
Spring Security 3.x Multiple Login Pages: An Introductory Configuration Tutorial

September 5, 2014

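Spring Security is an access-control framework. It makes access control easy to implement: we do not need to hand-write interceptors that intercept requests and then check permissions. This greatly reduces the workload, and Spring Security provides very reliable security guarantees.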

Without further ado, here is the tutorial:

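1. Add the Spring Security JARs. I manage JARs through Maven together with Nexus. Plain JARs also work: download the relevant JARs and add them to the lib directory under WEB-INF. The dependencies added to pom.xml are as follows (source: the official site, http://projects.spring.io/spring-security/):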

<dependencies>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>3.2.3.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>3.2.3.RELEASE</version>
    </dependency>
</dependencies>

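2. Add the Spring Security filter to web.xml. The configuration files must of course be loaded as well; here all of the Spring configuration files are loaded in one go through a wildcard pattern: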

	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			classpath:spring*.xml
		</param-value>
	</context-param>

	<!-- spring security -->
 	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

3. Configure the spring-security.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">
	
	<!-- Resources that do not require authentication; this style of configuration applies only after 3.0 -->
	<!-- <http security="none" pattern="/**/index" /> -->
	<http security="none" pattern="/**/login" />
	<http security="none" pattern="/**/*.jpg" />
	<http security="none" pattern="/**/*.png" />
	<http security="none" pattern="/**/*.gif" />
	<http security="none" pattern="/**/*.css" />
	<http security="none" pattern="/**/*.js" />

	<!-- Student users: the URLs matched, the login page and the required role; authentication is delegated to studentAuthManager -->
	<http auto-config="true" pattern="/student/**" use-expressions="true" authentication-manager-ref="studentAuthManager">
		<form-login login-processing-url="/student/j_spring_security_check"
			login-page="/student/login" authentication-failure-url="/student/login" default-target-url="/student/index"/>
		<logout logout-success-url="/student/login" logout-url="/student/j_spring_security_logout" />
		<intercept-url pattern="/student/**" access="hasRole('ROLE_STUDENT')" />
	</http>
	
	<!-- Admin users: the URLs matched, the login page and the required role; authentication is delegated to adminAuthManager -->
 	<http auto-config="true" pattern="/admin/**" use-expressions="true" authentication-manager-ref="adminAuthManager">
		<form-login login-processing-url="/admin/j_spring_security_check"
			login-page="/admin/login" authentication-failure-url="/admin/login"  default-target-url="/admin/index"/>
		<logout logout-url="/admin/j_spring_security_logout" logout-success-url="/admin/index" />
		<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
	</http>
	
	<!-- Authentication manager bean for front-end users -->
	<authentication-manager id="studentAuthManager">
		<authentication-provider user-service-ref="studentDetailService">
			<password-encoder hash="md5"></password-encoder>
		</authentication-provider>        
	</authentication-manager>
	
	<!-- Authentication manager bean for back-end admin users -->
	<authentication-manager id="adminAuthManager">
		<authentication-provider user-service-ref="adminDetailService">
			<password-encoder hash="md5"></password-encoder>
		</authentication-provider>
	</authentication-manager>
</beans:beans>
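
The two `<password-encoder hash="md5">` elements above store unsalted MD5, so equal passwords yield equal stored values. The following is an added example, not code from the original post: an encoder that writes bcrypt for new hashes while still verifying records already stored as MD5. The class name `MigratingPasswordEncoder`, the bean id `migratingEncoder` and the sample password are assumptions; it uses Spring Security 3.2's own encoder classes and needs the dependencies from step 1 on the classpath.

```java
import java.util.regex.Pattern;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/*
 * Added example, not part of the original tutorial; class and bean names are hypothetical.
 * Wire it in by replacing <password-encoder hash="md5"/> with a reference:
 *   <beans:bean id="migratingEncoder" class="MigratingPasswordEncoder"/>
 *   <password-encoder ref="migratingEncoder"/>
 */
public class MigratingPasswordEncoder implements PasswordEncoder {

    // Unsalted hex MD5, the format written by <password-encoder hash="md5"/>
    private static final Pattern LEGACY_MD5 = Pattern.compile("[0-9a-f]{32}");
    private final BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder(12);
    private final Md5PasswordEncoder legacyMd5 = new Md5PasswordEncoder();

    public String encode(CharSequence rawPassword) {
        return bcrypt.encode(rawPassword); // every new or changed password becomes bcrypt
    }

    public boolean matches(CharSequence rawPassword, String storedHash) {
        if (rawPassword == null || storedHash == null) {
            return false;
        }
        if (LEGACY_MD5.matcher(storedHash).matches()) {
            // Legacy record: verify as before, then re-hash with encode() after the login succeeds
            return legacyMd5.isPasswordValid(storedHash, rawPassword.toString(), null);
        }
        return bcrypt.matches(rawPassword, storedHash);
    }

    public static void main(String[] args) {
        String sample = "Correct-Horse-42"; // constructed sample password
        MigratingPasswordEncoder enc = new MigratingPasswordEncoder();
        String md5Stored = new Md5PasswordEncoder().encodePassword(sample, null);
        // Unsalted MD5 is deterministic: the same password always gives the same stored value
        System.out.println("MD5 repeatable: " + md5Stored.equals(new Md5PasswordEncoder().encodePassword(sample, null)));
        // bcrypt embeds a random salt: two hashes of one password differ, yet both verify
        String b1 = enc.encode(sample);
        String b2 = enc.encode(sample);
        System.out.println("bcrypt differs: " + !b1.equals(b2) + ", verifies: " + (enc.matches(sample, b1) && enc.matches(sample, b2)));
        // Existing MD5 records keep authenticating during the migration; wrong passwords do not
        System.out.println("legacy accepted: " + enc.matches(sample, md5Stored));
        System.out.println("wrong rejected: " + !enc.matches("wrong", md5Stored));
    }
}
```

The password column must be able to hold bcrypt's 60-character output before this encoder is switched on.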

4. Implement the UserDetailsService interface (the student implementation is exactly the same as the admin one, so only the admin example is listed here):

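import javax.annotation.Resource;

import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

/**   
 * @Description: Loads admin accounts for the adminAuthManager authentication provider.
 *
 * @author ICE
 *
 * @date 2014-4-26 10:24:00 AM
 */
@Service
public class AdminDetailService implements UserDetailsService{

	// AdminMapper is the project's own data-access class
	@Resource
	private AdminMapper adminMapper;
	
	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
		Admin admin = adminMapper.selectByUsername(username);
		// The UserDetailsService contract does not allow returning null for an unknown user
		if (admin == null) {
			throw new UsernameNotFoundException("Admin account not found");
		}
		return admin;
	}

}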

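5. Make the Admin entity implement the UserDetails interface (since this is only a demo, the authorities are hard-coded; they could be loaded from the database). The student entity also implements UserDetails, so its code is not repeated here.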

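import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

/**   
 * @Description:
 *
 * @author ICE
 *
 * @date 2014-4-26 10:25:29 AM
 */
public class Admin implements UserDetails{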
	private static final long serialVersionUID = 1557391641237960295L;

	private Integer id;

    private String username;

    private String password;

    public Integer getId() {
        return id;
    }

    public void setId(Integer id) {
        this.id = id;
    }
  
    // These authorities should be loaded from the database; that lookup is not done here
	public Collection<? extends GrantedAuthority> getAuthorities() {
		List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
		authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
		return authorities;
	}

	public void setPassword(String password){
		this.password = password;
	}
	
	public void setUsername(String username){
		this.username = username;
	}
	
	public String getPassword() {
		return password;
	}

	public String getUsername() {
		return username;
	}

	public boolean isAccountNonExpired() {
		return true;
	}

	public boolean isAccountNonLocked() {
		return true;
	}

	public boolean isCredentialsNonExpired() {
		return true;
	}

	public boolean isEnabled() {
		return true;
	}
}

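6. If you do not write a login page, Spring Security uses its default page, which is very ugly. Fortunately you can write your own; below is the page I wrote (also very ugly):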

  <body>
  	<form action="j_spring_security_check" method="post">
	  	username:<input type="text" name="j_username"/><br/>
	  	password:<input type="password" name="j_password"/><br/>
	  	Remember Me:<input name="_spring_security_remember_me" type="checkbox" value="true"/><br/>
	  	<input type="submit" value="提交"/>
  	</form>
  </body>

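7. Visit the site, log in, and you are done. This code was adapted from project code, so there is no demo, sorry!!! (I will definitely add one when I get the chance = =||)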
