestParam(value = "error", required = false) String error, 43 @RequestParam(value = "logout", required = false) String logout) { 44 45 ModelAndView model = new ModelAndView(); 46 if (error != null) { 47 model.addObject("error", "Invalid username and password!"); 48 } 49 50 if (logout != null) { 51 model.addObject("msg", "You've been logged out successfully."); 52 } 53 model.setViewName("login"); 54 55 return model; 56 57 } 58 59 // for 403 access denied page 60 @RequestMapping(value = "/403", method = RequestMethod.GET) 61 public ModelAndView accesssDenied() { 62 63 ModelAndView model = new ModelAndView(); 64 65 // check if user is login 66 Authentication auth = SecurityContextHolder.getContext() 67 .getAuthentication(); 68 if (!(auth instanceof AnonymousAuthenticationToken)) { 69 UserDetails userDetail = (UserDetails) auth.getPrincipal(); 70 model.addObject("username", userDetail.getUsername()); 71 } 72 73 model.setViewName("comm/403"); 74 return model; 75 76 } 77 78 }
66-71行演示了如何在服務端判斷一個用戶是否已經登錄
五、視圖頁面
hello.jsp
1 <%@ page language="java" contentType="text/html; charset=UTF-8" 2 pageEncoding="UTF-8"%> 3 <%@taglib prefix="sec" 4 uri="http://www.springframework.org/security/tags"%> 5 <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> 6 <html> 7 <head> 8 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> 9 <title>${title}</title> 10 </head> 11 <body> 12 <h1>Title : ${title}</h1> 13 <h1>Message : ${message}</h1> 14 <sec:authorize access="hasRole('POWER')"> 15 <!-- For login user --> 16 <c:url value="/j_spring_security_logout" var="logoutUrl" /> 17 <form action="${logoutUrl}" method="post" id="logoutForm"> 18 <input type="hidden" name="${_csrf.parameterName}" 19 value="${_csrf.token}" /> 20 </form> 21 <script> 22 function formSubmit() { 23 document.getElementById("logoutForm").submit(); 24 } 25 </script> 26 27 <c:if test="${pageContext.request.userPrincipal.name != null}"> 28 <h2> 29 User : ${pageContext.request.userPrincipal.name} | <a 30 href="javascript:formSubmit()"> Logout</a> | <a href="admin">admin</a> 31 </h2> 32 </c:if> 33 </sec:authorize> 34 35 <sec:authorize access="isAnonymous()"> 36 <br /> 37 <h2> 38 <a href="login">login</a> 39 </h2> 40 </sec:authorize> 41 42 </body> 43 </html>
注意一下:14、27、35這三行,它們演示了如何在jsp端判斷用戶具有的角色權限、是否已登錄等用法
403.jsp
1 <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> 2 <html> 3 <body> 4 <h1>HTTP Status 403 - Access is denied</h1> 5 6 <c:choose> 7 <c:when test="${empty username}"> 8 <h2>You do not have permission to access this page!</h2> 9 </c:when> 10 <c:otherwise> 11 <h2> 12 Username : ${username} <br /> You do not have permission to access 13 this page! 14 </h2> 15 </c:otherwise> 16 </c:choose> 17 18 </body> 19 </html>
admin.jsp
1 <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> 2 <%@page session="true"%> 3 <html> 4 <body> 5 <h1>Title : ${title}</h1> 6 <h1>Message : ${message}</h1> 7 8 <c:url value="/j_spring_security_logout" var="logoutUrl" /> 9 <form action="${logoutUrl}" method="post" id="logoutForm"> 10 <input type="hidden" name="${_csrf.parameterName}" 11 value="${_csrf.token}" /> 12 </form> 13 <script> 14 function formSubmit() { 15 document.getElementById("logoutForm").submit(); 16 } 17 </script> 18 19 <c:if test="${pageContext.request.userPrincipal.name != null}"> 20 <h2> 21 Welcome : ${pageContext.request.userPrincipal.name} | <a 22 href="javascript:formSubmit()"> Logout</a> | <a href="welcome">welcome</a> 23 </h2> 24 </c:if> 25 26 </body> 27 </html>
因為在xml中已經配置了/admin開頭的請求url,必須具有ADMIN角色權限,所以admin.jsp端反而不用任何額外的判斷了
文章列表
全站熱搜
留言列表
