javassmsession_基于session的认证授权方式SSM

基于session的认证授权方式-SSM

具体流程&＃xff1a;当用户登陆成功后&＃xff0c;会在服务端将用户的相关信息保存到session中&＃xff0c;而将发给客户端的session_id保存到COOKIE中&＃xff0c;这样下次请求时带上session_id来校验服务端是否存在session数据&＃xff0c;如果存在就校验通过&＃xff0c;如果不存在就校验失败。当用户退出登录或session数据过期&＃xff0c;就需要重新登录。

本案例工程使用maven进行构建&＃xff0c;使用SpringMVC、Servlet3.0实现。

导入spring-webmvc&＃xff0c;javax.servlet-api依赖

war

UTF-8

1.8

1.8

org.springframework

spring-webmvc

5.1.5.RELEASE

javax.servlet

javax.servlet-api

3.0.1

provided

org.apache.tomcat.maven

tomcat7-maven-plugin

2.2

localhost

8080

/

UTF-8

定义spring容器配置类

//spring容器配置 相当于applicationContext.xml

&＃64;Configuration

//组件扫描springmvc包 排除controller包

&＃64;ComponentScan(basePackages &＃61; "com.gyf.security.springmvc"

,excludeFilters &＃61; {&＃64;ComponentScan.Filter(type &＃61; FilterType.ANNOTATION,value &＃61; Controller.class)})

public class ApplicationConfig {

//将配置文件中的配置拿到类中来配置

//配置除了Controller的其他bean&＃xff0c;如数据库连接池&＃xff0c;事务管理器&＃xff0c;业务bean等

}

定义springmvc配置类

//servletContext配置 /相当于springvc.xml文件

//该类实现WebMvcConfigurer接口进行配置

//组件扫描springmvc包&＃xff0c;包含Controller包

&＃64;Configuration

&＃64;EnableWebMvc

&＃64;ComponentScan(basePackages &＃61; "com.gyf.security.springmvc"

,includeFilters &＃61; &＃64;ComponentScan.Filter(type &＃61; FilterType.ANNOTATION,value &＃61; Controller.class))

public class WebConfig implements WebMvcConfigurer {

//视图解析器

&＃64;Bean

public InternalResourceViewResolver viewResolver(){

InternalResourceViewResolver internalResourceViewResolver &＃61; new InternalResourceViewResolver();

internalResourceViewResolver.setPrefix("/WEB-INF/view/");

internalResourceViewResolver.setSuffix(".jsp");

return internalResourceViewResolver;

}

//添加视图控制器

&＃64;Override

public void addViewControllers(ViewControllerRegistry registry) {

registry.addViewController("/").setViewName("login");

}

&＃64;Autowired

private SimpleAuthenticationInterceptor simpleAuthenticationInterceptor;

//添加拦截器

&＃64;Override

public void addInterceptors(InterceptorRegistry registry) {

//对指定的url进行拦截

registry.addInterceptor(simpleAuthenticationInterceptor).addPathPatterns("/r/**");

}

}

手动加载spring配置文件

//手动加载spring配置类

//该类继承AbstractAnnotationConfigDispatcherServletInitializer&＃xff0c;此类实现WebApplicationInitializer接口&＃xff0c;Spring容器启动时加载WebApplicationInitializer接口的所有实现类

public class SpringApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

//加载spring容器 加载ApplicationContext.xml

&＃64;Override

protected Class>[] getRootConfigClasses() {

return new Class[]{ApplicationConfig.class};

}

//servletContext 加载springmvc.xml

&＃64;Override

protected Class>[] getServletConfigClasses() {

return new Class[]{WebConfig.class};

}

//url-mapping

&＃64;Override

protected String[] getServletMappings() {

return new String[]{"/"};

}

}

自定义认证页面 lgoin.jsp

用户名:

密   码:

创建两个实体类 UserDto,AuthenticationRequest并添加get、set方法&＃xff0c;构造方法

//用户表

public class AuthenticationRequest {

//用户名

private String username;

//密码

private String password;

}

//用户具体信息表

public class UserDto {

public static final String SESSION_USER_KEY &＃61;"_user";

//用户身份信息

private String id;

private String username;

private String password;

private String fullname;

private String mobile;

/**

* 用户的权限

*/

private Set authorities;

}

业务层Service 自定义认证服务用于用户的身份认证

public interface AuthenticationService {

//用户认证

UserDto authentication(AuthenticationRequest request);

}

&＃64;Service

public class AuthenticationServiceImpl implements AuthenticationService {

/**

* 用户认证

* &＃64;param request

* &＃64;return

*/

&＃64;Override

public UserDto authentication(AuthenticationRequest request) {

//校验参数是否为空

if (request&＃61;&＃61;null || StringUtils.isEmpty(request.getUsername()) || StringUtils.isEmpty(request.getPassword())){

throw new RuntimeException("账号或密码为空");

}

//根据用户和密码去查询数据库 模拟数据库

UserDto userDto &＃61; this.getUserDto(request.getUsername());

//判断用户是否为空

if (userDto&＃61;&＃61;null){

throw new RuntimeException("查询不到该用户");

}

//校验密码

if (!request.getPassword().equals(userDto.getPassword())){

throw new RuntimeException("密码错误");

}

//认证通过 返回用户的身份信息

return userDto;

}

//用户信息 假装到数据库获取数据

private Map map &＃61; new HashMap<>();

//代码块

{

Set authorities1 &＃61; new HashSet<>();

authorities1.add("p1");

Set authorities2 &＃61; new HashSet<>();

authorities2.add("p2");

map.put("zhangsan",new UserDto("1010","zhangsan","123456","张三","123456",authorities1));

map.put("lisi",new UserDto("1001","lisi","123","李四","789456",authorities2));

}

//根据账号查询用户信息

private UserDto getUserDto(String username){

UserDto userDto &＃61; map.get(username);

return userDto;

}

}

表现层Controller 仅测试用

//&＃64;Controller&＃43;&＃64;ResponseBody

&＃64;RestController

public class LoginController {

&＃64;Autowired

private AuthenticationService authenticationService;

//produces 存文本类型

&＃64;RequestMapping(value &＃61; "/login",produces &＃61; "text/plain;charset&＃61;utf-8")

public String login(AuthenticationRequest request, HttpSession httpSession){

UserDto userDto &＃61; authenticationService.authentication(request);

//将用户信息存入session

httpSession.setAttribute(UserDto.SESSION_USER_KEY,userDto);

return userDto.getUsername()&＃43;"登陆成功";

}

/**

* 删除session中的数据

* &＃64;param session

* &＃64;return

*/

&＃64;GetMapping(value &＃61; "/logout",produces &＃61; "text/plain;charset&＃61;utf-8")

public String logout(HttpSession session){

//删除session中的数据

session.invalidate();

return "退出成功";

}

/**

* 判断session中是否有数据

* &＃64;param session

* &＃64;return

*/

&＃64;GetMapping(value &＃61; "/r/r1",produces &＃61; "text/plain;charset&＃61;utf-8")

public String r1(HttpSession session){

String fullname &＃61; null;

//到session中获取数据

Object attribute &＃61; session.getAttribute(UserDto.SESSION_USER_KEY);

if (attribute&＃61;&＃61;null){

fullname&＃61;"匿名";

}else {

fullname&＃61;((UserDto)attribute).getFullname();

}

return fullname&＃43;"访问r1";

}

&＃64;GetMapping(value &＃61; "/r/r2",produces &＃61; "text/plain;charset&＃61;utf-8")

public String r2(HttpSession session){

String fullname &＃61; null;

//到session中获取数据

Object attribute &＃61; session.getAttribute(UserDto.SESSION_USER_KEY);

if (attribute&＃61;&＃61;null){

fullname&＃61;"匿名";

}else {

fullname&＃61;((UserDto)attribute).getFullname();

}

return fullname&＃43;"访问r2";

}

}

自定义拦截器 用于用户的授权

//spring中的组件

&＃64;Component

//实现 HandlerInterceptor接口

public class SimpleAuthenticationInterceptor implements HandlerInterceptor {

//校验用户请求的url是否在用户的权限范围内

//preHandle方法是在调用方法之前来调用这个方法

&＃64;Override

public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

/**

* 校验用户请求的url是否有权限访问

*/

//获取session中的用户信息

Object attribute &＃61; request.getSession().getAttribute(UserDto.SESSION_USER_KEY);

//校验是否登录

if (attribute&＃61;&＃61;null){//代表session没有信息 提示登录

writContext(response,"请登录");

return false;

}

UserDto userDto &＃61; (UserDto) attribute;

//获取请求url

String requestURI &＃61; request.getRequestURI();

if (userDto.getAuthorities().contains("p1")&&requestURI.contains("r/r1")){

return true;

}

if (userDto.getAuthorities().contains("p2")&&requestURI.contains("r/r2")){

return true;

}

writContext(response,"没有权限访问");

return false;

}

//响应信息给前端

private void writContext(HttpServletResponse response, String msg) throws IOException {

//谁知响应格式

response.setContentType("text/application;charset&＃61;utf-8");

PrintWriter writer &＃61; response.getWriter();

//向前端返回数据

writer.print(msg);

writer.close();

}

}