Spring Security: dynamically loading user, role and permission data to implement login and authentication

Many people find it difficult to implement login verification with Spring Security, and I felt the same when I first learned it. For a long time I did not understand how to make the controller I had written, which received the user name and password, work with Spring Security; that was a preconceived misunderstanding. Later I understood: you don't have to write it yourself.

You just need to tell Spring Security the user information, the role information and the permission information, which page is the login page, which page is shown after a successful login, and any other login-related settings. Spring Security implements the actual login verification logic for you.

1、 Fundamentals of dynamic data login verification

In the previous articles in this series, we introduced the formLogin authentication mode of Spring Security and the RBAC permission control model, and analyzed the source code of Spring Security's login authentication logic. All our user, role and permission information was written in the configuration file. In a real business system, however, this information is usually stored in the database tables of an RBAC permission model. Let's review the core concepts:

The above is a summary of some core basic knowledge. If you are not clear on these points, I suggest you read this article first. If you still have difficulty understanding after reading this article, I suggest you read the earlier articles in this series.

2、 UserDetails and UserDetailsService interfaces

Let's take a look at the methods of the UserDetails interface.

public interface UserDetails extends Serializable {
    // Get the user's collection of authorities
    Collection<? extends GrantedAuthority> getAuthorities();
    // Get the password
    String getPassword();
    // Get the user name
    String getUsername();
    // Whether the account has not expired
    boolean isAccountNonExpired();
    // Whether the account is not locked
    boolean isAccountNonLocked();
    // Whether the password has not expired
    boolean isCredentialsNonExpired();
    // Whether the account is enabled
    boolean isEnabled();
}

Now we understand that as long as we provide this information to Spring Security, Spring Security knows how to do login verification. We don't need to write our own controller to implement the login verification logic.

3、 Implement the UserDetails interface

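public class SysUser implements UserDetails {
    String password;                 // password
    String username;                 // user name
    boolean accountNonExpired;       // whether the account has not expired
    boolean accountNonLocked;        // whether the account is not locked
    boolean credentialsNonExpired;   // whether the credentials have not expired
    boolean enabled;                 // whether the account is enabled
    Collection<? extends GrantedAuthority> authorities; // the user's collection of authorities
    // Constructors omitted
    // set methods omitted
    // get methods omitted (these are the methods of the UserDetails interface)
}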

We just wrote a Java POJO class that fits UserDetails. Implementing the UserDetails interface amounts to providing a set of get methods. Spring Security calls the get methods; we supply the UserDetails data to Spring Security through the set methods or the constructor.

4、 Implement the UserDetailsService interface

@Component
public class MyUserDetailsService implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

        // Query the entity object from the sys_user database table here.
        // The loadUser method can be implemented with MyBatis, JDBC or JPA.
        SysUser sysUser = loadUser(username);
        // Check whether the user exists
        if (sysUser == null) { throw new UsernameNotFoundException("用户名不存在"); }
        // Load all of this user's role information and permission identifiers from the database.
        // Traverse all ROLE roles and all Authority permissions (menus, buttons).
        // Join their unique identifiers with commas; the exact process is left to you.
        sysUser.setAuthorities(AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_ADMIN,system:user:delete"));
        //sysUser.setAccountNonLocked(true or false);
        return sysUser;
    }
}
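One way to fill in the `loadUser` and authority-loading steps that the listing above leaves to the reader, as an added example that is not code from the original article: it uses Spring's `JdbcTemplate` with bound parameters and Spring Security's built-in `User` builder instead of `SysUser`. Apart from the `sys_user` table name, every table and column name here (`sys_role`, `sys_user_role`, `sys_permission`, `sys_role_permission`, `role_code`, `perm_code`, `locked` and so on) is hypothetical.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;

@Component
public class JdbcRbacUserDetailsService implements UserDetailsService {
    // Hypothetical RBAC schema: only the sys_user table name comes from the article.
    private static final String USER_SQL =
        "SELECT username, password, enabled, locked FROM sys_user WHERE username = ?";
    private static final String ROLE_SQL =
        "SELECT r.role_code FROM sys_role r JOIN sys_user_role ur ON ur.role_id = r.id "
      + "JOIN sys_user u ON u.id = ur.user_id WHERE u.username = ?";
    private static final String PERM_SQL =
        "SELECT DISTINCT p.perm_code FROM sys_permission p "
      + "JOIN sys_role_permission rp ON rp.permission_id = p.id "
      + "JOIN sys_user_role ur ON ur.role_id = rp.role_id "
      + "JOIN sys_user u ON u.id = ur.user_id WHERE u.username = ?";

    private final JdbcTemplate jdbc;
    public JdbcRbacUserDetailsService(JdbcTemplate jdbc) { this.jdbc = jdbc; }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // The username is always bound as a parameter, never concatenated into the SQL text.
        List<User.UserBuilder> found = jdbc.query(USER_SQL, (rs, i) ->
            User.withUsername(rs.getString("username"))
                .password(rs.getString("password")) // stored encoded hash, e.g. "{bcrypt}..."
                .disabled(!rs.getBoolean("enabled"))
                .accountLocked(rs.getBoolean("locked")), username);
        if (found.size() != 1) { // unknown user, or a non-unique username
            throw new UsernameNotFoundException("user not found");
        }
        Set<GrantedAuthority> authorities = new LinkedHashSet<>();
        for (String role : jdbc.queryForList(ROLE_SQL, String.class, username)) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role)); // prefix hasRole() expects
        }
        for (String perm : jdbc.queryForList(PERM_SQL, String.class, username)) {
            authorities.add(new SimpleGrantedAuthority(perm)); // e.g. system:user:delete
        }
        return found.get(0).authorities(authorities).build();
    }
}
```

Spring Security compares the submitted password against the stored value through the configured `PasswordEncoder`, so the `password` column should hold an encoded hash and never plaintext.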

5、 Final description

So far, we have informed Spring Security of all users, roles and permissions in the system through UserDetailsService and UserDetails. However, many readers may still not know how to implement the login function. In fact, the rest is very simple:

Then inform Spring Security of this information through configuration; the names in the configuration above can be changed freely. If you do not know how to configure it, please refer to the earlier article in this series on the formLogin authentication mode.
