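  • Getting Started with Spring Security (Part 1)

    This is my first contact with Spring Security. The first example is the simplest one, and it implements only the most basic access-control features.

    First, the web.xml file: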

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.5"
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
      <display-name></display-name>
      <!-- Location of the Spring Security configuration file (applicationContext-security.xml) -->
      <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
        classpath:application*.xml
        </param-value>
      </context-param>
      <!-- Listener that instantiates the Spring container -->
      <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
      <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
      </listener>
      <!-- Filter required by Spring Security -->
      <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <!-- Session timeout (minutes) -->
      <session-config>
        <session-timeout>30</session-timeout>
      </session-config>
    </web-app>

    The web.xml configuration is familiar, so there is nothing particularly difficult here.

    Next is the core file, applicationContext-security.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:security="http://www.springframework.org/schema/security"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
                http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                http://www.springframework.org/schema/security
                http://www.springframework.org/schema/security/spring-security-3.0.xsd">
      <!-- Configure protected resources -->
      <security:http auto-config="true" access-denied-page="/deniedpage.jsp">
        <!-- Concurrent session control.
             session-fixation-protection="none" turns session-fixation protection off:
             the session ID is not changed at login (the namespace default is migrateSession). -->
        <security:session-management invalid-session-url="/login.jsp" session-fixation-protection="none">
          <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/sessionTimeout.jsp"/>
        </security:session-management>
        <!-- HTTP form authentication -->
        <security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" default-target-url="/success.jsp"/>
        <security:logout/>
        <!-- Patterns are matched in order; the first match wins -->
        <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/index.jsp" access="ROLE_USER,ROLE_ADMIN"/>
        <security:intercept-url pattern="/**" access="ROLE_USER"/>
      </security:http>
      <!-- Configure users.
           No password-encoder is configured, so stored passwords are compared as plaintext. -->
      <security:authentication-manager>
        <security:authentication-provider>
          <security:jdbc-user-service data-source-ref="dataSource"/>
        </security:authentication-provider>
      </security:authentication-manager>
      <!-- Database connection settings -->
      <bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource">
        <property name="driverClass" value="${db.driverClass}"/>
        <property name="jdbcUrl" value="${db.jdbcUrl}"/>
        <property name="user" value="${db.user}"/>
        <property name="password" value="${db.password}"/>
      </bean>
      <!-- Load the properties file -->
      <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="locations">
          <list>
            <value>classpath:constants.properties</value>
          </list>
        </property>
      </bean>
    </beans>

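    Notes:

    1. The current session's information is fetched from the session cache. If it is found to have expired, the request is redirected to the URL configured in expired-url, or a session-expired message is returned. What can cause the current session to expire? Expiry here does not mean the session expiring in the web container. Spring Security wraps each successfully logged-in session in a SessionInformation object and places it in the registry's cache; if the expired field of that SessionInformation is true, the session is considered expired. So the ConcurrentSessionFilter mainly checks the value of the expired field of SessionInformation.

    2. If the concurrency-control element is configured with error-if-maximum-exceeded="true" and max-sessions="1", the second login attempt fails. If error-if-maximum-exceeded="false", the second login succeeds, but when the account that logged in first sends another request, it is redirected to the URL configured in expired-url (if none is configured, the message "This session has been expired (possibly due to multiple concurrent logins being attempted as the same user)." is displayed).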
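    The behaviour described in notes 1 and 2, as an added example (not from the original post and not Spring Security's own code): a dependency-free Java model in which `ConcurrencyControlModel`, `Info`, `login` and `onRequest` are hypothetical names. It assumes that when the limit is exceeded the earliest live session is the one marked expired, which for max-sessions="1" is the first login.

```java
import java.util.*;
// Simplified model of notes 1 and 2; it does not use or reproduce Spring Security's classes.
public class ConcurrencyControlModel {
    // Stand-in for SessionInformation: only the expired flag is modelled.
    static final class Info { boolean expired; }
    private final Map<String, List<Info>> byUser = new HashMap<>();  // registry cache, per user
    private final Map<String, Info> bySession = new HashMap<>();     // registry cache, per session id
    private final int maxSessions;
    private final boolean errorIfMaximumExceeded;

    ConcurrencyControlModel(int maxSessions, boolean errorIfMaximumExceeded) {
        this.maxSessions = maxSessions;
        this.errorIfMaximumExceeded = errorIfMaximumExceeded;
    }

    // Successful authentication of `user` in session `sessionId`; false means the login is refused.
    boolean login(String user, String sessionId) {
        List<Info> all = byUser.computeIfAbsent(user, k -> new ArrayList<>());
        List<Info> live = new ArrayList<>();
        for (Info i : all) if (!i.expired) live.add(i);
        if (live.size() >= maxSessions) {
            if (errorIfMaximumExceeded) return false;  // note 2: the second login is rejected
            live.get(0).expired = true;                // assumption: earliest live session is expired
        }
        Info info = new Info();
        all.add(info);
        bySession.put(sessionId, info);
        return true;
    }

    // Per-request check (the job of ConcurrentSessionFilter in note 1): only the flag matters.
    String onRequest(String sessionId, String expiredUrl) {
        Info info = bySession.get(sessionId);
        if (info == null || !info.expired) return "continue";
        return expiredUrl != null ? "redirect:" + expiredUrl
            : "This session has been expired (possibly due to multiple concurrent logins being attempted as the same user).";
    }

    public static void main(String[] args) {
        ConcurrencyControlModel strict = new ConcurrencyControlModel(1, true);
        System.out.println("strict  1st login:  " + strict.login("alice", "S1"));
        System.out.println("strict  2nd login:  " + strict.login("alice", "S2"));
        ConcurrencyControlModel lenient = new ConcurrencyControlModel(1, false);
        lenient.login("alice", "S1");
        System.out.println("lenient 2nd login:  " + lenient.login("alice", "S2"));
        System.out.println("S1 next request:    " + lenient.onRequest("S1", "/sessionTimeout.jsp"));
        System.out.println("S2 next request:    " + lenient.onRequest("S2", "/sessionTimeout.jsp"));
        System.out.println("S1, no expired-url: " + lenient.onRequest("S1", null));
    }
}
```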

    Then comes constants.properties, which holds the database connection settings:

    db.driverClass=com.mysql.jdbc.Driver
    db.jdbcUrl=jdbc:mysql://localhost:3306/springsecurity
    db.user=root
    db.password=luwenhu

    Finally, the JSP files. There is nothing special about them; for example, login.jsp:

    <%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
    <%
    String path = request.getContextPath();
    String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
    %>

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
      <head>
        <base href="<%=basePath%>">
        <title>登录界面</title>
      </head>
      <body onload="document.f.j_username.focus();">
      <c:if test="${not empty param.login_error }">
      <font color="red">
      登录失败,请重试!<br/>
      原因:<c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message }"></c:out>
      </font>
      </c:if>
       <%-- name="f" is the form that document.f in the onload handler refers to --%>
       <form name="f" action="/acegi1/j_spring_security_check" method="post">
       username:<input type="text" name="j_username"/><br/>
       password:<input type="password" name="j_password"/><br/>
       <input type="checkbox" name="_spring_security_remember_me">两周内自动登录
       <input type="submit" value="用户登录">
       </form>
      </body>
    </html>

    That is all I learned today. Tomorrow I will continue digging into Spring Security and add my own filter.

  • Original article: https://www.cnblogs.com/wenhulu/p/5506552.html