Spring Security 的配置文件为 spring-security.xml,Spring MVC 的核心配置文件为 springmvc.xml。
其原理是:在 web.xml 中配置监听器(ContextLoaderListener)或 DispatcherServlet 控制器,由它们创建容器、加载配置文件并创建对象。
在层级上,Spring 容器为父容器,Spring MVC 容器为子容器。尤其需要注意的是,子容器可以调用父容器创建的对象,
但父容器无法调用子容器创建的对象。
关系如下:
所以,实际上我们也可以不使用监听器,直接由 Spring MVC 容器(DispatcherServlet)加载 Spring Security 的配置文件并创建其中的对象:
spring-security.xml 配置:
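<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Spring Security configuration for the shop web application.
         The author's "//" annotations are written as XML comments here: as bare
         text inside the elements they would not validate against the schemas. -->

    <!-- The following pages and static resources are not intercepted.
         "/**" matches every resource below the given directory.
         security="none" gives these requests an empty filter chain, so the
         <headers> settings declared further down do not apply to them. -->
    <http pattern="/shoplogin.html" security="none"></http>
    <http pattern="/shoplogin_error.html" security="none"></http>
    <http pattern="/register.html" security="none"></http>
    <http pattern="/css/**" security="none"></http>
    <http pattern="/img/**" security="none"></http>
    <http pattern="/js/**" security="none"></http>
    <http pattern="/plugins/**" security="none"></http>

    <!-- Page interception rules -->
    <http use-expressions="false">
        <!-- Every other URL requires a logged-in user who holds ROLE_ADMIN.
             Role names must start with the upper-case prefix ROLE_. -->
        <intercept-url pattern="/**" access="ROLE_ADMIN"/>

        <!-- login-page: the login page
             default-target-url: page shown after a successful login
             authentication-failure-url: page shown after a failed login
             always-use-default-target: whether every successful login goes to default-target-url -->
        <form-login login-page="/shoplogin.html"
                    default-target-url="/admin/index.html"
                    authentication-failure-url="/shoplogin_error.html"
                    always-use-default-target="true"/>
        <logout logout-success-url="/shoplogin.html"></logout>

        <!-- Cross-site request forgery (CSRF) protection is switched off.
             NOTE(review): with it disabled, state-changing requests sent from a
             logged-in browser session are not checked for a CSRF token. Presumably
             it is off because the static HTML pages cannot render a token; confirm
             before production use, and prefer keeping it enabled with the pages
             supplying the token. -->
        <csrf disabled="true"/>

        <!-- iframe policy (one page nested inside another): only same-origin framing is allowed. -->
        <headers>
            <frame-options policy="SAMEORIGIN"/>
        </headers>
    </http>

    <!-- Custom authentication class: registers the custom UserDetailsService implementation. -->
    <beans:bean id="userdetailsService" class="com.pyg.shop.user.UserdetailsServiceImp">
        <!--<beans:property name="sellerService" ref="sellerService"></beans:property>-->
    </beans:bean>

    <!-- Passwords are BCrypt-hashed when the account is created, so the same
         encoder is registered here to verify them at login. -->
    <beans:bean id="bCryptPasswordEncoder"
                class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <!-- Authentication manager -->
    <authentication-manager>
        <!-- Use the custom user details service. -->
        <authentication-provider user-service-ref="userdetailsService">
            <!-- Use the BCrypt encoder. -->
            <password-encoder ref="bCryptPasswordEncoder"/>
            <!-- Earlier in-memory variant with fixed plain-text sample accounts,
                 kept for reference only; the service above replaces it. -->
            <!--<user-service>
                <user name="admin" password="123456" authorities="ROLE_ADMIN"/>
                <user name="sunwukong" password="dasheng" authorities="ROLE_ADMIN"/>
            </user-service>-->
        </authentication-provider>
    </authentication-manager>
</beans:beans>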
springmvc.xml
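<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://code.alibabatech.com/schema/dubbo http://code.alibabatech.com/schema/dubbo/dubbo.xsd">

    <!-- Spring MVC core configuration. The author's "//" annotation is written
         as an XML comment here: as bare text inside <beans> it would not
         validate against the schema. -->

    <!-- Load the external properties file. -->
    <context:property-placeholder location="classpath:config/application.properties"/>

    <!-- JSON message conversion through fastjson.
         NOTE(review): an HTTP message converter also parses incoming JSON request
         bodies, so the fastjson version in use should be kept current. -->
    <mvc:annotation-driven>
        <mvc:message-converters>
            <bean class="com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter">
                <property name="supportedMediaTypes" value="application/json"/>
                <property name="features">
                    <array>
                        <value>WriteMapNullValue</value>
                        <value>WriteDateUseDateFormat</value>
                    </array>
                </property>
            </bean>
        </mvc:message-converters>
    </mvc:annotation-driven>

    <!-- Dubbo service consumer configuration -->
    <dubbo:application name="pyg-shop-web"/>
    <dubbo:registry address="zookeeper://192.168.25.61:2181"/>

    <!-- The scan package is widened to com.pyg.shop so that it also covers the
         newly added UserdetailsServiceImp (package com.pyg.shop.user), whose
         SellerService field is annotated with @Reference. -->
    <dubbo:annotation package="com.pyg.shop"/>

    <mvc:default-servlet-handler/>
</beans>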
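由于使用的是自定义账号对象,所以要从数据库中查找账号对象。注意:按照 UserDetailsService 接口的约定,loadUserByUsername 在找不到用户时应抛出 UsernameNotFoundException,而不应像下面的代码那样返回 null:
package com.pyg.shop.user;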
import com.alibaba.dubbo.config.annotation.Reference; import com.pyg.pojo.TbSeller; import com.pyg.sellergoods.service.SellerService; import com.sun.org.apache.xerces.internal.impl.xs.util.StringListImpl; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import java.util.ArrayList; import java.util.Collection; import java.util.List; public class UserdetailsServiceImp implements UserDetailsService {
//远程注入sellerService @Reference private SellerService sellerService; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//调用sellerService的findOne方法根据用户id查找对象 TbSeller seller = sellerService.findOne(username);
//判断用户是否为空 if (null == seller) { return null; } else {
UserDetails
web.xml配置为:
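<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

    <!-- Deployment descriptor. The author's "//" annotations are written as XML
         comments here: as bare text inside the elements they would not validate
         against the web-app schema. -->

    <!-- Fix garbled characters in POST request bodies. -->
    <filter>
        <filter-name>CharacterEncodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>utf-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CharacterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>springmvc</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <!-- Configuration files to load, passed through contextConfigLocation. -->
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <!-- Load every .xml file under classpath spring/ so that the
                 DispatcherServlet also loads spring-security.xml. -->
            <param-value>classpath:spring/*.xml</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>springmvc</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- Routes every request through the Spring Security filter chain bean.
         NOTE(review): no root context is registered below, so DelegatingFilterProxy
         has to locate the springSecurityFilterChain bean in the DispatcherServlet's
         own context; verify that lookup on the Spring version in use. The servlet
         declares no <load-on-startup>, so an invalid security configuration would
         surface on the first request rather than at deployment. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- ContextLoaderListener is intentionally not registered, so that
         spring-security.xml is loaded by the DispatcherServlet instead. -->
    <!--
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring/spring-security.xml</param-value>
    </context-param>
    -->
</web-app>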