[Spring实战系列]
来源:互联网 发布:贝叶斯分类算法原理 编辑:程序博客网 时间:2024/06/06 05:43
这篇文章开始,我们会进入Spring Security部分。大概会有三到四篇文章来介绍Security部分,在这篇文章中,我们会使用XML配置的方式来配置一个简单的Spring Security登录的例子,感受一下什么是Spring Security,我们怎么使用Spring Security。
1. 什么是Spring Security?
Spring Security是为基于Spring的应用程序提供声明式安全保护的安全性框架。Spring Security提供了完整的安全性解决方案,它能够在Web请求级别和方法调用级别处理身份认证和授权。什么叫Web请求级别和方法调用级别呢?就会当我们通过Controller发送一个请求或者我们的DispatcherSevlet接受到一个请求的时候,我们使用Spring Security 事先声明好的filter,来拦截所有的请求,判断用户是否有权访问该资源。所以,我们会在Spring Security中用到依赖注入和切面编程(AspectJ)的技术。
Spring Security借助一系列Servlet Filter来提供各种安全性功能。我们只需在web.xml配置一个Filter就可以了。DelegatingFilterProxy是一个特殊的Servlet Filter,它本身所做的工作并不多。只是将工作委托给一个javax.servlet.Filter实现类,这个实现类作为一个<bean>注册在Spring应用的上下文中
2. 一个简单的Spring Security登录例子:
首先我们新建Maven项目,过程和前面文章相同,新建后的项目结构如下:
完善你的pom.xml中的依赖:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.example</groupId> <artifactId>SpringSecurity</artifactId> <packaging>war</packaging> <version>1.0-SNAPSHOT</version> <name>SpringSecurity Maven Webapp</name> <url>http://maven.apache.org</url> <dependencies> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>3.8.1</version> <scope>test</scope> </dependency> <!-- ... other dependency elements ... --> <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-core --> <!-- https://mvnrepository.com/artifact/org.springframework/spring-core --> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-core</artifactId> <version>4.3.3.RELEASE</version> </dependency> <!-- https://mvnrepository.com/artifact/org.springframework/spring-webmvc --> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>4.3.2.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>4.0.4.RELEASE</version> </dependency> <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-web --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>4.1.3.RELEASE</version> </dependency> <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-config --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>4.0.3.RELEASE</version> </dependency> <!-- https://mvnrepository.com/artifact/javax.servlet/jstl --> <dependency> <groupId>javax.servlet</groupId> <artifactId>jstl</artifactId> <version>1.2</version> </dependency> </dependencies> <build> <finalName>SpringSecurity</finalName> </build></project>
作为Spring项目,首先就要有一个DispatcherServlet对吧?配置你的DispatcherServlet.xml
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"> <context:component-scan base-package="Hello" /> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="prefix"> <value>/WEB-INF/</value> </property> <property name="suffix"> <value>.jsp</value> </property> </bean></beans>我们将Spring Security的配置均放在security.xml中:
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans-4.0.xsdhttp://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spring-security-4.0.xsd"> <http auto-config="true"> <intercept-url pattern="/admin**" access="hasRole('ROLE_USER')" /> <logout logout-url="/logout" logout-success-url="/logoutPage" invalidate-session="true"/> <csrf disabled="true" /> </http> <authentication-manager> <authentication-provider> <user-service> <user name="yanming" password="123" authorities="ROLE_USER" /> </user-service> </authentication-provider> </authentication-manager></beans:beans>我们来解释一下这段代码:
1.http auto-config:默认的策略进行访问控制,包括一个默认的访问登录界面(我们在这个项目中并没有提供登陆的界面,稍后会说到)
2.authentication-manager:认证管理器负责确定用户的身份,认证管理器由AuthenticationManager接口定义,这里我们就用了缓存的用户信息
3.intercept-url pattern :通过pattern指定当前intercept-url定义应当作用于哪些url。
4.logout:匹配我们退出登录的url 在我们的Spring Security4.x中,我们需要关闭csrf才能够使用/logout。
web.xml中配置filter以及servlet:
<?xml version="1.0" encoding="UTF-8"?><web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> <display-name>Spring MVC Application</display-name> <!-- Spring MVC --> <servlet> <servlet-name>DispatcherServlet</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet </servlet-class> <init-param> <!--Sources标注的文件夹下需要新建一个spring文件夹--> <param-name>contextConfigLocation</param-name> <param-value>/WEB-INF/DispatcherServlet.xml</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>DispatcherServlet</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener </listener-class> </listener> <!-- Loads Spring Security config file --> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/security.xml </param-value> </context-param> <!-- Spring Security --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping></web-app>在Hello包中定义HelloController:
package Hello;import org.springframework.stereotype.Controller;import org.springframework.web.bind.annotation.RequestMapping;import org.springframework.web.bind.annotation.RequestMethod;import org.springframework.web.servlet.ModelAndView;/** * Created by YanMing on 2017/3/15. */@Controllerpublic class HelloController { @RequestMapping(value = {"/" ,"/welcome"},method = RequestMethod.GET) public ModelAndView homePage(){ ModelAndView modelAndView = new ModelAndView(); modelAndView.addObject("title","Hello world"); modelAndView.setViewName("home"); return modelAndView; } @RequestMapping(value = {"/logoutPage"},method = RequestMethod.GET) public ModelAndView logoutPage(){ ModelAndView modelAndView = new ModelAndView(); modelAndView.setViewName("logout"); return modelAndView; } @RequestMapping(value = "/admin",method = RequestMethod.GET) public ModelAndView adminPage(){ ModelAndView modelAndView = new ModelAndView(); modelAndView.addObject("title","Please log in"); modelAndView.setViewName("admin"); return modelAndView; }}三个映射很简单,返回三个modelandview对象,匹配对应url同时返回相应的jsp文件。
在WEB-INF中定义jsp文件:
admin.jsp:
<%-- Created by IntelliJ IDEA. User: YanMing Date: 2017/3/14 Time: 21:31 To change this template use File | Settings | File Templates.--%><%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%><%@page session="true"%><html><body><h1>Title:${title}</h1><c:if test="${pageContext.request.userPrincipal.name != null}"> <h2>Welcome:${pageContext.request.userPrincipal.name} |<a href="<c:url value="/logout" />" > Logout</a></h2></c:if></body></html>home.jsp:
<%-- Created by IntelliJ IDEA. User: YanMing Date: 2017/3/15 Time: 14:51 To change this template use File | Settings | File Templates.--%><%@page session="false"%><%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%><html><body><h1>Title:${title}</h1><a href="<c:url value="/admin" />" >Login</a></h2></body></html>logout.jsp(对应退出成功以后的页面):
<%-- Created by IntelliJ IDEA. User: YanMing Date: 2017/3/15 Time: 15:43 To change this template use File | Settings | File Templates.--%><%@ page contentType="text/html;charset=UTF-8" language="java" %><html><head> <h1>Logout Successfully!</h1></head><body></body></html>
配置Tomcat,不会配置的同学点击之前文章
然后在页面中输入localhost:8080
点击Login:
输入 yaming 123 登录
点击Logout
至此,一个简单的Spring Security的登录例子就写完了。在下一篇文章中,我们会开始使用数据库来存储我们的用户名密码。所以,我会重新使用Java 来配置Spring Security。不过,xml的配置过程显得很清晰,理解起来也很简单。同时下篇文章我也会详细的讲解Spring Security的核心部分以及具体过程。
本文Github源码下载
P.S. 文章不妥之处还望指正
- Spring实战系列
- [Spring实战系列]
- [Spring实战系列]
- [Spring实战系列]
- [Spring实战系列]
- [Spring实战系列]
- [Spring实战系列]
- [Spring实战系列]
- [Spring Boot实战系列]
- [Spring实战系列]
- [Spring实战系列]
- [Spring实战系列]
- [Spring实战系列]
- [Spring Boot实战系列]
- [Spring Boot实战系列]
- [Spring Boot实战系列]
- Spring Boot实战系列教程
- 【Spring Security实战系列】Spring Security实战(一)
- ASTableNode+MJRefresh教程
- ch5 link analysis
- 深入嵌入式系统的bootloader
- iOS NSObject中forwardInvocation消息重定向
- Node.js简介
- [Spring实战系列]
- Unit 4-Lecture 5: Expectation
- Android属性动画完全解析(上),初识属性动画的基本用法
- noi-8175-将字符串中的小写字母转换成大写字母
- 下载网页视频
- jQuery的加法运算
- MyBatis参数传入集合之foreach动态sql
- ThinkPHP5 select出来的结果是个对象?居然还可以以数组形式访问数据?
- 手写数字识别系统编程技巧