spring-security3.1 + spring mvc + Hibernate 控制系统权限
第一步
加入applicationContext.xml与spring-mvc.xml到src目录
spring-mvc.xml
第六步
admin.jsp
向数据库中添加测试数据。
向index.jsp中添加两个链接
需要配置一个LoginUrlAuthenticationEntryPoint bean
配置过滤器bean
将 <http> 中的auto-config 属性删除。加上 entry-point-ref="authenticationProcessingFilterEntryPoint" 属性
下载spring-security3.1
解压后进入dist目录,里面有两个war文件,解压其中一个。
然后将里面的jar包全部复制到项目中。
官方中文文档下载地址:http://www.asdtiang.org/wp-content/uploads/2011/09/Spring-Security-3.0.1-%E4%B8%AD%E6%96%87%E5%AE%98%E6%96%B9%E6%96%87%E6%A1%A3.pdf
第二步
配置web.xml spring的监听器, 以及spring-mvc的监听器
- <?xml version="1.0" encoding="UTF-8"?>
- <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
- http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
- <display-name></display-name>
- <welcome-file-list>
- <welcome-file>index.jsp</welcome-file>
- </welcome-file-list>
- <context-param>
- <param-name>contextConfigLocation</param-name>
- <param-value>
- classpath*:applicationContext.xml,
- </param-value>
- </context-param>
- <listener>
- <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
- </listener>
- <servlet>
- <servlet-name>springmvc</servlet-name>
- <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
- <init-param>
- <param-name>contextConfigLocation</param-name>
- <param-value>classpath*:spring-mvc.xml</param-value>
- </init-param>
- <load-on-startup>1</load-on-startup>
- </servlet>
- <servlet-mapping>
- <servlet-name>springmvc</servlet-name>
- <url-pattern>*.action</url-pattern>
- </servlet-mapping>
- </web-app>
加入applicationContext.xml与spring-mvc.xml到src目录
applicationContext.xml
- <?xml version="1.0" encoding="UTF-8"?>
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
- xmlns:mvc="http://www.springframework.org/schema/mvc"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/context
- http://www.springframework.org/schema/context/spring-context-3.0.xsd
- http://www.springframework.org/schema/mvc
- http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
- <!-- 启用注解方式 -->
- <context:annotation-config />
- <context:component-scan base-package="com.zf" />
- <!-- 启用mvc注解 -->
- <mvc:annotation-driven />
- </beans>
spring-mvc.xml
- <?xml version="1.0" encoding="UTF-8"?>
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
- <!-- 视图解析器 -->
- <bean id="viewResolver"
- class="org.springframework.web.servlet.view.InternalResourceViewResolver"
- p:prefix="/WEB-INF/jsp/" p:suffix=".jsp" />
- </beans>
加入spring-security.xml配置文件
- <?xml version="1.0" encoding="UTF-8"?>
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:security="http://www.springframework.org/schema/security"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.1.xsd">
- <!--use-expressions="true" 的意思是开启表达式 access-denied-page的意思是,当验证权限失败后会跳转到的页面 -->
- <security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied" >
- </security:http>
- <!-- 配置一个认证管理器 -->
- <security:authentication-manager>
- <security:authentication-provider>
- <security:user-service>
- <!-- 这样的配置表示向系统中添加了一个用户 用户名和密码都为admin ,并且该用户拥有ROLE_USER角色(角色可以用逗号隔开) -->
- <security:user name="admin" password="admin" authorities="ROLE_USER"/>
- </security:user-service>
- </security:authentication-provider>
- </security:authentication-manager>
- </beans>
第四步
在web.xml中配置SpringSecurity拦截器(如果不先进行第三步的配置,下面配置完之后,tomcat启动会报错)
- <!-- 配置SpringSecurity -->
- <filter>
- <filter-name>springSecurityFilterChain</filter-name>
- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>springSecurityFilterChain</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
好了,现在已经配置完成,tomcat已经可以启动了。但是还没有配置具体的权限策略。
第五步
配置Hibernate
在applicationContext.xml中配置JPA
- <span> </span><!-- 开启注解事物 -->
- <span> </span> <tx:annotation-driven transaction-manager="transactionManager" proxy-target-class="true" />
- <span> </span>
- <span> </span><!-- 配置hibernate -->
- <span> </span><bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" destroy-method="close">
- <!-- 指定连接数据库的驱动 -->
- <property name="driverClass" value="com.mysql.jdbc.Driver"/>
- <!-- 指定连接数据库的URL -->
- <property name="jdbcUrl" value="jdbc:mysql:///spring-scurity"/>
- <!-- 指定连接数据库的用户名 -->
- <property name="user" value="root"/>
- <!-- 指定连接数据库的密码 -->
- <property name="password" value="root"/>
- <!-- 指定连接数据库连接池的最大连接数 -->
- <property name="maxPoolSize" value="20"/>
- <!-- 指定连接数据库连接池的最小连接数 -->
- <property name="minPoolSize" value="1"/>
- <!-- 指定连接数据库连接池的初始化连接数 -->
- <property name="initialPoolSize" value="1"/>
- <!-- 指定连接数据库连接池的连接的最大空闲时间 -->
- <property name="maxIdleTime" value="20"/>
- </bean>
- <bean id="sessionFactory" class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean" >
- <property name="dataSource" ref="dataSource"></property>
- <property name="hibernateProperties">
- <props>
- <prop key="hibernate.dialect">org.hibernate.dialect.MySQL5InnoDBDialect</prop>
- <prop key="hibernate.show_sql">true</prop>
- <prop key="hibernate.query.substitutions">true 1,false 0</prop>
- <prop key="hibernate.hbm2ddl.auto">update</prop>
- </props>
- </property>
- <property name="packagesToScan">
- <list>
- <value>com.zf.pojo</value>
- </list>
- </property>
- </bean>
- <!-- 事务管理器 -->
- <bean id="transactionManager" class="org.springframework.orm.hibernate3.HibernateTransactionManager">
- <property name="sessionFactory" ref="sessionFactory"></property>
- </bean>
第六步
编写实体类与DAO
- package com.zf.pojo;
- import java.util.ArrayList;
- import java.util.Date;
- import java.util.List;
- import javax.persistence.Entity;
- import javax.persistence.GeneratedValue;
- import javax.persistence.GenerationType;
- import javax.persistence.Id;
- import javax.persistence.JoinColumn;
- import javax.persistence.JoinTable;
- import javax.persistence.ManyToMany;
- import javax.persistence.Table;
- import javax.persistence.Temporal;
- import javax.persistence.TemporalType;
- @Entity
- @Table(name = "etuser")
- public class ETUser {
- @Id
- @GeneratedValue(strategy = GenerationType.AUTO)
- private int id ;
- private String username ;
- private String password ;
- private int age ;
- @ManyToMany
- @JoinTable(name="user_role" , joinColumns = {
- @JoinColumn(name = "userid")
- }, inverseJoinColumns = {@JoinColumn(name="roleid")})
- private List<ETRole> roles = new ArrayList<ETRole>();
- @Temporal(TemporalType.DATE)
- private Date regDate ;
- public int getId() {
- return id;
- }
- public void setId(int id) {
- this.id = id;
- }
- public String getUsername() {
- return username;
- }
- public void setUsername(String username) {
- this.username = username;
- }
- public String getPassword() {
- return password;
- }
- public void setPassword(String password) {
- this.password = password;
- }
- public int getAge() {
- return age;
- }
- public void setAge(int age) {
- this.age = age;
- }
- public Date getRegDate() {
- return regDate;
- }
- public void setRegDate(Date regDate) {
- this.regDate = regDate;
- }
- public List<ETRole> getRoles() {
- return roles;
- }
- public void setRoles(List<ETRole> roles) {
- this.roles = roles;
- }
- }
- package com.zf.pojo;
- import java.util.ArrayList;
- import java.util.List;
- import javax.persistence.Entity;
- import javax.persistence.GeneratedValue;
- import javax.persistence.GenerationType;
- import javax.persistence.Id;
- import javax.persistence.JoinColumn;
- import javax.persistence.JoinTable;
- import javax.persistence.ManyToMany;
- import javax.persistence.Table;
- @Entity
- @Table(name = "etrole")
- public class ETRole {
- @Id
- @GeneratedValue(strategy = GenerationType.AUTO)
- private int id;
- private String roleCode ;
- private String despripe ;
- @ManyToMany
- @JoinTable(name="user_role" , joinColumns = {
- @JoinColumn(name = "roleid")
- }, inverseJoinColumns = {@JoinColumn(name="userid")})
- private List<ETUser> users = new ArrayList<ETUser>();
- public int getId() {
- return id;
- }
- public void setId(int id) {
- this.id = id;
- }
- public String getRoleCode() {
- return roleCode;
- }
- public void setRoleCode(String roleCode) {
- this.roleCode = roleCode;
- }
- public String getDespripe() {
- return despripe;
- }
- public void setDespripe(String despripe) {
- this.despripe = despripe;
- }
- public List<ETUser> getUsers() {
- return users;
- }
- public void setUsers(List<ETUser> users) {
- this.users = users;
- }
- }
- package com.zf.dao;
- import java.util.List;
- import javax.annotation.Resource;
- import org.hibernate.SessionFactory;
- import org.springframework.orm.hibernate3.support.HibernateDaoSupport;
- import org.springframework.stereotype.Service;
- import org.springframework.transaction.annotation.Propagation;
- import org.springframework.transaction.annotation.Transactional;
- import com.zf.pojo.ETUser;
- @Service("UserDao")
- @Transactional(propagation = Propagation.REQUIRED)
- public class UserDao extends HibernateDaoSupport{
- /**
- * 根据用户名查询用户
- * @param username
- * @return
- */
- @SuppressWarnings("unchecked")
- public ETUser findUserByUserName(String username){
- List<ETUser> result = getHibernateTemplate().find("from ETUser e where e.username = ?"
- , username );
- if(result != null && !result.isEmpty())
- return result.get(0);
- return null ;
- }
- /**
- * 根据用户名和密码查询用户
- * @param username
- * @param password
- * @return
- */
- @SuppressWarnings("unchecked")
- public ETUser findUserBuNameAndPwd(String username , String password){
- List<ETUser> result = getHibernateTemplate().find("from ETUser e where e.username = ? and e.password = ?"
- , username , password);
- if(result != null && !result.isEmpty())
- return result.get(0);
- return null ;
- }
- @Resource(name = "sessionFactory")
- public void setMySessionFactory(SessionFactory sessionFactory){
- super.setSessionFactory(sessionFactory);
- }
- }
下面来配置使用数据库中的用户。.
编写处理用户信息的UserDetailsService实现类
- package com.zf.service;
- import java.util.ArrayList;
- import java.util.Collection;
- import java.util.List;
- import javax.annotation.Resource;
- import org.springframework.security.core.GrantedAuthority;
- import org.springframework.security.core.authority.GrantedAuthorityImpl;
- import org.springframework.security.core.userdetails.User;
- import org.springframework.security.core.userdetails.UserDetails;
- import org.springframework.security.core.userdetails.UserDetailsService;
- import org.springframework.security.core.userdetails.UsernameNotFoundException;
- import org.springframework.stereotype.Repository;
- import com.zf.dao.UserDao;
- import com.zf.pojo.ETRole;
- import com.zf.pojo.ETUser;
- /**
- * 该类用户从数据库获取用户信息和用户权限信息 提供给spring-security使用
- * @author Administrator
- *
- */
- @Repository("ETUserDetailService")
- public class ETUserDetailService implements UserDetailsService{
- @Resource(name = "UserDao")
- private UserDao userdao ;
- public UserDetails loadUserByUsername(String username)
- throws UsernameNotFoundException {
- ETUser etuser = userdao.findUserByUserName(username);
- UserDetails user = null ;
- if(etuser != null){
- user = new User(username, etuser.getPassword(), true,
- true ,
- true,
- true,findUserAuthorities(etuser) );
- }
- return user;
- }
- /**
- * 获取用户的权限
- * @param user
- * @return
- */
- @SuppressWarnings("deprecation")
- public Collection<GrantedAuthority> findUserAuthorities(ETUser user){
- List<GrantedAuthority> autthorities = new ArrayList<GrantedAuthority>();
- List<ETRole> roles = user.getRoles();
- System.out.println(roles.size());
- for (ETRole etRole : roles) {
- autthorities.add(new GrantedAuthorityImpl(etRole.getRoleCode()));
- }
- return autthorities ;
- }
- }
配置spring-security.xml 。
- <?xml version="1.0" encoding="UTF-8"?>
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:security="http://www.springframework.org/schema/security"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.1.xsd">
- <!--use-expressions="true" 的意思是开启表达式 access-denied-page的意思是,当验证权限失败后会跳转到的页面 -->
- <security:http auto-config="true" use-expressions="true" access-denied-page="/powermiss.jsp" >
- <!-- 对登录页面,所有的用户都可以访问 -->
- <security:intercept-url pattern="/login.jsp" access="permitAll" />
- <!-- 对所有的资源,都必须要有ROLE_USER角色的用户 才可以访问 -->
- <security:intercept-url pattern="/*" access="hasRole('ADMIN')" />
- <!-- 配置登录页面为login.jsp ,登录成功默认跳转到index.jsp,登录失败返回login.jsp并携带参数error=true -->
- <security:form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true" />
- </security:http>
- <!-- 配置一个认证管理器 -->
- <security:authentication-manager>
- <!-- 使用自定义的UserDetailService -->
- <security:authentication-provider user-service-ref="ETUserDetailService">
- <!-- 下面的内容就可注释掉了 -->
- <!-- <security:user-service> -->
- <!-- 这样的配置表示向系统中添加了一个用户 用户名和密码都为admin ,并且该用户拥有ROLE_USER角色(角色可以用逗号隔开) -->
- <!-- <security:user name="admin" password="admin" authorities="ROLE_USER"/> -->
- <!-- </security:user-service> -->
- </security:authentication-provider>
- </security:authentication-manager>
- </beans>
web.mvc 中配置openSessionInView
- <filter>
- <filter-name>openSessionInView</filter-name>
- <filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
- <init-param>
- <param-name>singleSession</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>openSessionInView</filter-name>
- <url-pattern>*.action</url-pattern>
- </filter-mapping>
- <!-- 如果配置opensessionInView ,别忘了给login的action也加上 -->
- <filter-mapping>
- <filter-name>openSessionInView</filter-name>
- <url-pattern>/j_spring_security_check</url-pattern>
- </filter-mapping>
spring-mvc.xml 中配置OpenSessionInView
- <!-- 处理在类级别上的@RequestMapping注解 -->
- <bean
- class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
- <property name="interceptors"> <!-- 配置过滤器 -->
- <list>
- <ref bean="openSessionInView" />
- </list>
- </property>
- </bean>
- <!-- 将OpenSessionInView 打开 -->
- <bean id="openSessionInView"
- class="org.springframework.orm.hibernate3.support.OpenSessionInViewInterceptor">
- <property name="sessionFactory" ref="sessionFactory"></property>
- </bean>
编写测试用的页面。
login.jsp
- <%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
- <%
- String path = request.getContextPath();
- String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
- %>
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
- <html>
- <head>
- <base href="<%=basePath%>">
- <title>My JSP 'index.jsp' starting page</title>
- <meta http-equiv="pragma" content="no-cache">
- <meta http-equiv="cache-control" content="no-cache">
- <meta http-equiv="expires" content="0">
- <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
- <meta http-equiv="description" content="This is my page">
- <!--
- <link rel="stylesheet" type="text/css" href="styles.css">
- -->
- </head>
- <body>
- <h3>用户登录</h3>
- <!-- from的action地址,以及用户名密码的name 。都是spring-security固定的。 -->
- <form action="<%=basePath %>j_spring_security_check" method="post">
- <p>
- <label for="j_username">Username</label> <input id="j_username"
- name="j_username" type="text" />
- </p>
- <p>
- <label for="j_password">Password</label> <input id="j_password"
- name="j_password" type="password" />
- </p>
- <input type="submit" value="Login" />
- </form>
- </body>
- </html>
index.jsp
- <%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
- <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
- <%
- String path = request.getContextPath();
- String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
- %>
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
- <html>
- <head>
- <base href="<%=basePath%>">
- <title>My JSP 'index.jsp' starting page</title>
- <meta http-equiv="pragma" content="no-cache">
- <meta http-equiv="cache-control" content="no-cache">
- <meta http-equiv="expires" content="0">
- <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
- <meta http-equiv="description" content="This is my page">
- <!--
- <link rel="stylesheet" type="text/css" href="styles.css">
- -->
- </head>
- <body>
- <h3>登录成功,欢迎您:<sec:authentication property="name" /></h3>
- <a href="<%=basePath%>admin.jsp">进入管理员页面</a>
- <a href="<%=basePath%>vip.jsp">进入会员页面</a>
- <a href="<%=basePath%>auth/logout">注销</a>
- </body>
- </html>
admin.jsp
- <%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
- <%
- String path = request.getContextPath();
- String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
- %>
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
- <html>
- <head>
- <base href="<%=basePath%>">
- <title>My JSP 'index.jsp' starting page</title>
- <meta http-equiv="pragma" content="no-cache">
- <meta http-equiv="cache-control" content="no-cache">
- <meta http-equiv="expires" content="0">
- <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
- <meta http-equiv="description" content="This is my page">
- <!--
- <link rel="stylesheet" type="text/css" href="styles.css">
- -->
- </head>
- <body>
- <h3>管理员页面</h3>
- </body>
- </html>
- <%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
- <%
- String path = request.getContextPath();
- String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
- %>
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
- <html>
- <head>
- <base href="<%=basePath%>">
- <title>My JSP 'index.jsp' starting page</title>
- <meta http-equiv="pragma" content="no-cache">
- <meta http-equiv="cache-control" content="no-cache">
- <meta http-equiv="expires" content="0">
- <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
- <meta http-equiv="description" content="This is my page">
- <!--
- <link rel="stylesheet" type="text/css" href="styles.css">
- -->
- </head>
- <body>
- <h3>会员页面</h3>
- </body>
- </html>
powermiss.jsp
- <%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
- <%
- String path = request.getContextPath();
- String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
- %>
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
- <html>
- <head>
- <base href="<%=basePath%>">
- <title>My JSP 'powermiss.jsp' starting page</title>
- <meta http-equiv="pragma" content="no-cache">
- <meta http-equiv="cache-control" content="no-cache">
- <meta http-equiv="expires" content="0">
- <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
- <meta http-equiv="description" content="This is my page">
- <!--
- <link rel="stylesheet" type="text/css" href="styles.css">
- -->
- </head>
- <body>
- <h1 style="color: red;">对不起,您无权访问该资源!</h1>
- </body>
- </html>
重新配置spring-security.xml 中各资源的权限
- <?xml version="1.0" encoding="UTF-8"?>
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:security="http://www.springframework.org/schema/security"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.1.xsd">
- <!--use-expressions="true" 的意思是开启表达式 access-denied-page的意思是,当验证权限失败后会跳转到的页面 -->
- <security:http auto-config="true" use-expressions="true" access-denied-page="/powermiss.jsp" >
- <!-- 对登录页面,所有的用户都可以访问 -->
- <security:intercept-url pattern="/login.jsp*" access="permitAll" />
- <security:intercept-url pattern="/vip.jsp*" access="hasRole('VIP')" />
- <security:intercept-url pattern="/admin.jsp*" access="hasRole('ADMIN')" />
- <!-- 对所有的资源,都必须要有COMM权限 才可以访问 -->
- <security:intercept-url pattern="/*" access="hasRole('COMM')" />
- <!-- 配置登录页面为login.jsp ,登录成功默认跳转到index.jsp,登录失败返回login.jsp并携带参数error=true -->
- <security:form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true" />
- <!-- 退出配置 -->
- <security:logout invalidate-session="true" logout-success-url="/login.jsp" logout-url="/auth/logout"/>
- </security:http>
- <!-- 配置一个认证管理器 -->
- <security:authentication-manager>
- <!-- 使用自定义的UserDetailService -->
- <security:authentication-provider user-service-ref="ETUserDetailService">
- <!-- 下面的内容就可注释掉了 -->
- <!-- <security:user-service> -->
- <!-- 这样的配置表示向系统中添加了一个用户 用户名和密码都为admin ,并且该用户拥有ROLE_USER角色(角色可以用逗号隔开) -->
- <!-- <security:user name="admin" password="admin" authorities="ROLE_USER"/> -->
- <!-- </security:user-service> -->
- </security:authentication-provider>
- </security:authentication-manager>
- </beans>
向数据库中添加测试数据。
然后就可以测试访问了。
使用注解方式对指定的方法进行权限控制
AdminService.java
- package com.zf.service;
- import javax.annotation.security.RolesAllowed;
- import org.springframework.security.access.prepost.PreAuthorize;
- public interface AdminService {
- /* 拥有 Admin 权限才能的方法 ,必须定义在接口上面*/
- @PreAuthorize("hasRole('ADMIN')")
- public String test01() ;
- @RolesAllowed({"ADMIN"})
- public String test02();
- /* 上面的两种注解都可以 */
- }
- package com.zf.service;
- import org.springframework.stereotype.Service;
- @Service("AdminServiceImpl")
- public class AdminServiceImpl implements AdminService{
- public String test01(){
- System.out.println("方法test01被Admin用户调用");
- return "success";
- }
- public String test02() {
- System.out.println("方法test02被Admin用户调用");
- return "success";
- }
- }
- package com.zf.control;
- import javax.annotation.Resource;
- import org.springframework.context.annotation.Scope;
- import org.springframework.stereotype.Controller;
- import org.springframework.web.bind.annotation.RequestMapping;
- import org.springframework.web.servlet.ModelAndView;
- import com.zf.service.AdminService;
- @Controller
- @RequestMapping("/admin/")
- @Scope("request")
- public class AdminController {
- @Resource(name = "AdminServiceImpl")
- private AdminService adminService;
- @RequestMapping(value = "test01")
- public ModelAndView test01(){
- ModelAndView mav = new ModelAndView("admin");
- System.out.println(adminService.test01());
- return mav ;
- }
- @RequestMapping(value = "test02")
- public ModelAndView test02(){
- ModelAndView mav = new ModelAndView("admin");
- System.out.println(adminService.test01());
- return mav ;
- }
- }
向index.jsp中添加两个链接
<a href="<%=basePath%>admin/test01.action">/admin/test01</a>
<a href="<%=basePath%>admin/test02.action">/admin/test02</a>
现在就可以测试了。
在jsp页面使用security标签需要引入<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>库
如果是使用freemarker ,配置方法见 http://blog.sina.com.cn/s/blog_55bba7c10100h5bz.html
其他功能
在http标签内配置
- <!-- 配置session失效之后跳转到的页面 session-authentication-error-url指向的是登录被限制后跳转到的页面 -->
- <span style="white-space:pre"> </span><security:session-management invalid-session-url="/sessiontimeout.jsp" session-authentication-error-url="/loginerror.jsp">
- <span style="white-space:pre"> </span><!-- 配置一个帐号同时只能有一个会话,这样当有第二个用户登录的时候,第一个用户就会失效 -->
- <span style="white-space:pre"> </span><security:concurrency-control max-sessions="1" />
- <span style="white-space:pre"> </span><!-- 配置一个帐号同时智能有一个会话 ,并且第第二个尝试登录的账户不能让他登录,然后跳转到session-authentication-error-url指向的页面-->
- <span style="white-space:pre"> </span><security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
- <span style="white-space:pre"> </span></security:session-management>
配置登录验证码实例:
写一个VolidateAuthCodeUsernamePasswordAuthenticationFilter继承UsernamePasswordAuthenticationFilter用于验证用户登录
- package com.zf.myfilter;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import org.springframework.security.core.Authentication;
- import org.springframework.security.core.AuthenticationException;
- import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
- /**
- * 扩展UsernamePasswordAuthenticationFilter加上验证码的功能
- *
- * @author Administrator
- *
- */
- public class VolidateAuthCodeUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter{
- @Override
- public Authentication attemptAuthentication(HttpServletRequest request,
- HttpServletResponse response) throws AuthenticationException {
- System.out.println("进入了VolidateAuthCodeUsernamePasswordAuthenticationFilter" + request.getParameter("j_username"));
- //这里可以进行验证验证码的操作
- return super.attemptAuthentication(request, response);
- }
- }
需要配置一个LoginUrlAuthenticationEntryPoint bean
- <bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
- <property name="loginFormUrl" value="/login.jsp"></property>
- </bean>
配置过滤器bean
- <!-- 验证码过滤器 -->
- <bean id="validateCodeAuthenticationFilter"
- class="com.zf.myfilter.VolidateAuthCodeUsernamePasswordAuthenticationFilter">
- <property name="authenticationSuccessHandler"
- ref="loginLogAuthenticationSuccessHandler"></property>
- <property name="authenticationFailureHandler"
- ref="simpleUrlAuthenticationFailureHandler"></property>
- <property name="authenticationManager" ref="authenticationManager"></property>
- </bean>
- <!-- 登录成功 -->
- <bean id="loginLogAuthenticationSuccessHandler"
- class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
- <property name="defaultTargetUrl" value="/index.jsp"></property>
- </bean>
- <!-- 登录失败 -->
- <bean id="simpleUrlAuthenticationFailureHandler"
- class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
- <property name="defaultFailureUrl" value="/index.jsp?error=true"></property>
- </bean>
将 <http> 中的auto-config 属性删除。加上 entry-point-ref="authenticationProcessingFilterEntryPoint" 属性
并将<form-login> 删除,使用<security:custom-filter
ref="validateCodeAuthenticationFilter" position="FORM_LOGIN_FILTER"
/> 替代 FORM_LOGIN_FILTER拦截器
完整的spring-security.xml 配置如下:
- <?xml version="1.0" encoding="UTF-8"?>
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.1.xsd">
- <!-- 启用注解方式对方法的权限控制 -->
- <security:global-method-security
- pre-post-annotations="enabled" secured-annotations="enabled"
- jsr250-annotations="enabled" proxy-target-class="true">
- <security:protect-pointcut access="VIP"
- expression="execution(* com.zf.service.VipService.*(..))" />
- </security:global-method-security>
- <!--use-expressions="true" 的意思是开启表达式 access-denied-page的意思是,当验证权限失败后会跳转到的页面 -->
- <security:http use-expressions="true" access-denied-page="/powermiss.jsp" entry-point-ref="authenticationProcessingFilterEntryPoint">
- <!-- 对登录页面,所有的用户都可以访问 -->
- <security:intercept-url pattern="/login.jsp*"
- access="permitAll" />
- <security:intercept-url pattern="/vip.jsp*"
- access="hasRole('VIP')" />
- <security:intercept-url pattern="/admin.jsp*"
- access="hasRole('ADMIN')" />
- <!-- 对所有的资源,都必须要有COMM权限 才可以访问 -->
- <security:intercept-url pattern="/*"
- access="hasRole('COMM')" />
- <!-- 使用自己的过滤器 -->
- <!-- 下面的配置表示将自己的过滤器放在FORM_LOGIN_FILTER过滤链的最前面(可以这样来验证登录验证码) -->
- <security:custom-filter
- ref="validateCodeAuthenticationFilter" position="FORM_LOGIN_FILTER"
- />
- <!-- 配置登录页面为login.jsp ,登录成功默认跳转到index.jsp,登录失败返回login.jsp并携带参数error=true -->
- <!-- <security:form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true" /> -->
- <!-- 退出配置 -->
- <security:logout invalidate-session="true"
- logout-success-url="/login.jsp" logout-url="/auth/logout" />
- </security:http>
- <bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
- <property name="loginFormUrl" value="/login.jsp"></property>
- </bean>
- <!-- 验证码过滤器 -->
- <bean id="validateCodeAuthenticationFilter"
- class="com.zf.myfilter.VolidateAuthCodeUsernamePasswordAuthenticationFilter">
- <property name="authenticationSuccessHandler"
- ref="loginLogAuthenticationSuccessHandler"></property>
- <property name="authenticationFailureHandler"
- ref="simpleUrlAuthenticationFailureHandler"></property>
- <property name="authenticationManager" ref="authenticationManager"></property>
- </bean>
- <!-- 登录成功 -->
- <bean id="loginLogAuthenticationSuccessHandler"
- class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
- <property name="defaultTargetUrl" value="/index.jsp"></property>
- </bean>
- <!-- 登录失败 -->
- <bean id="simpleUrlAuthenticationFailureHandler"
- class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
- <property name="defaultFailureUrl" value="/index.jsp?error=true"></property>
- </bean>
- <!-- 配置一个认证管理器 -->
- <security:authentication-manager alias="authenticationManager">
- <!-- 使用自定义的UserDetailService -->
- <security:authentication-provider
- user-service-ref="ETUserDetailService">
- <!-- 下面的内容就可注释掉了 -->
- <!-- <security:user-service> -->
- <!-- 这样的配置表示向系统中添加了一个用户 用户名和密码都为admin ,并且该用户拥有ROLE_USER角色(角色可以用逗号隔开) -->
- <!-- <security:user name="admin" password="admin" authorities="ROLE_USER"/> -->
- <!-- </security:user-service> -->
- </security:authentication-provider>
- </security:authentication-manager>
- </beans>
SPEL 表达式
- //拥有DISUSER_PUBLISH_ROOM一个权限就可以访问
- / @PreAuthorize("hasRole('DISUSER_PUBLISH_ROOM')")
- //拥有DISUSER_PUBLISH_ROOM、DISUSER_MODIFY_ROOM中任意一个权限即可访问
- @PreAuthorize("hasAnyRole('DISUSER_PUBLISH_ROOM','DISUSER_ADMIN')")
- // or
- / @PreAuthorize("hasRole('DISUSER_PUBLISH_ROOM') or hasRole('DISUSER_MODIFY_ROOM')")
- //必须同时拥有DISUSER_PUBLISH_ROOM、DISUSER_MODIFY_ROOM两个权限才可以访问
- //@PreAuthorize("hasRole('DISUSER_PUBLISH_ROOM') and hasRole('DISUSER_MODIFY_ROOM')")
原文地址:http://blog.csdn.net/is_zhoufeng/article/details/8495310