最近学习《Spring 实战》学习到了SpringSecurity,觉得书本上的例子过于复杂,而且不喜欢它基于java配置,更喜欢用xml文件进行配置
于是在极客学院网上学习,感觉挺不错的,由浅入深,推荐,附上网址:http://wiki.jikexueyuan.com/project/spring-security/first-experience.html
我的例子是看上面了,自己在进行了简单的配置。
我的项目是基于maven的,所以添加依赖成为了关键
spring security需要spring-security-config,spring-security-web即可,肯能是例子过于简单,并没有用到spring security的另外两个常用jar包spring-security-taglibs和spring-security-core
另外,还需要加入commons-logging,这是spring需要的jar包,否则将会报错:错误如下
At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
具体的pom.xml文件如下:
1 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 2 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> 3 <modelVersion>4.0.0</modelVersion> 4 <groupId>SpringSecurity</groupId> 5 <artifactId>SpringSecurity</artifactId> 6 <packaging>war</packaging> 7 <version>1.0-SNAPSHOT</version> 8 <name>SpringSecurity Maven Webapp</name> 9 <url>http://maven.apache.org</url> 10 11 <!--classpath--> 12 <build> 13 <resources> 14 <resource> 15 <directory>src/main/java</directory> 16 </resource> 17 <resource> 18 <directory>src/main/resources</directory> 19 <includes> 20 <include>**/*.xml</include> 21 <include>**/*.properties</include> 22 </includes> 23 </resource> 24 </resources> 25 </build> 26 27 <dependencies> 28 29 <dependency> 30 <groupId>org.springframework.security</groupId> 31 <artifactId>spring-security-web</artifactId> 32 <version>3.1.0.RELEASE</version> 33 </dependency> 34 35 <dependency> 36 <groupId>org.springframework.security</groupId> 37 <artifactId>spring-security-config</artifactId> 38 <version>3.1.0.RELEASE</version> 39 </dependency> 40 41 42 <dependency> 43 <groupId>commons-logging</groupId> 44 <artifactId>commons-logging</artifactId> 45 <version>1.1.1</version> 46 </dependency> 47 48 <dependency> 49 <groupId>javax.servlet</groupId> 50 <artifactId>servlet-api</artifactId> 51 <version>2.5</version> 52 </dependency> 53 54 <dependency> 55 <groupId>junit</groupId> 56 <artifactId>junit</artifactId> 57 <version>4.12</version> 58 <scope>test</scope> 59 </dependency> 60 61 62 </dependencies> 63 64 </project>
更重要的还有spring security的配置文件和web.xml
先讲web.xml
spring配置文件需要加载spring security的配置文件,一般是在web.xml中指定它为spring的初始配置文件,通过<context-param/>元素
还需要定义filter用来拦截需要给spring security处理的请求,注意,该filter一定要定义在其他拦截器之前
<listener>用来加载spring的配置文件
完整的web.xml代码如下:
1 <?xml version="1.0" encoding="UTF-8"?> 2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 3 xmlns="http://xmlns.jcp.org/xml/ns/javaee" 4 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" 5 id="WebApp_ID" version="3.1"> 6 <context-param> 7 <param-name>contextConfigLocation</param-name> 8 <param-value>classpath:spring-security.xml</param-value> 9 </context-param> 10 11 <filter> 12 <filter-name>springSecurityFilterChain</filter-name> 13 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 14 </filter> 15 <filter-mapping> 16 <filter-name>springSecurityFilterChain</filter-name> 17 <url-pattern>/*</url-pattern> 18 </filter-mapping> 19 20 <listener> 21 <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 22 </listener> 23 </web-app>
在讲一下spring-security.xml配置文件
spring-security配置文件需要配置两样东西
1)配置权限控制的规则
里面的元素简介
security:是用命名空间的一个前缀
intercept-ref:定义权限控制的柜子
pattern:表示对哪些url进行权限控制
access:表示在请求对应url时需要什么权限
role前缀:提示spring是用基于角色的检查的标记
2)配置认证
user-service用于获取用户信息
里面配置一些登陆的用户密码和用户名
具体的spring-security配置文件如下
1 <beans xmlns="http://www.springframework.org/schema/beans" 2 xmlns:security="http://www.springframework.org/schema/security" 3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xsi:schemaLocation="http://www.springframework.org/schema/beans 5 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd 6 http://www.springframework.org/schema/security 7 http://www.springframework.org/schema/security/spring-security-3.1.xsd"> 8 <security:http auto-config="true"> 9 <security:intercept-url pattern="/**" access="ROLE_USER"/> 10 </security:http> 11 12 <security:authentication-manager> 13 <security:authentication-provider> 14 <security:user-service> 15 <security:user name="user" password="user" authorities="ROLE_USER"/> 16 <security:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN"/> 17 </security:user-service> 18 </security:authentication-provider> 19 </security:authentication-manager> 20 21 </beans>
当指定 http 元素的 auto-config=”true” 时,就相当于如下内容的简写:
1 <security:http> 2 <security:form-login/> 3 <security:http-basic/> 4 <security:logout/> 5 </security:http>
<security:form-login/>的优先级高于<security:http-basic/>,所以两者都存在时会采用<security:form-login/>
<security:http-basic/>是弹窗效果的表单验证