Spring Security是一个能够为基于Spring的企业应用系统提供声明式安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring的IoC(Inversion of Control,控制反转)、DI(Dependency Injection,依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制,减少了为企业系统安全控制编写大量重复代码的工作。
本章根据前面的Spring Security系列文章,实现一个基于角色的权限管理系统。
127.0.0.1 www.merryyou.cn
)
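// Reflect one provider's binding state in its button: bound -> offer "解绑" and
// highlight the icon; unbound -> offer "绑定" and clear the highlight.
// `provider` carries the response flag, the button selector and the icon selector.
var renderBindingState = function (provider) {
    if (provider.flag) {
        $(provider.button).attr("title", "解绑");
        $(provider.icon).addClass("social_title");
    } else {
        $(provider.button).attr("title", "绑定");
        $(provider.icon).removeClass("social_title");
    }
};

// Fetch the current social-account binding state and render it.
// The response shape { code: 0, data: { qq, weixin, weibo } } is inferred from
// the fields read below — confirm against the /connect handler.
$.ajax({
    url: "${re.contextPath}/connect",
    type: "get",
    async: true,
    dataType: "json",
    success: function (data) {
        if (data.code !== 0) {
            return;
        }
        // Read data.data defensively: a missing object leaves every provider in
        // the "bind" state instead of throwing inside the callback.
        var bindings = data.data || {};
        var providers = [
            { flag: bindings.qq, button: "#bindingQq", icon: ".fa-qq" },
            { flag: bindings.weixin, button: "#bindingWeixin", icon: ".fa-weixin" },
            { flag: bindings.weibo, button: "#bindingWeibo", icon: ".fa-weibo" }
        ];
        for (var i = 0; i < providers.length; i++) {
            renderBindingState(providers[i]);
        }
    },
    error: function (XMLHttpRequest, textStatus, errorThrown) {
        alert(XMLHttpRequest.status);
        alert(XMLHttpRequest.readyState);
        alert(textStatus); // e.g. "parsererror" when the body is not JSON
    }
});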
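// Load the role identified by data.id and populate the edit form, ticking the
// menu-tree nodes that belong to it. `mini`, `tree`, `form` and `data` are
// page-level objects defined elsewhere; data.id is assumed to be a numeric
// role id coming from the grid selection — confirm before relying on it.
$.ajax({
    url: "${re.contextPath}/role/" + data.id,
    cache: false,
    success: function (text) {
        var role = mini.decode(text);
        // A role without menus may omit menuIds; treat that as "nothing checked"
        // rather than failing on indexOf of undefined.
        var menuIds = role.menuIds || [];
        var nodes = tree.getAllChildNodes(tree.getRootNode());
        for (var i = 0; i < nodes.length; i++) {
            var node = nodes[i];
            if (menuIds.indexOf(node.id) >= 0) {
                tree.checkNode(node);
            } else {
                tree.uncheckNode(node);
            }
        }
        form.setData(role);
        form.setChanged(false);
    }
});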
@Override
public List<MenuDto> getMenusList() {
    // Project every persisted menu onto its transport object.
    return repository.findAll().stream()
            .map(menu -> new MenuDto(menu.getId(), menu.getPId(), menu.getName(), menu.getUrl()))
            .collect(Collectors.toList());
}

@Override
public Set<String> getUrlByname(String username) {
    // Distinct menu URLs reachable through every role held by the user.
    // NOTE(review): findByUsername(...) is dereferenced directly, so an unknown
    // username surfaces as a NullPointerException rather than an empty set —
    // confirm callers guarantee the user exists.
    return userRepository.findByUsername(username)
            .getRoles()
            .stream()
            .flatMap(role -> role.getMenus().stream())
            .map(SysMenu::getUrl)
            .collect(Collectors.toSet());
}
/**
 * Wires the HTTP security rules for the application.
 *
 * <p>Each configurer is attached in its own statement; {@code HttpSecurity}
 * hands back the same configurer instance on repeated calls, so this is
 * equivalent to one long fluent chain but easier to read and review.
 *
 * @param http the {@code HttpSecurity} builder supplied by Spring Security
 * @throws Exception propagated from the individual configurers
 */
protected void configure(HttpSecurity http) throws Exception {
    // X-Frame-Options is switched off for every response, presumably because
    // pages are rendered inside frames — confirm, and keep it as narrow as possible.
    http.headers().frameOptions().disable();

    // Form login instead of the default HTTP Basic; the success/failure
    // handlers answer with JSON.
    http.formLogin()
            .loginPage(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL)
            .loginProcessingUrl(SecurityConstants.DEFAULT_SIGN_IN_PROCESSING_URL_FORM)
            .successHandler(merryyouLoginSuccessHandler)
            .failureHandler(merryyouAuthenticationfailureHandler);

    // Additional authentication mechanisms: captcha check, SMS code, social login.
    http.apply(validateCodeSecurityConfig);
    http.apply(smsCodeAuthenticationSecurityConfig);
    http.apply(merryyouSpringSocialConfigurer);

    // Persistent remember-me tokens.
    http.rememberMe()
            .tokenRepository(persistentTokenRepository())
            .tokenValiditySeconds(securityProperties.getRememberMeSeconds())
            .userDetailsService(userDetailsService);

    // Session handling: invalid-session redirect and concurrent-session limits
    // (maximum sessions and whether a new login is refused or evicts the old one).
    http.sessionManagement()
            .invalidSessionUrl("/session/invalid")
            .maximumSessions(securityProperties.getSession().getMaximumSessions())
            .maxSessionsPreventsLogin(securityProperties.getSession().isMaxSessionsPreventsLogin())
            .expiredSessionStrategy(sessionInformationExpiredStrategy);

    // Logout: custom URL instead of the default /logout, redirect to "/", drop the session cookie.
    http.logout()
            .logoutUrl("/signOut")
            .logoutSuccessUrl("/")
            .deleteCookies("JSESSIONID");

    // Public endpoints: login and registration pages and their processing URLs,
    // the social-registration/binding page and its helpers, static assets and
    // the captcha endpoint.
    http.authorizeRequests()
            .antMatchers(
                    SecurityConstants.DEFAULT_UNAUTHENTICATION_URL,
                    SecurityConstants.DEFAULT_SIGN_IN_PROCESSING_URL_FORM,
                    SecurityConstants.DEFAULT_REGISTER_URL,
                    SecurityConstants.DEFAULT_SIGN_IN_PROCESSING_URL_MOBILE,
                    SecurityConstants.DEFAULT_SIGN_IN_URL_MOBILE_PAGE,
                    "/register",
                    "/socialRegister",
                    "/user/register",
                    "/social/info",
                    "/session/invalid",
                    "/**/*.js", "/**/*.css", "/**/*.jpg", "/**/*.png", "/**/*.woff2",
                    "/code/*")
            .permitAll();

    // NOTE(review): CSRF protection is disabled for every route, so the
    // state-changing POST handlers rely solely on the session cookie — confirm
    // this is intended rather than scoping the exemption to the JSON endpoints.
    http.csrf().disable();

    // Authorization rules for the remaining URLs are contributed by the security module.
    authorizeConfigProvider.config(http.authorizeRequests());
}
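/**
 * Creates or updates a user from the submitted payload.
 *
 * <p>Guarded by {@code @PreAuthorize}: the caller needs {@code user:select} or
 * {@code user:update}. NOTE(review): {@code user:select} reads as a read-only
 * permission yet also grants this write — confirm that is intended.
 *
 * @param data the user payload as sent by the client; its format is interpreted
 *             by {@code sysUserService.save}
 * @return the service result, serialised to the response body
 */
@PreAuthorize("hasAnyAuthority('user:select','user:update')")
@PostMapping(value = "/user/saveUser")
@ResponseBody
public Result saveUser(@RequestParam String data) {
    // Do not echo the raw payload into the log: it is untrusted client input and,
    // for a user record, may carry credentials or other personal data. Logging
    // only its size at DEBUG keeps the request traceable without that exposure.
    log.debug("saveUser request received, payload length={}", data == null ? 0 : data.length());
    return sysUserService.save(data);
}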
<td style="width:100%;">
    <#-- Each button is rendered only for users holding the matching authority.
         This is UI gating only; the server-side authorization on the handlers is the actual control. -->
    <@sec.authorize access="hasAuthority('role:add')">
        <a class="mini-button" iconCls="icon-add" onclick="add()">增加</a>
    </@sec.authorize>
    <@sec.authorize access="hasAuthority('role:update')">
        <a class="mini-button" iconCls="icon-add" onclick="edit()">编辑</a>
    </@sec.authorize>
    <@sec.authorize access="hasAuthority('role:del')">
        <a class="mini-button" iconCls="icon-remove" onclick="remove()">删除</a>
    </@sec.authorize>
</td>
127.0.0.1 www.merryyou.cn
微信 appid
已过期