springsecurity第四章——使用数据库的spring security后台认证
package service;import java.util.HashSet;import java.util.Set;import javax.annotation.Resource;import model.Users;import org.springframework.security.core.GrantedAuthority;import org.springframework.security.core.authority.SimpleGrantedAuthority;import org.springframework.security.core.userdetails.User;import org.springframework.security.core.userdetails.UserDetails;import org.springframework.security.core.userdetails.UserDetailsService;import org.springframework.security.core.userdetails.UsernameNotFoundException;import org.springframework.stereotype.Service;import org.springframework.transaction.annotation.Transactional;import dao.BaseCollectionDao;@Service("hibernateUserDetailsService")public class HibernateUserDetailsService implements UserDetailsService {private BaseCollectionDao baseCollectionDao;@Resource(name="baseCollectionDao")public void setBaseCollectionDao(BaseCollectionDao baseCollectionDao){this.baseCollectionDao = baseCollectionDao;}@Transactionalpublic UserDetails loadUserByUsername(String username)throws UsernameNotFoundException{Users users = baseCollectionDao.findUniqueByProperty(Users.class, "username", username);if(users == null) throw new UsernameNotFoundException("用户" + username + " 不存在!!!");String[] roles = users.getRoles().split(",");Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();for(String role : roles){authorities.add(new SimpleGrantedAuthority(role));}return new User(users.getUsername(), users.getPassword(), authorities);}}
?
?从上面的代码可以看到,User是从数据库查找出来的,而基于内存的操作,用户及其用户信息都是放到Map中的。为了方便对比,把InMemoryDaoImpl的实现方法也贴出来:
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { return userMap.getUser(username); }
?
从上面两段代码的对比就可以看出,基于内存操作和基于数据库操作的根本区别。
?
接下来,定义好了UserDetailService,那么就应用到security框架中,在之前的篇章中已经说过了怎么配置,这里就简单贴出代码就行了:
<authentication-manager alias="authenticationManager"> <authentication-provider user-service-ref="hibernateUserDetailsService"> </authentication-provider> </authentication-manager>
?
因为dao层的操作每个人都不同,而这个问题并不重要,最主要的是把UserDetailService的loadUserByUsername的方法用基于数据库查询的方式实现。所以这里就不关注dao层的实现了。其实这里的变化就是把InMemoryDaoImpl类,换成了HibernateUserDetailService。
?
下面贴出本人的从service层到dao层的实现(security登录不需要controller层),以及配置文件(仅供参考):
hibernateUserDetailService:
package service;import java.util.HashSet;import java.util.Set;import javax.annotation.Resource;import model.Users;import org.springframework.security.core.GrantedAuthority;import org.springframework.security.core.authority.SimpleGrantedAuthority;import org.springframework.security.core.userdetails.User;import org.springframework.security.core.userdetails.UserDetails;import org.springframework.security.core.userdetails.UserDetailsService;import org.springframework.security.core.userdetails.UsernameNotFoundException;import org.springframework.stereotype.Service;import org.springframework.transaction.annotation.Transactional;import dao.BaseCollectionDao;@Service("hibernateUserDetailsService")public class HibernateUserDetailsService implements UserDetailsService {private BaseCollectionDao baseCollectionDao;@Resource(name="baseCollectionDao")public void setBaseCollectionDao(BaseCollectionDao baseCollectionDao){this.baseCollectionDao = baseCollectionDao;}@Transactionalpublic UserDetails loadUserByUsername(String username)throws UsernameNotFoundException{Users users = baseCollectionDao.findUniqueByProperty(Users.class, "username", username);if(users == null) throw new UsernameNotFoundException("用户" + username + " 不存在!!!");String[] roles = users.getRoles().split(",");Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();for(String role : roles){authorities.add(new SimpleGrantedAuthority(role));}return new User(users.getUsername(), users.getPassword(), authorities);}}
?
dao层:
public <T> T findUniqueByProperty(Class<T> entityClass,final String propertyName,final Object value) {Session session = sessionFactory.getCurrentSession();Criteria criteria = session.createCriteria(entityClass) .add( Restrictions.eq(propertyName, value) ); //增加属性相等约束 return (T) criteria.uniqueResult();}
?
model层:
package model;import javax.persistence.Entity;import javax.persistence.GeneratedValue;import javax.persistence.GenerationType;import javax.persistence.Id;import javax.persistence.Table;@Entity@Table(name="users")public class Users { private int id;private String username;private String password;private String roles;@Id@GeneratedValue(strategy=GenerationType.AUTO)public int getId() {return id;}public void setId(int id) {this.id = id;}public String getUsername() {return username;}public void setUsername(String username) {this.username = username;}public String getPassword() {return password;}public void setPassword(String password) {this.password = password;}public String getRoles() {return roles;}public void setRoles(String roles) {this.roles = roles;}}
?
security配置文件:
<?xml version="1.0" encoding="UTF-8"?><beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <!-- 自上而下读取配置文件 --> <!-- 登录页面不过滤 --> <http pattern="/login.jsp*" security="none"/> <http pattern="/logoutsuccess.jsp" security="none" /> <http auto-config="true" use-expressions="true" > <form-login login-page="/login.jsp" always-use-default-target="true" default-target-url="/home.jsp"/> <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/> <logout invalidate-session="true" logout-success-url="/logoutsuccess.jsp" logout-url="/logout"/> </http> <authentication-manager alias="authenticationManager"> <authentication-provider user-service-ref="hibernateUserDetailsService"> </authentication-provider> </authentication-manager> </beans:beans>
?
数据库配置文件:
<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd"><!-- c3p0 dataSource --><bean id="dataSource" value="com.mysql.jdbc.Driver" /><!-- database url --><property name="jdbcUrl" value="jdbc:mysql://localhost/security" /><!-- database username --><property name="user" value="root" /><!-- database password --><property name="password" value="root" /><!-- 连接关闭时默认将所有未提交的操作回滚。默认为false --><property name="autoCommitOnClose" value="false" /><!-- 连接池中保留的最小连接数 --><property name="minPoolSize" value="5" /><!-- 连接池中保留的最大连接数。默认为15 --><property name="maxPoolSize" value="15" /><!-- 初始化时获取的连接数,取值应在minPoolSize与maxPoolSize之间。默认为3 --><property name="initialPoolSize" value="5" /><!-- 最大空闲时间,超过空闲时间的连接将被丢弃。为0或负数则永不丢弃。默认为0秒 --><property name="maxIdleTime" value="0" /><!-- 当连接池中的连接用完时,C3P0一次性创建新连接的数目。默认为3 --><property name="acquireIncrement" value="3" /><!-- 定义在从数据库获取新连接失败后重复尝试获取的次数,默认为30 --><property name="acquireRetryAttempts" value="30" /><!-- 当连接池用完时客户端调用getConnection()后等待获取新连接的时间,超时后将抛出SQLException,如设为0则无限期等待。单位毫秒,默认为0 --><property name="checkoutTimeout" value="0" /></bean> <!-- sessionFactory --> <bean id="sessionFactory" ref="dataSource"/> <property name="hibernateProperties"> <value> hibernate.dialect=org.hibernate.dialect.MySQL5Dialect <!-- cureentSesssion --> hibernate.current_session_context_class=org.springframework.orm.hibernate4.SpringSessionContext <!-- Second-level caching hibernate.cache.region.factory_class=org.hibernate.cache.EhCacheRegionFactory net.sf.ehcache.configurationResourceName=/ehcache.xml hibernate.cache.use_second_level_cache=true hibernate.cache.use_query_cache=true --> <!-- sql --> hibernate.show_sql=true hibernate.format_sql=true hibernate.hbm2ddl.auto=update </value> </property> <property name="packagesToScan"><value>model</value></property> </bean> <!-- 事务管理 --> <bean id="transactionManager" ref="sessionFactory"/> </bean><tx:annotation-driven transaction-manager="transactionManager"/><!-- dao --><context:component-scan base-package="dao.impl"></context:component-scan> </beans>
?
springMvc的配置:
<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd"><mvc:annotation-driven/><context:component-scan base-package="controller"/> <bean value="org.springframework.web.servlet.view.JstlView"/> <property name="prefix" value="/"/> <property name="suffix" value=".jsp"/></bean> </beans>
?
上面就是本人的实现代码,由于使用的框架的不同,所以在配置方面会有所不同,仅供参考。
?