Spring Security 3.x multi-page login configuration: a beginner's tutorial
Recently I've been working on Shiro's multi-entry login and struggled with it for a long time, so I'm dusting off Spring Security again; this is a blog post I wrote on CSDN earlier.
Spring Security is an access-control framework. It makes access control easy to implement: we do not have to write interceptors by hand to intercept requests and then check permissions. This greatly reduces the workload, and Spring Security provides a very solid security guarantee.
Enough preamble; here is the main text:
1. Add the Spring Security jars. I manage jars with Maven together with Nexus; plain jars work too: download the relevant jars and add them to the lib directory under WEB-INF. Below are the dependencies added to pom.xml (from the official site http://projects.spring.io/spring-security/):
<dependencies>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>3.2.3.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>3.2.3.RELEASE</version>
    </dependency>
</dependencies>
2. Add the Spring Security filter to web.xml. The configuration files must also be loaded, of course; here a single wildcard pattern loads all of Spring's configuration files at once:
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        classpath:spring*.xml
    </param-value>
</context-param>

<!-- spring security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
3. Configure the spring-security.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- Resources that need no authentication; since 3.0 this is the way to configure them -->
    <!-- <http security="none" pattern="/**/index" /> -->
    <http security="none" pattern="/**/login" />
    <http security="none" pattern="/**/*.jpg" />
    <http security="none" pattern="/**/*.png" />
    <http security="none" pattern="/**/*.gif" />
    <http security="none" pattern="/**/*.css" />
    <http security="none" pattern="/**/*.js" />

    <!-- Match the student URLs, set the login page and required authority,
         and reference studentAuthManager for authentication -->
    <http auto-config="true" pattern="/student/**" use-expressions="true"
          authentication-manager-ref="studentAuthManager">
        <form-login login-processing-url="/student/j_spring_security_check"
                    login-page="/student/login"
                    authentication-failure-url="/student/login"
                    default-target-url="/student/index" />
        <logout logout-success-url="/student/login"
                logout-url="/student/j_spring_security_logout" />
        <intercept-url pattern="/student/**" access="hasRole('ROLE_STUDENT')" />
    </http>

    <!-- Match the admin URLs, set the login page and required authority,
         and reference adminAuthManager for authentication -->
    <http auto-config="true" pattern="/admin/**" use-expressions="true"
          authentication-manager-ref="adminAuthManager">
        <form-login login-processing-url="/admin/j_spring_security_check"
                    login-page="/admin/login"
                    authentication-failure-url="/admin/login"
                    default-target-url="/admin/index" />
        <logout logout-url="/admin/j_spring_security_logout"
                logout-success-url="/admin/index" />
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    </http>

    <!-- Front-end (student) authentication manager bean -->
    <authentication-manager id="studentAuthManager">
        <authentication-provider user-service-ref="studentDetailService">
            <password-encoder hash="md5" />
        </authentication-provider>
    </authentication-manager>

    <!-- Back-end (admin) authentication manager bean -->
    <authentication-manager id="adminAuthManager">
        <authentication-provider user-service-ref="adminDetailService">
            <password-encoder hash="md5" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>
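With `<password-encoder hash="md5">` and no `salt-source`, the password column must hold the lowercase hex MD5 of the raw password, and an unsalted fast hash offers little resistance to offline guessing if that table leaks. The following is an added example, not code from the original post, showing what Spring Security 3.2's Md5PasswordEncoder expects to find stored and how to switch the same provider to BCryptPasswordEncoder; the `admin.password` column and the `bcryptEncoder` bean id are assumptions.

```java
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * Added example: what the stored password must look like under the page's
 * md5 config versus a bcrypt config. Assumes spring-security-core 3.2.x.
 */
public class PasswordStorageDemo {

    // Equivalent of <password-encoder hash="md5"/> with no salt-source:
    // the stored value is the lowercase hex MD5 of the raw password.
    private static final Md5PasswordEncoder MD5 = new Md5PasswordEncoder();

    // Salted, deliberately slow alternative. Wire it in spring-security.xml as
    //   <beans:bean id="bcryptEncoder"
    //       class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
    //   <authentication-provider user-service-ref="adminDetailService">
    //       <password-encoder ref="bcryptEncoder"/>
    //   </authentication-provider>
    private static final BCryptPasswordEncoder BCRYPT = new BCryptPasswordEncoder();

    /** Value to INSERT into admin.password (assumed column) under the md5 config. */
    public static String md5Stored(String rawPassword) {
        return MD5.encodePassword(rawPassword, null);
    }

    /** Value to INSERT into admin.password after switching to bcrypt. */
    public static String bcryptStored(String rawPassword) {
        return BCRYPT.encode(rawPassword);
    }

    /** What DaoAuthenticationProvider does with a login attempt under the md5 config. */
    public static boolean md5Matches(String stored, String rawAttempt) {
        return MD5.isPasswordValid(stored, rawAttempt, null);
    }

    /** Same check under the bcrypt config; the salt is read from the stored value. */
    public static boolean bcryptMatches(String stored, String rawAttempt) {
        return BCRYPT.matches(rawAttempt, stored);
    }

    public static void main(String[] args) {
        String raw = "admin123"; // constructed sample password
        String md5 = md5Stored(raw);
        System.out.println("md5 stored    : " + md5 + " valid=" + md5Matches(md5, raw));
        // bcrypt output differs on every call because of the random salt; matches() still verifies
        String bc = bcryptStored(raw);
        System.out.println("bcrypt stored : " + bc + " valid=" + bcryptMatches(bc, raw));
        System.out.println("wrong password: " + bcryptMatches(bc, "admin124"));
    }
}
```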
4. Implement the UserDetailsService interface (the student implementation is identical to the admin one, so only the admin example is listed here):
import javax.annotation.Resource;

import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class AdminDetailService implements UserDetailsService {

    @Resource
    private AdminMapper adminMapper;

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Admin admin = adminMapper.selectByUsername(username);
        // The interface contract requires an exception for an unknown user; returning
        // null here makes the authentication provider fail with an internal error
        // instead of a normal "bad credentials" rejection.
        if (admin == null) {
            throw new UsernameNotFoundException("admin not found: " + username);
        }
        return admin;
    }
}
5. Have the Admin entity implement the UserDetails interface (since this is only a demo the authorities are hard-coded; they could be loaded from the database). Student likewise implements UserDetails; the code is not repeated here.
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

public class Admin implements UserDetails {
    private static final long serialVersionUID = 1557391641237960295L;

    private Integer id;
    private String username;
    private String password;

    public Integer getId() {
        return id;
    }

    public void setId(Integer id) {
        this.id = id;
    }

    // These authorities should be loaded from the database; that is not done here
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
        return authorities;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public String getUsername() {
        return username;
    }

    public boolean isAccountNonExpired() {
        return true;
    }

    public boolean isAccountNonLocked() {
        return true;
    }

    public boolean isCredentialsNonExpired() {
        return true;
    }

    public boolean isEnabled() {
        return true;
    }
}
6. If you don't write a page, Spring Security uses its default one, which is very ugly; fortunately you can write your own. Below is my own page (also very ugly):
<body>
    <!-- The relative action resolves against the page URL: served at /admin/login this
         form posts to /admin/j_spring_security_check, and at /student/login to
         /student/j_spring_security_check, matching each <http> block's login-processing-url -->
    <form action="j_spring_security_check" method="post">
        username:<input type="text" name="j_username"/><br/>
        password:<input type="password" name="j_password"/><br/>
        Remember Me:<input name="_spring_security_remember_me" type="checkbox" value="true"/><br/>
        <input type="submit" value="提交"/>
    </form>
</body>
7. Visit, log in, done. Since this code was adapted from project code there is no demo, sorry!!! (I'll add one when I get the chance = =||, though probably never.)