Spring Security 3 Basic Usage (Permissions Configured in a File)

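  1. Since the permissions are written in the configuration file, the database only needs three tables.

    1) t_user  user table

    2) t_role  role table

    3) t_user_role  user-role table

  2. The corresponding domain entities

    1) User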

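package cn.luxh.app.domain;

/**
 * User
 * @author Luxh
 */
public class User {

    private Integer id;
    private String account;
    private String password;

    @Override
    public int hashCode() {
        return account.hashCode();
    }

    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        // Reject null and foreign types instead of casting blindly
        if (!(obj instanceof User)) {
            return false;
        }
        User user = (User) obj;
        return this.account.equals(user.getAccount());
    }

    // getter setter
    // …
}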

    2) Role

package cn.luxh.app.domain;

/**
 * Role
 * @author Luxh
 */
public class Role {

    private Integer id;
    private String name;

    // getter setter
    // …
}

    3) User-Role

package cn.luxh.app.domain;

/**
 * User-role association
 * @author Luxh
 */
public class UserRole {

    private Integer id;
    private Integer userId;
    private Integer roleId;

    // getter setter
    // …
}

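  3. Configuration files

    Add the following to web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>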

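    When configuring the Spring listener, the Spring Security permission configuration file must of course be loaded as well:

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:applicationContext.xml,classpath:application-security.xml</param-value>
</context-param>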

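    The content of the permission configuration file is as follows:

xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans"

default-target-url: the page to redirect to after logging in from the login page.
always-use-default-target: true forces the redirect after a successful login.
authentication-failure-url: the page shown after authentication fails.
login-processing-url: the URL that processes the login request; if not set, the default is j_spring_security_check.
username-parameter, password-parameter: the request parameter names for the login username and password; defaults: j_username, j_password.

default-target-url="/user/home"
always-use-default-target="true"
authentication-success-handler-ref="successHandler"
authentication-failure-handler-ref

error-if-maximum-exceeded: a later login with the same account pushes out the first login.
session-fixation-protection: protects against forged session ID (session fixation) attacks. After the user logs in successfully, the user's current session is destroyed, a new session is created, and the user's information is copied into the new session.

session-fixation-protection
error-if-maximum-exceeded
class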
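    A minimal application-security.xml that uses the attributes described above, as an added example and not the original author's file. The URL patterns, the role name ROLE_ADMIN, the /login page, the bean id userDetailsService and the 3.1 schema version are assumptions; it also assumes annotation processing is enabled in applicationContext.xml so that the @Autowired mappers are injected.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: patterns, role names, /login and bean ids are assumptions. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http use-expressions="true">
        <!-- The login page must be reachable without authentication,
             otherwise the redirect to it loops. -->
        <intercept-url pattern="/login" access="permitAll"/>
        <!-- In Spring Security 3 hasRole() compares the string exactly, so
             'ROLE_ADMIN' must equal the t_role name loaded by the
             UserDetailsService. -->
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <!-- Deny-by-default: everything else requires a logged-in user. -->
        <intercept-url pattern="/**" access="isAuthenticated()"/>

        <form-login login-page="/login"
            login-processing-url="/j_spring_security_check"
            username-parameter="j_username"
            password-parameter="j_password"
            default-target-url="/user/home"
            always-use-default-target="true"
            authentication-failure-url="/login?error"/>

        <!-- migrateSession: new session on login, attributes copied over. -->
        <session-management session-fixation-protection="migrateSession">
            <!-- false: a second login succeeds and the older session is expired.
                 true: the second login is rejected while the first session lives.
                 Relies on HttpSessionEventPublisher being registered in web.xml. -->
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="false"/>
        </session-management>
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService"/>
    </authentication-manager>

    <beans:bean id="userDetailsService" class="cn.luxh.app.security.UserDetailsServiceImpl"/>
</beans:beans>
```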

  4. Classes used in the permission configuration file

    1) UserDetailsServiceImpl

package cn.luxh.app.security;

import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import cn.luxh.app.domain.Role;
import cn.luxh.app.domain.User;
import cn.luxh.app.persistence.RoleMapper;
import cn.luxh.app.persistence.UserMapper;

public class UserDetailsServiceImpl implements UserDetailsService {

    private static final Logger log = LoggerFactory.getLogger(UserDetailsServiceImpl.class);

    @Autowired
    private UserMapper userMapper;

    @Autowired
    private RoleMapper roleMapper;

    /**
     * @param account login account
     */
    public UserDetails loadUserByUsername(String account) throws UsernameNotFoundException {
        log.info("登录账号:" + account);
        org.springframework.security.core.userdetails.User userDetails = null;
        User user = userMapper.selectByAccount(account);

        // If the account or password is wrong, an exception can be thrown manually here
        // so that the AuthenticationFailureHandler handles it
        if (user == null) {
            // Unknown account: fail authentication instead of hitting a NullPointerException below
            throw new UsernameNotFoundException("Account not found");
        }

        Collection<GrantedAuthority> grantedAuthorities = getGrantedAuthorities(user);
        boolean enables = true;
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        boolean accountNonLocked = true;
        userDetails = new org.springframework.security.core.userdetails.User(
                user.getAccount(), user.getPassword(), enables, accountNonExpired,
                credentialsNonExpired, accountNonLocked, grantedAuthorities);
        return userDetails;
    }

    /**
     * Get the roles that the given user holds
     * @param user
     */
    private Set<GrantedAuthority> getGrantedAuthorities(User user) {
        Set<GrantedAuthority> grantedAuthorities = new HashSet<GrantedAuthority>();
        List<Role> roles = roleMapper.selectByUserId(user.getId());
        if (roles != null) {
            for (Role role : roles) {
                // The role name is used verbatim as the authority string
                grantedAuthorities.add(new SimpleGrantedAuthority(role.getName()));
            }
        }
        return grantedAuthorities;
    }
}

    UserMapper and RoleMapper are the interfaces I use to access the database with MyBatis.

    2) LoginAuthenticationSuccessHandler
