1 Add the Spring Security tag library
2 Add the servlet filter
<filter>
    <!-- Spring Security creates a filter bean whose id is springSecurityFilterChain -->
    <filter-name>springSecurityFilterChain</filter-name>
    <!-- every call to this class is delegated to the filter bean with the matching name -->
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- the filter also needs a mapping, otherwise it is registered but never invoked -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
3 Build the filter chain
<http auto-config="true">   <!-- auto-config creates the standard filter beans -->
    <!-- one intercept-url per URL pattern; the element may appear many times and the first matching
         pattern wins, so more specific patterns (for example one that lets anonymous users reach the
         /login page) must be listed above this catch-all. This one covers every URL, restricts access to
         authenticated users holding ROLE_SPITTER, and requires-channel="https" forces those requests onto HTTPS -->
    <intercept-url pattern="/**" access="ROLE_SPITTER" requires-channel="https"/>
    <!-- form-login configures the login filter; with auto-config alone the generated login page
         lives at http://localhost:8080/Spitter/spring_security_login, here it is replaced by /login -->
    <form-login login-processing-url="/static/j_spring_security_check"
                login-page="/login"
                authentication-failure-url="/login?login_error=t"/>
    <logout logout-url="/static/j_spring_security_logout"/>
</http>
Spring Security tags in JSP
<security:accesscontrollist> This tag can only be used together with the Spring Security ACL module. It checks a comma-separated list of permissions required on a specific domain object. If the current user holds any one of those permissions the tag body is rendered; otherwise it is skipped.
<sec:accesscontrollist hasPermission="1,2" domainObject="${someObject}">
    This will be shown if the user has either of the permissions represented by the values "1" or "2" on the given object.
</sec:accesscontrollist>
<security:authentication> This tag gives access to the current Authentication object held in the security context.
<security:authorize> This tag decides whether its body is rendered, based on an access expression.
<sec:authorize access="hasRole('supervisor')">
    This content will only be visible to users who have the "supervisor" authority in their list of GrantedAuthoritys.
</sec:authorize>
User authentication
1 Users written directly in the configuration file
<!-- passwords here are stored in clear text inside the configuration: acceptable for a demo,
     not for anything deployed -->
<user-service id="userService">
    <user name="habuma"   password="letmein"   authorities="ROLE_SPITTER,ROLE_ADMIN"/>
    <user name="twoqubed" password="longhorns" authorities="ROLE_SPITTER"/>
    <user name="admin"    password="admin"     authorities="ROLE_ADMIN"/>
</user-service>
<!-- registers an authentication manager backed by the user service above -->
<authentication-manager>
    <authentication-provider user-service-ref="userService"/>
</authentication-manager>
2. Users read from the database
<!-- the first query must return username, password, enabled; the second must return username, authority.
     Both are overridden here because the demo stores users in a spitter table rather than the default
     users/authorities tables. Without a password-encoder the password column is compared in clear text -->
<jdbc-user-service id="userService" data-source-ref="dataSource"
    users-by-username-query="select username, password, true from spitter where username = ?"
    authorities-by-username-query="select username, 'ROLE_SPITTER' from spitter where username = ?"/>
<authentication-manager>
    <authentication-provider user-service-ref="userService"/>
</authentication-manager>
Remember me
Stores a token in a cookie; the token is an MD5 hash computed over the username, the password, a private key and the expiry time.
<http auto-config="true" use-expressions="true">
    ...
    <!-- 2419200 seconds = 4 weeks -->
    <remember-me key="spitterKey" token-validity-seconds="2419200"/>
</http>
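To make the cookie description above concrete, here is an added stand-alone re-implementation of the token scheme (written for this note, not Spring Security's own TokenBasedRememberMeServices class). The field order username:expiry:password:key, the hex MD5 signature and the base64 cookie layout are how I understand Spring's token-based variant to work and should be read as assumptions; the class name, the demo user habuma/letmein and the key spitterKey are taken from the page's own examples, and Java 8+ is assumed for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/** Illustration of the remember-me token scheme; not Spring Security's own implementation. */
public class RememberMeTokenDemo {

    /** Hex MD5 over "username:expiry:password:key" (assumed field order), the signature carried in the cookie. */
    static String signature(String username, long expiry, String password, String key) {
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            byte[] digest = md5.digest((username + ":" + expiry + ":" + password + ":" + key)
                    .getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /** Builds the cookie value as base64("username:expiry:signature"); expiry is a millisecond timestamp. */
    static String makeCookie(String username, String password, String key, long validitySeconds, long nowMillis) {
        long expiry = nowMillis + validitySeconds * 1000L;
        String sig = signature(username, expiry, password, key);
        return Base64.getEncoder()
                .encodeToString((username + ":" + expiry + ":" + sig).getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Validates a presented cookie against the user's stored password and the server key.
     * Returns the username on success, or null if the cookie is malformed, expired or its signature is wrong.
     */
    static String validateCookie(String cookie, String password, String key, long nowMillis) {
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        String[] parts = decoded.split(":");
        if (parts.length != 3) {
            return null;
        }
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (expiry < nowMillis) {
            return null; // token-validity-seconds has elapsed
        }
        String expected = signature(parts[0], expiry, password, key);
        // constant-time comparison so the check does not leak how many bytes of the signature matched
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   parts[2].getBytes(StandardCharsets.UTF_8))) {
            return null;
        }
        return parts[0];
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        String cookie = makeCookie("habuma", "letmein", "spitterKey", 2419200L, now);
        System.out.println("cookie:           " + cookie);
        System.out.println("valid now:        " + validateCookie(cookie, "letmein", "spitterKey", now));
        System.out.println("after 4 weeks:    " + validateCookie(cookie, "letmein", "spitterKey", now + 2419200L * 1000L + 1));
        System.out.println("wrong key:        " + validateCookie(cookie, "letmein", "otherKey", now));
        System.out.println("password changed: " + validateCookie(cookie, "newpass", "spitterKey", now));
    }
}
```

Two things the demo makes visible: because the password is hashed into the signature, changing the password invalidates every outstanding cookie without server-side state, and because the key is the only secret not known to the user, it must be unique per application and kept out of source control. The cookie is still a bearer credential for the whole token-validity-seconds window, which is why the https requirement from the filter chain matters for it.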
Securing methods
<global-method-security secured-annotations="enabled"/>   <!-- enables the @Secured annotation -->
1 @Secured
// creates a pointcut around the method; the call proceeds only if the authenticated user holds ROLE_SPITTER
// @Secured({"ROLE_SPITTER", "ROLE_ADMIN"}) would accept a user holding either authority
@Secured("ROLE_SPITTER")
public void addSpittle(Spittle spittle) {
    // ...
}
// if the user lacks the authority, one of Spring Security's exceptions is thrown. Inside an HTTP request
// Spring Security's filters catch it; anywhere else the caller has to handle it itself
2 pre-post-annotations
<global-method-security pre-post-annotations="enabled"/>
@PreAuthorize("hasRole('ROLE_SPITTER')")
public void addSpittle(Spittle spittle) {
    // ...
}
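The note above says that outside an HTTP request the caller has to deal with the access-denied exception itself. The following added example (mine, not the book's or the Spitter project's code) shows a batch-style caller doing exactly that: it establishes an Authentication on the current thread, calls a service secured with the same @Secured annotations as above, and catches AccessDeniedException. The Spittle and SpittleService classes are assumed shapes based on the page's names, and the service is assumed to be obtained from the Spring context, since only the Spring-created proxy enforces the annotations.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/** Domain object from the note; assumed shape. */
class Spittle {
    final String text;
    Spittle(String text) { this.text = text; }
}

/** Service secured as in the note. Must be a Spring bean, otherwise the annotations are never enforced. */
class SpittleService {
    private final List<Spittle> spittles = new ArrayList<>();

    @Secured("ROLE_SPITTER")
    public void addSpittle(Spittle spittle) {
        spittles.add(spittle);
    }

    @Secured({"ROLE_SPITTER", "ROLE_ADMIN"})
    public List<Spittle> listSpittles() {
        return Collections.unmodifiableList(spittles);
    }
}

/** A non-HTTP caller (for example a scheduled import). No filter chain is present, so it handles denial itself. */
public class BatchImporter {

    // Assumed to be injected from the Spring context (the proxy that enforces @Secured).
    private final SpittleService spittleService;

    BatchImporter(SpittleService spittleService) {
        this.spittleService = spittleService;
    }

    /** Imports each line as a Spittle on behalf of runAsUser; returns how many were accepted. */
    public int importAll(List<String> lines, String runAsUser, String... roles) {
        // Bind an Authentication to this thread; with no Authentication, @Secured denies every call.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                runAsUser, "N/A", AuthorityUtils.createAuthorityList(roles));
        SecurityContextHolder.getContext().setAuthentication(auth);
        int imported = 0;
        try {
            for (String line : lines) {
                spittleService.addSpittle(new Spittle(line));
                imported++;
            }
        } catch (AccessDeniedException denied) {
            // Thrown by Spring Security when runAsUser lacks ROLE_SPITTER: log it and stop,
            // rather than letting the job crash with a stack trace or retrying blindly.
            System.err.println("access denied for " + runAsUser + ": " + denied.getMessage());
        } finally {
            // Always clear the thread-bound context so a pooled thread does not keep this identity.
            SecurityContextHolder.clearContext();
        }
        return imported;
    }
}
```

The finally block is the part most often forgotten: SecurityContextHolder is thread-local, so a job that sets an Authentication and never clears it leaves that identity behind for whatever the thread runs next.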
Further reading: http://lengyun3566.iteye.com/category/153689