Spring Security入门简单小demo，外加结合自己项目中使用

SpringSecurity，这是一种基于Spring AOP和Servlet过滤器的安全框架。它提供全面的安全性解决方案，同时在Web请求级和方法调用级处理身份确认和授权。在Spring Framework基础上，Spring Security充分利用了依赖注入（DI，Dependency Injection）和面向切面技术

---

pom.xml配置

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0modelVersion>
    <groupId>cn.itcast.demogroupId>
    <artifactId>spring-security-demoartifactId>
    <packaging>warpackaging>
    <version>0.0.1-SNAPSHOTversion>
    <properties>
        <spring.version>4.2.4.RELEASEspring.version>
    properties>

    <dependencies>

        <dependency>
            <groupId>org.springframeworkgroupId>
            <artifactId>spring-coreartifactId>
            <version>${spring.version}version>
        dependency>
        <dependency>
            <groupId>org.springframeworkgroupId>
            <artifactId>spring-webartifactId>
            <version>${spring.version}version>
        dependency>

        <dependency>
            <groupId>org.springframeworkgroupId>
            <artifactId>spring-webmvcartifactId>
            <version>${spring.version}version>
        dependency>

        <dependency>
            <groupId>org.springframeworkgroupId>
            <artifactId>spring-context-supportartifactId>
            <version>${spring.version}version>
        dependency>

        <dependency>
            <groupId>org.springframeworkgroupId>
            <artifactId>spring-testartifactId>
            <version>${spring.version}version>
        dependency>

        <dependency>
            <groupId>org.springframeworkgroupId>
            <artifactId>spring-jdbcartifactId>
            <version>${spring.version}version>
        dependency>

        <dependency>
            <groupId>org.springframework.securitygroupId>
            <artifactId>spring-security-webartifactId>
            <version>4.1.0.RELEASEversion>
        dependency>

        <dependency>
            <groupId>org.springframework.securitygroupId>
            <artifactId>spring-security-configartifactId>
            <version>4.1.0.RELEASEversion>
        dependency>

        <dependency>
            <groupId>javax.servletgroupId>
            <artifactId>servlet-apiartifactId>
            <version>2.5version>
            <scope>providedscope>
        dependency>


    dependencies>
    <build>
      <plugins>     
          
          <plugin>
                <groupId>org.apache.maven.pluginsgroupId>
                <artifactId>maven-compiler-pluginartifactId>
                <version>3.2version>
                <configuration>
                    <source>1.7source>
                    <target>1.7target>
                    <encoding>UTF-8encoding>
                configuration>
          plugin>      
          <plugin>
                <groupId>org.apache.tomcat.mavengroupId>
                <artifactId>tomcat7-maven-pluginartifactId>
                <configuration>
                    
                    <port>9090port>
                    
                    <path>/path>
                configuration>
          plugin>
       plugins>  
    build>
project>

---

spring-security配置文件：spring-security.xml配置

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    
    <http pattern="/login.html" security="none">http>
    <http pattern="/error.html" security="none">http>                 


    
    <http use-expressions="false">
        
        <intercept-url pattern="/**" access="ROLE_USER" />
        
        <form-login login-page="/login.html" default-target-url="/index.html" authentication-failure-forward-url="/error.html"/>
        <csrf disabled="true"/>
        
        <logout/>
    http>

    
    <authentication-manager>
        <authentication-provider>
            <user-service>
                
                <user name="admin" password="123456" authorities="ROLE_USER"/>
            user-service>
        authentication-provider>
    authentication-manager>

beans:beans>

---

web.xml配置

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">  

     <context-param>
        <param-name>contextConfigLocationparam-name>
        <param-value>classpath:spring-security.xmlparam-value>
     context-param>
     <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        listener-class>
     listener>

    
     <filter>  
        <filter-name>springSecurityFilterChainfilter-name>  
        <filter-class>org.springframework.web.filter.DelegatingFilterProxyfilter-class>  
     filter>  
     <filter-mapping>  
        <filter-name>springSecurityFilterChainfilter-name>  
        <url-pattern>/*url-pattern>  
     filter-mapping>

web-app>

---

简单登录页编写（不写也可以，spring-security会有默认测试的登录页，直接进入localhost:9090/login 能看到）

-----欢迎登录----
    
    <form action="/login" method="post">
        用户名:<input name="username"> br>
        密码：<input name="password" type="password">br>
        <button>登录button>
    form>

注意：要是需要自己编写的登录页,需要不对页面进行验证拦截，否则会重定向请求死循环而跳不到登录页

解决：
在spring-security.xml配置拦截规则：

    
    <http pattern="/login.html" security="none">http>
    <http pattern="/error.html" security="none">http>

---

在项目中使用

要是需要用到内置的页面框架（那种后台的嵌套框架），则需要在配置文件spring-security.xml的页面拦截规则中加上配置

        <headers>
            <frame-options policy="SAMEORIGIN"/>
        headers>

项目中存在的资源文件也要不进行拦截：

    <http pattern="/css/**" security="none">http>
    <http pattern="/img/**" security="none">http>
    <http pattern="/js/**" security="none">http>
    <http pattern="/plugins/**" security="none">http>

后端Controlller获取成功登陆的用户名，以JSON数据返回给前端页面

@RestController
@RequestMapping("/login")
public class LoginController {

    @RequestMapping("/loginName")
    public Map loginName() {
        String name = SecurityContextHolder.getContext().getAuthentication().getName();
        Map map = new HashMap<>();
        map.put("loginName", name);
        return map;
    }
}

配置退出登陆操作，清理掉登陆的缓存

对应的前端退出/注销操作的代码

<div class="pull-right">
    <a href="../logout" class="btn btn-default btn-flat">注销a>
div>