spring security 之用户和权限用数据库存储
本项目是根据http://www.blogjava.net/SpartaYew/archive/2011/05/19/SpingSecurity3.html 第二种方法实现的,并将之改成spring security3.1版本
本项目基于spring security3.1+oracle 10
下面是用到的两个表(用户表和权限表)的SQL语句,用户和权限均存储在数据库中。
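-- Schema for the JDBC user store (Spring Security 3.1 on Oracle 10g).
-- JdbcUserDetailsManager's default queries read USERS(USERNAME, PASSWORD, ENABLED)
-- and AUTHORITIES(USERNAME, AUTHORITY); keep those column names unchanged.
create table USERS (
    USERNAME   VARCHAR2(50)  not null,
    -- Widened from 50: the project currently stores plaintext, but once a
    -- salted adaptive hash is configured (BCrypt output is 60 characters)
    -- the original width would truncate or reject the stored value.
    PASSWORD   VARCHAR2(500) not null,
    -- 1 = account may log in, 0 = disabled; the CHECK keeps other values out.
    ENABLED    NUMBER(1)     not null,
    -- Display name (Chinese); not read by Spring Security.
    USERNAMECN VARCHAR2(50),
    constraint USERS_PK primary key (USERNAME),
    constraint USERS_ENABLED_CHECK check (ENABLED in (0, 1))
);

create table AUTHORITIES (
    USERNAME  VARCHAR2(50) not null,
    AUTHORITY VARCHAR2(50) not null,
    -- Every grant must point at an existing user; without the FK a typo in
    -- USERNAME silently creates a grant nobody can use or audit.
    constraint AUTHORITIES_USERNAME_FK foreign key (USERNAME)
        references USERS (USERNAME),
    -- One row per (user, role); duplicates only inflate the granted-authority list.
    constraint AUTHORITIES_USERNAME_AUTHORITY_UK unique (USERNAME, AUTHORITY)
);

-- Required by <remember-me data-source-ref="dataSource"/> in
-- applicationContext-security.xml: the persistent token repository reads and
-- writes this table, keyed by SERIES.
create table PERSISTENT_LOGINS (
    USERNAME  VARCHAR2(64) not null,
    SERIES    VARCHAR2(64) not null,
    TOKEN     VARCHAR2(64) not null,
    LAST_USED TIMESTAMP    not null,
    constraint PERSISTENT_LOGINS_PK primary key (SERIES)
);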
相关配置
将权限及资源(URL或Action)的关系配置在xml文件中,并且配置与Spring Security3相关的其他配置:
1.applicationContext-security.xml代码:
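<?xml version="1.0" encoding="UTF-8"?>
<!--
  applicationContext-security.xml: Spring Security 3.1 web configuration.
  Users and authorities come from the USERS / AUTHORITIES tables through the
  userDetailsManager bean (JdbcUserDetailsManager, defined in applicationContext.xml).
-->
<b:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!--
      Static resources and the public pages get no filter chain at all (security="none"):
      no SecurityContext, no session handling, no remember-me. Keep this list limited to
      content that is genuinely public. "**" spans directories, "*" stays within one.
    -->
    <http pattern="/**/*.jpg" security="none" />
    <http pattern="/**/*.png" security="none" />
    <http pattern="/**/*.gif" security="none" />
    <http pattern="/**/*.css" security="none" />
    <http pattern="/**/*.js" security="none" />
    <http pattern="/login.jsp" security="none" />
    <http pattern="/jsp/forgotpassword.jsp" security="none" />

    <!-- Spring Security 3.1 no longer accepts filters="none" on intercept-url;
         the security="none" <http> elements above replace the old exclusions. -->
    <http auto-config="true" access-denied-page="/accessDenied.jsp">
        <!--
          Role checks per URL. On login the user's AUTHORITIES rows become the
          granted-authority list; a request matching a pattern is allowed only when
          that list contains the configured role, otherwise AccessDeniedException is raised.
          Patterns use "/<area>/**" rather than "/<area>/*.jsp": the single-level
          "*.jsp" form left nested paths and non-JSP resources under each area unmatched,
          and an unmatched URL is not checked at all.
        -->
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
        <intercept-url pattern="/lxb/**" access="ROLE_LXB" />
        <intercept-url pattern="/user/**" access="ROLE_USER" />

        <!-- NOTE(review): login-page is /login.jsp but the failure URL points at /login.html;
             confirm that page exists, or redirect failures to /login.jsp?error=true instead. -->
        <form-login login-page="/login.jsp" authentication-failure-url="/login.html?error=true" />

        <!-- Persistent remember-me: tokens are stored in the database through dataSource.
             This needs the PERSISTENT_LOGINS table alongside USERS / AUTHORITIES. -->
        <remember-me data-source-ref="dataSource" />

        <!-- Requests carrying an expired or unknown session id are redirected here. -->
        <session-management invalid-session-url="/sessionTimeout.jsp" />
    </http>

    <!-- The alias lets other beans reference the manager by a stable name. -->
    <authentication-manager alias="authenticationManager">
        <!-- No <password-encoder> is configured, so PASSWORD is compared exactly
             as stored (plaintext in this project). -->
        <authentication-provider user-service-ref="userDetailsManager">
        </authentication-provider>
    </authentication-manager>
</b:beans>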
2.applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  applicationContext.xml: the data source and the JDBC-backed user store that
  applicationContext-security.xml refers to as userDetailsManager.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:jee="http://www.springframework.org/schema/jee"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">

    <!--
      DriverManagerDataSource opens a fresh connection per request (no pooling).
      The database credentials are literal values in this file; for anything beyond a
      local demo, move them to an externalised properties file or a container JNDI
      DataSource so the password is not checked in with the configuration.
    -->
    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName"><value>oracle.jdbc.driver.OracleDriver</value></property>
        <property name="url"><value>jdbc:oracle:thin:@127.0.0.1:1521:ORCL</value></property>
        <property name="username"><value>scott</value></property>
        <property name="password"><value>scott</value></property>
    </bean>

    <!-- ApplicationListener that logs security events (AuthenticationCredentialsNotFoundEvent,
         AuthorizationFailureEvent, AuthorizedEvent, PublicInvocationEvent); a cheap audit trail. -->
    <bean class="org.springframework.security.authentication.event.LoggerListener" />

    <!-- Password hashing is currently switched off, so PASSWORD is stored and compared in
         plaintext. The MD5 encoder below is unsalted and fast and is not a suitable
         replacement; prefer a salted adaptive hash (e.g. BCryptPasswordEncoder from
         spring-security-crypto) registered via <password-encoder> on the authentication-provider. -->
    <!-- <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" /> -->

    <!-- JDBC user store: reads USERS and AUTHORITIES with its default queries.
         The user cache is not wired, and group support is left at its default (off). -->
    <bean id="userDetailsManager" class="org.springframework.security.provisioning.JdbcUserDetailsManager">
        <property name="dataSource" ref="dataSource" />
        <!-- <property name="userCache" ref="userCache" /> -->
    </bean>

    <!-- Shared JdbcTemplate for custom authority/resource access against the same data source. -->
    <bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate">
        <property name="dataSource" ref="dataSource" />
    </bean>
</beans>
3.web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.xml: loads the Spring root context and routes every request through springSecurityFilterChain. -->
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    id="WebApp_ID" version="3.0">

    <display-name>springsecurity</display-name>

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>

    <!-- Both Spring context files are loaded into the root WebApplicationContext. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value> classpath:applicationContext.xml classpath:applicationContext-security.xml </param-value>
    </context-param>

    <!-- DelegatingFilterProxy forwards each request to the Spring bean whose name equals
         this filter-name; the <http> elements build that bean as springSecurityFilterChain. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <!-- Every request enters the chain; the per-pattern security="none" chains decide what is skipped. -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Starts the root application context when the web app is deployed.
         No <session-config> is declared, so the container default session timeout
         applies; that timeout is what triggers the invalid-session-url redirect. -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
</web-app>
如果没有配置任何资源与权限之间的对应关系,spring security3就会认为根本不需要对任何URL或Action进行检测。
主要内容大概是这些,其余部分请参考上传的项目,并添加缺省的内容。
启动服务,打开浏览器,输入http://localhost:8080/SpringSecurity/user/user.jsp,由于有权限限制,会跳转到登录页面,输入user账号和密码(没有采用密文)登录后就可以到user.jsp页面,如果将url改为http://localhost:8080/SpringSecurity/admin/admin.jsp,会跳转到权限不足的界面。
