SpringSecurity学习一----------最简单的权限控制系统

© 版权声明：本文为博主原创文章，转载请注明出处

1.项目结构

2.pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
	
	<modelVersion>4.0.0</modelVersion>
	
	<groupId>org.springsecurity</groupId>
	<artifactId>SpringSecurity</artifactId>
	<packaging>war</packaging>
	<version>0.0.1-SNAPSHOT</version>
	<name>SpringSecurity Maven Webapp</name>
	<url>http://maven.apache.org</url>
	
	<!-- 统一版本 -->
	<properties>
		<jdk.version>1.7</jdk.version>
		<spring.version>4.3.5.RELEASE</spring.version>
		<spring.security.version>4.2.1.RELEASE</spring.security.version>
	</properties>
	
	<dependencies>
		<!-- junit依赖 -->
		<dependency>
			<groupId>junit</groupId>
			<artifactId>junit</artifactId>
			<version>4.12</version>
			<scope>test</scope>
		</dependency>
		<!-- spring依赖 -->
		<dependency>
		    <groupId>org.springframework</groupId>
		    <artifactId>spring-core</artifactId>
		    <version>${spring.version}</version>
		</dependency>
		<dependency>
		    <groupId>org.springframework</groupId>
		    <artifactId>spring-web</artifactId>
		    <version>${spring.version}</version>
		</dependency>
		<dependency>
		    <groupId>org.springframework</groupId>
		    <artifactId>spring-webmvc</artifactId>
		    <version>${spring.version}</version>
		</dependency>
		<!-- spring security依赖 -->
		<dependency>
		    <groupId>org.springframework.security</groupId>
		    <artifactId>spring-security-web</artifactId>
		    <version>${spring.security.version}</version>
		</dependency>
		<dependency>
		    <groupId>org.springframework.security</groupId>
		    <artifactId>spring-security-config</artifactId>
		    <version>${spring.security.version}</version>
		</dependency>
		<!-- jsp、servlet依赖 -->
		<dependency>
		    <groupId>jstl</groupId>
		    <artifactId>jstl</artifactId>
		    <version>1.2</version>
		</dependency>
		<dependency>
		    <groupId>taglibs</groupId>
		    <artifactId>standard</artifactId>
		    <version>1.1.2</version>
		</dependency>
		<dependency>
		    <groupId>javax.servlet</groupId>
		    <artifactId>javax.servlet-api</artifactId>
		    <version>3.1.0</version>
		</dependency>
	</dependencies>
	<build>
	  <finalName>SpringSecurity</finalName>
	</build>
</project>

3.mvc-dispatcher-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd">

	<!-- 开启包扫描 -->
	<context:component-scan base-package="org.springsecurity.*"/>
	
	<!-- 定义视图解析器 -->
	<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
		<property name="prefix">
			<value>/WEB-INF/pages/</value>
		</property>
		<property name="suffix">
			<value>.jsp</value>
		</property>
	</bean>
        
</beans>

4.spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
        
    <security:http auto-config="true">
    	<!-- 指定需要拦截的URL，并设置访问所需的角色 -->
    	<security:intercept-url pattern="/admin**" access="hasRole('ROLE_USER')"/>
    	<!-- csrf:跨域请求伪造，攻击方通过伪造用户请求访问受信任站点
    		使用spring-security自定义的退出方法需关闭csrf -->
    	<security:csrf disabled="true"/>
    </security:http>
    
    <security:authentication-manager>
    	<security:authentication-provider>
			<security:user-service>
				<!-- 设置用户的密码和角色 -->
				<security:user name="admin" password="123456" authorities="ROLE_USER" />
			</security:user-service>    	
    	</security:authentication-provider>
    </security:authentication-manager>
    
</beans>

5.web.xml

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                      http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
  	version="3.0" metadata-complete="true">
  	
  	<!-- Spring MVC -->
  	<servlet>
  		<servlet-name>mvc-dispatcher</servlet-name>
  		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  		<init-param>
  			<param-name>contextConfigLocation</param-name>
  			<param-value>classpath:mvc-dispatcher-servlet.xml</param-value>
  		</init-param>
  	</servlet>
  	<servlet-mapping>
  		<servlet-name>mvc-dispatcher</servlet-name>
  		<url-pattern>/</url-pattern>
  	</servlet-mapping>
  	
  	<listener>
  		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  	</listener>
  	
  	<!-- 加载spring-security配置文件 -->
  	<context-param>
  		<param-name>contextConfigLocation</param-name>
  		<param-value>classpath:spring-security.xml</param-value>
  	</context-param>
  	
  	<!-- spring security -->
  	<filter>
  		<filter-name>springSecurityFilterChain</filter-name>
  		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  	</filter>
  	<filter-mapping>
  		<filter-name>springSecurityFilterChain</filter-name>
  		<url-pattern>/*</url-pattern>
  	</filter-mapping>
  	
</web-app>

6.HelloController.java

package org.springsecurity.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class HelloController {

	@RequestMapping(value = {"/", "/welcome**"}, method = RequestMethod.GET)
	public ModelAndView welcomePage() {
		
		ModelAndView model = new ModelAndView();
		model.addObject("title", "Spring Security Hello World");
		model.addObject("message", "This is welcome page!");
		model.setViewName("hello");
		return model;
		
	}
	
	@RequestMapping(value = "/admin**", method = RequestMethod.GET)
	public ModelAndView adminPage() {
		
		ModelAndView model = new ModelAndView();
		model.addObject("title", "Spring Security Hello World");
		model.addObject("message", "This is protected page!");
		model.setViewName("admin");
		return model;
		
	}
	
}

7.hello.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
	<h1>标题：${title }</h1>
	<h2>消息：${message }</h2>
</body>
</html>

8.admin.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
	<h1>标题：${title }</h1>
	<h2>消息：${message }</h2>
	<c:if test="${pageContext.request.userPrincipal.name != null }">
		<h2>欢迎：${pageContext.request.userPrincipal.name } 
		| <a href="<c:url value='/logout' />">Logout</a></h2>
		<!-- spring-security3.x版本默认的注销拦截url为/j_spring_security_logout；
			4.x版本默认的注销拦截url为/logout。
			若使用默认的注销拦截url需关闭csrf，否则报错404 -->
	</c:if>
</body>
</html>

9.效果预览

　　9.1 无需访问权限

　　

　　9.2 需要访问权限(spring-security会自动生成一个简易的登录界面)

　　

　　9.3 登录失败

　　

　　9.4 登录成功

　　

　　9.5 注销

　　

 　　参考：http://www.yiibai.com/spring-security/spring-security-hello-world-example.html