Spring Security: A First Introductory Demo

Source: Internet | Editor: 程序博客网 | Time: 2024/06/05 10:12

Reposted from http://www.cnblogs.com/jaylon/p/4905769.html
http://wiki.jikexueyuan.com/project/spring-security/first-experience.html

First, what it is for

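Spring Security is a security framework that provides declarative security for Spring-based applications. It offers a complete security solution that handles authentication and authorization at both the web request level and the method invocation level. It makes full use of dependency injection and aspect-oriented techniques.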

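  1. Web request level: servlet filters protect web requests and restrict access at the URL level.
  2. Method invocation level: Spring AOP protects method invocations, ensuring that only users with the appropriate authority can call secured methods.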

1 Set up a Maven web project

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.lzh</groupId>
  <artifactId>springSecurity</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>
  <build/>
  <dependencies>
    <!-- JUnit configuration -->
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
    <!-- Add the Servlet API -->
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>2.5</version>
      <scope>provided</scope>
    </dependency>
    <!-- Add the JSP API; otherwise EL expressions written in JSP pages are reported as errors -->
    <dependency>
      <groupId>javax.servlet.jsp</groupId>
      <artifactId>jsp-api</artifactId>
      <version>2.1.3-b06</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-web</artifactId>
      <version>4.1.1.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>4.1.1.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
      <version>1.2</version>
    </dependency>
  </dependencies>
</project>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">
  <display-name>springSecurity</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <!-- Path from which the Spring Security configuration file is loaded. I put it
       on the classpath; putting it under WEB-INF also works, as long as it can be loaded. -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring-security.xml</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-4.1.xsd">

    <!-- Resources that do not need security checks -->
    <http pattern="/resources/**" security="none" />

    <!-- Authorities required for each resource -->
    <http use-expressions="true" auto-config="true">
        <intercept-url pattern="/index.jsp*" access="permitAll" />
        <intercept-url pattern="/user.jsp*" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/admin.jsp*" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    </http>

    <!-- Users and their authorities -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="test" password="test" authorities="ROLE_USER" />
                <user name="admin" password="admin" authorities="ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

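Now just write the JSPs: index.jsp, user.jsp and admin.jsp. A user without the required authority is redirected automatically to Spring Security's default login page. Try it yourself.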

You may wonder why Spring Security jumps to the login page above when we never created it. Spring Security generates that page for us automatically when auto-config="true" is set on the http element.

Setting auto-config="true" on the http element is shorthand for the following.

<security:http>
    <security:form-login/>
    <security:http-basic/>
    <security:logout/>
</security:http>

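These elements set up form login, basic authentication and logout handling. The behaviour of each can be changed by setting the corresponding attributes.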
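The attribute-based customisation described above, applied to the demo's spring-security.xml, as an added example that is not the original author's configuration: auto-config is replaced by explicitly declared elements, and the plaintext passwords in user-service by bcrypt hashes. The /login.jsp page and the hash placeholders are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original author's file. Assumed: /login.jsp, hash placeholders. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-4.1.xsd">

    <http pattern="/resources/**" security="none" />

    <!-- auto-config removed: only the mechanisms listed below are enabled -->
    <http use-expressions="true">
        <!-- The custom login page must be reachable without authentication.
             Rules are evaluated in order, so it goes before the /** catch-all. -->
        <intercept-url pattern="/login.jsp*" access="permitAll" />
        <intercept-url pattern="/index.jsp*" access="permitAll" />
        <intercept-url pattern="/user.jsp*" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/admin.jsp*" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

        <form-login login-page="/login.jsp"
                    login-processing-url="/login"
                    default-target-url="/index.jsp"
                    authentication-failure-url="/login.jsp?error" />
        <!-- http-basic is left out because this demo only uses the login form -->
        <logout logout-url="/logout"
                logout-success-url="/index.jsp"
                invalidate-session="true"
                delete-cookies="JSESSIONID" />
    </http>

    <!-- Stored passwords are compared as bcrypt hashes instead of plaintext -->
    <beans:bean id="passwordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <authentication-manager>
        <authentication-provider>
            <password-encoder ref="passwordEncoder" />
            <user-service>
                <!-- Placeholders: paste hashes produced by BCryptPasswordEncoder.encode(...) -->
                <user name="test" password="BCRYPT_HASH_PLACEHOLDER_TEST" authorities="ROLE_USER" />
                <user name="admin" password="BCRYPT_HASH_PLACEHOLDER_ADMIN" authorities="ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

Spring Security 4 enables CSRF protection by default, so the assumed login.jsp form has to submit the `_csrf` token with its POST to /login, and logout has to be a POST to /logout.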
