title: "springmvc整合spring security启用配置文件登录验证"

layout: post

title: "springmvc整合spring security数据库进行验证"

date: 2020-12-04 18:26:43 +0800

tags: java

description:

之前介绍了security最快捷的一种登录方式，配置文件验证。将要登陆的用户、角色信息写在配置文件中，进行登录验证。但是在实际项目中，基本不会这么去使用，对于用户的认证信息是要从数据库中进行查找和验证。

这次要记录的就是通过自定义的用户查询逻辑，对用户进行认证

首先要将之前的security:authentication-manager配置进行修改

{% highlight xml %}

<security:authentication-manager id="demo">

<security:authentication-provider user-service-ref="userService">

<!-- 加密方式 -->

<security:password-encoder ref="passwordEncoder"></security:password-encoder>

</security:authentication-provider>

</security:authentication-manager>

<bean id="userService" class="com.bc.common.security.authc.CustomerUserDetailService"></bean>

<bean id="passwordEncoder" class="com.bc.common.security.password.MD5PasswordEncoder"></bean>

{% endhighlight %}

同时还需要对之前的http配置中增加登录的页面、请求url等。对于登录页面的编写，就不在说明了，就是正常的页面渲染而已

{% highlight xml %}

<security:http auto-config="true" authentication-manager-ref="demo">

<security:headers>

<!-- iframe保护 -->

<security:frame-options policy="SAMEORIGIN"></security:frame-options>

</security:headers>

<!-- 配置需要登录的url -->

<security:intercept-url pattern="/demo/**" access="hasAnyAuthority('ADMIN')" />

<!-- 配置自定义登录 -->

<!--

login-page 登录页url

login-processing-url 提交登录的访问url。

default-target-url 登录后访问页面

-->

<security:form-login

login-page="/backend/enter/login/index"

login-processing-url="/backend/enter/login/ajaxurl"

default-target-url="/demo/data/index"/>

<!-- csrf配置 -->

<security:csrf disabled="true"></security:csrf>

</security:http>

{% endhighlight %}

对于用户验证类，我们要实现security中的UserDetailsService接口中的loadUserByUsername函数。来获取用户的信息

{% highlight java %}

public class CustomerUserDetailService implements UserDetailsService {

@Autowired

private AdminMapper adminMapper;

@Override

public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

//自定义用户查询逻辑。通过用户名查询

QueryWrapper<AdminEntity> queryWrapper = new QueryWrapper<>();

queryWrapper.eq("username",username)

.eq("status",1);

AdminEntity adminEntity = adminMapper.selectOne(queryWrapper);

if(adminEntity == null){

throw new UsernameNotFoundException("用户名或密码错误！");

}

//存在请求用户名下的用户信息，赋予默认的权限。创建User对象时权限不能为空

List<GrantedAuthority> a = AuthorityUtils.commaSeparatedStringToAuthorityList("ADMIN");

//这里将用户名，密码，权限传入User中。security会自动把请求密码加密和用户中的密码进行比对

User user = new User(username,adminEntity.getPassword(),a);

return user;

}

}

{% endhighlight %}

密码验证类，实现PasswordEncoder接口中的encode（加密）、matches（比对）函数

{% highlight java %}

public class MD5PasswordEncoder implements PasswordEncoder {

@Override

public String encode(CharSequence charSequence) {

return Md5.encryp((String)charSequence);

}

@Override

public boolean matches(CharSequence charSequence, String s) {

return Md5.verify((String)charSequence,s);

}

}

{% endhighlight %}

上述工作做完之后，再次访问我们的/demo/data/index路径，发现自动跳转到我们自定义的登录页面中

输入数据库中的用户名和密码，成功进入到页面中

springmvc + spring security的登录整合就完成了，对比之前我们自己写的登录验证、跳转的逻辑，省去了大把的时间。降低了工作量和难度

layout: post

title: "spring boot项目练习（一）整合spring security登录"

date: 2020-12-26 17:26:35 +0800

tags: java

description:

最近看了好多spring boot的资料，也一直在学习，准备动手，自己写一个接口测试的系统来使用，正好也有这个需求。

自己会尽量的把开发过程中遇到的问题，或者一些东西记录下来，尽量不太监。。哈哈

对于用户登录，本来想使用之前用过的shiro，但是spring boot已经默认配置好了spring security。索性就直接使用security来管理用户

{% highlight java %}

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-security</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.security</groupId>

<artifactId>spring-security-test</artifactId>

<scope>test</scope>

</dependency>

{% endhighlight %}

控制器

{% highlight java %}

@Controller(value = "loginController")

@RequestMapping(value = "login")

public class LoginController extends BaseController {

@RequestMapping(value = "index")

public ModelAndView index(){

return result("login/index");

}

}

{% endhighlight %}

视图,这里是贴上了form表单和提交js事件,资源文件的引入之类的没有写入,防止无用的东西占用篇幅

{% highlight html %}

<html lang="en" xmlns:th="http://www.thymeleaf.org">

<head>

<title>SB Admin 2 - Login</title>

</head>

<body class="bg-gradient-primary">

<form class="user">

<div class="form-group">

<input type="text" class="form-control form-control-user" name="username" placeholder="用户名">

</div>

<div class="form-group">

<input type="password" class="form-control form-control-user" name="password" placeholder="密码">

</div>

<div class="form-group">

<div class="custom-control custom-checkbox small">

<input type="checkbox" class="custom-control-input" id="customCheck">

<label class="custom-control-label" for="customCheck">Remember Me</label>

</div>

</div>

<button type="button" id="submit" class="btn btn-primary btn-user btn-block">

Login

</button>

</form>

</body>

<script>

$(function () {

$("#submit").click(function () {

submitForm("/login/index",function (message) {

showSuccess(message);

},function (message) {

showWarning(message);

});

});

})

</script>

</html>

{% endhighlight %}

{% highlight java %}

public class UserService implements UserDetailsService {

@Autowired

private AdminMapper adminMapper;

@Override

public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {

//根据用户名查询信息

QueryWrapper<AdminEntity> sql = new QueryWrapper<>();

sql.eq("username",s);

AdminEntity adminEntity = adminMapper.selectOne(sql);

if(adminEntity == null){

throw new UsernameNotFoundException("用户名或密码错误！");

}

//用户验证通过，构建User对象，进行密码验证

//用户权限不能为空，先生成默认权限

List authz = AuthorityUtils.commaSeparatedStringToAuthorityList("admin");

User user = new User(adminEntity.getUsername(), adminEntity.getPassword(), authz);

return user;

}

}

{% endhighlight %}

{% highlight java %}

public class MD5Password implements PasswordEncoder {

@Override

public String encode(CharSequence charSequence) {

return MD5.encode(charSequence.toString());

}

@Override

public boolean matches(CharSequence charSequence, String s) {

return MD5.valid(charSequence.toString(),s);

}

}

{% endhighlight java %}

{% highlight java %}

//成功

public class SuccessHandler implements AuthenticationSuccessHandler {

@Override

public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {

R r = R.ok().message("登录成功！");

//转为jsonobject对象

JsonObject jsonObject = JsonUtil.toJsonObject(r);

//设置返回字符串和返回类型

httpServletResponse.setCharacterEncoding("utf-8");

httpServletResponse.setContentType("application/json;charset=utf-8");

//打印字符串

PrintWriter out = null;

out = httpServletResponse.getWriter();

out.write(jsonObject.toString());

out.close();

}

}

//失败

public class FailureHandler implements AuthenticationFailureHandler {

@Override

public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {

R r = R.error().code(200).message(用户名或密码错误！");

//转为jsonobject对象

JsonObject jsonObject = JsonUtil.toJsonObject(r);

//设置返回字符串和返回类型

httpServletResponse.setCharacterEncoding("utf-8");

httpServletResponse.setContentType("application/json;charset=utf-8");

//打印字符串

PrintWriter out = null;

out = httpServletResponse.getWriter();

out.write(jsonObject.toString());

out.close();

}

}

{% endhighlight %}

{% highlight java %}

public class CustomerConfiguration extends WebSecurityConfigurerAdapter {

@Override

protected void configure(HttpSecurity http) throws Exception {

http.formLogin()

//登录页面

.loginPage("/login/index")

//登录请求url,同页面中ajax请求url

.loginProcessingUrl("/login/index")

//设置自定义成功返回

.successHandler(new SuccessHandler())

//设置自定义失败返回

.failureHandler(new FailureHandler())

.permitAll();

http.authorizeRequests()

//不需要认证就能访问的url

.antMatchers("/login/**","/static/**")

.permitAll()

//其余url都需要经过认证

.anyRequest().authenticated();

//禁用csrf保护

http.csrf().disable();

}

/**

* 配置自定义加密类

* @return

*/

@Bean

public PasswordEncoder passwordEncoder(){

return new MD5Password();

}

}

{% endhighlight %}

配置完成后的使用效果

两次请求的结果都是由security中的自定义配置中返回