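  • Spring Security: A Simple Introduction

    A simple Spring Security getting-started example

    I. Overview

    Spring Security is a security framework that provides a declarative access-control solution for Spring-based enterprise applications.

    Its two most important security operations are:

    Authentication: establishing the principal that the user claims to be, i.e. completing the user's login.

    Authorization: deciding whether a user may perform a given operation in the application. The user has already been authenticated before authorization takes place.

    II. Quick-start example

    1. Create a new Java web project

    Use IDEA and Maven to create a Java web project with the following directory structure.

    Also create the login page (login.html), the login-failure page (failed.html) and the login-success page (success.html), plus the project's home page, index.jsp.

    2. Import the dependencies

    The contents of the pom file are as follows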

    <?xml version="1.0" encoding="UTF-8"?>
    
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
      <modelVersion>4.0.0</modelVersion>
    
      <groupId>com.lyy</groupId>
      <artifactId>web_03_security_quicklystart</artifactId>
      <version>1.0-SNAPSHOT</version>
      <packaging>war</packaging>
    
      <name>web_03_security_quicklystart Maven Webapp</name>
      <!-- FIXME change it to the project's website -->
      <url>http://www.example.com</url>
    
      <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <spring.version>5.0.2.RELEASE</spring.version>
        <spring.security.version>5.0.1.RELEASE</spring.security.version>
      </properties>
    
      <dependencies>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-core</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-web</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-webmvc</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-context-support</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-test</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-jdbc</artifactId>
          <version>${spring.version}</version>
        </dependency>
    
        <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-web</artifactId>
          <version>${spring.security.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-config</artifactId>
          <version>${spring.security.version}</version>
        </dependency>
        <dependency>
          <groupId>javax.servlet</groupId>
          <artifactId>javax.servlet-api</artifactId>
          <version>3.1.0</version>
          <scope>provided</scope>
        </dependency>
      </dependencies>
    
      <build>
        <plugins>
          <plugin>
            <groupId>org.apache.tomcat.maven</groupId>
            <artifactId>tomcat7-maven-plugin</artifactId>
            <version>2.1</version>
            <configuration>
              <port>80</port>
              <path>/</path>
              <uriEncoding>UTF-8</uriEncoding>
              <server>tomcat7</server>
            </configuration>
          </plugin>
    
        </plugins>
      </build>
    </project>
    
    

    3. Create the Spring Security configuration file

    The contents of spring-security.xml are as follows

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans.xsd
              http://www.springframework.org/schema/security
              http://www.springframework.org/schema/security/spring-security.xsd">
    
        <!-- Getting-started configuration for spring-security -->
    
        <!-- Resources that are not intercepted; /xxx denotes a resource under the root path -->
        <security:http security="none" pattern="/login.html"/>
        <security:http security="none" pattern="/failed.html"/>
    
        <security:http auto-config="true" use-expressions="false">
            <!-- URL rule: every path requires the ROLE_USER authority -->
            <security:intercept-url pattern="/**" access="ROLE_USER"/>
    
            <!-- Custom login page -->
            <security:form-login login-page="/login.html" login-processing-url="/login"
                                 username-parameter="username" password-parameter="password"
                                 authentication-failure-forward-url="/failed.html"
                                 default-target-url="/success.html" authentication-success-forward-url="/success.html"
            />
            <!-- Disable CSRF protection; it is enabled by default -->
            <security:csrf disabled="true"/>
        </security:http>
        <security:authentication-manager>
            <security:authentication-provider>
                <!-- Two users are configured here, with the USER and ADMIN authorities respectively -->
                <security:user-service>
                    <security:user name="user" password="{noop}user"
                                   authorities="ROLE_USER"/>
                    <security:user name="admin" password="{noop}admin"
                                   authorities="ROLE_ADMIN"/>
                </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager>
    </beans>
    

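    The main points of this configuration file are:

    (1) Configure the resources that Spring Security does not apply access control to, such as the login and failure pages

    <!-- Resources that are not intercepted; /xxx denotes a resource under the root path -->
    <security:http security="none" pattern="/login.html"/>
    <security:http security="none" pattern="/failed.html"/>
    

    (2) Require the ROLE_USER authority for every path

    (3) Use a custom login page

    (4) Configure two users, with the USER and ADMIN authorities respectively

    Note that the access value configured for a path must carry the ROLE_ prefix: with use-expressions="false" the value is evaluated by RoleVoter, which only considers attributes that begin with ROLE_.

    4. Configure the Spring Security filter in web.xml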

    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                          http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
             version="3.0">
      <display-name>Archetype Created Web Application</display-name>
    
      <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring-security.xml</param-value>
      </context-param>
      <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
      <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
      </welcome-file-list>
    </web-app>
    
    

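    Note that the filter name springSecurityFilterChain must not be changed: DelegatingFilterProxy looks up a bean with the same name as the filter, and Spring Security registers its filter chain under exactly that name.

    5. Start the project

    Start the project and browse to localhost; the login page is displayed.

    Both accounts, user:user and admin:admin, can log in; after a successful login the browser is taken to the login-success page.

    Note:

    The configuration file requires ROLE_USER for every resource. After logging in as user you can therefore reach the project's other resources, such as the home page; after logging in as admin, which only has ROLE_ADMIN, you cannot access the project's other resources.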
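
Added example (not part of the original post): one way to let both accounts use the application while still separating their privileges is to list several authorities on the catch-all rule and place a narrower admin-only rule before it. The /admin/** path and the /denied.html page are assumptions for illustration; the element replaces the main <security:http> element in spring-security.xml.

```xml
<!-- Added example, not from the original post. Drop-in replacement for the
     <security:http auto-config="true"> element of spring-security.xml. -->
<security:http auto-config="true" use-expressions="false">
    <!-- intercept-url rules are checked top to bottom and the first pattern
         that matches decides, so the narrower rule must come first.
         /admin/** is a hypothetical admin-only area. -->
    <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>

    <!-- With use-expressions="false", access is a comma-separated list and
         holding any one of the listed authorities is enough. Both "user"
         and "admin" can now reach the home page and success.html. -->
    <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>

    <!-- Same login form settings as in the post. -->
    <security:form-login login-page="/login.html" login-processing-url="/login"
                         username-parameter="username" password-parameter="password"
                         authentication-failure-forward-url="/failed.html"
                         default-target-url="/success.html"
                         authentication-success-forward-url="/success.html"/>

    <!-- An authenticated user who lacks the required authority (here "user"
         requesting a path under /admin/) is forwarded to this page with
         HTTP 403. /denied.html is a hypothetical page. -->
    <security:access-denied-handler error-page="/denied.html"/>

    <!-- Kept as in the post: the static login.html has no server-side way to
         embed the CSRF token, so the login POST would be rejected with
         CSRF protection switched on. -->
    <security:csrf disabled="true"/>
</security:http>
```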

  • Original article: https://www.cnblogs.com/chengxuxiaoyuan/p/11875969.html