泡泡SpringSecurity3.1【授权-注解使用】
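在spring-mvc.xml中开启对权限控制注解的支持(有三种)。注意:<security:global-method-security>只对它所在的Spring容器中的Bean生效;控制器是由spring-mvc.xml扫描的,所以要配置在这个文件里。如果配置到别的容器中,控制器上的权限注解不会生效,而且不会有任何报错。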

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd ">

    <!-- Component scan: registers the controllers under com.haifei.controller
         as beans of this (spring-mvc.xml) application context. -->
    <context:component-scan base-package="com.haifei.controller" />

    <!-- Annotation-driven Spring MVC. -->
    <mvc:annotation-driven />

    <!--
        Enable support for the authorization annotations.
          jsr250-annotations="enabled"   : supports the JSR-250 annotations (e.g. @RolesAllowed);
                                           requires the jsr250-api jar on the classpath.
          pre-post-annotations="enabled" : supports Spring's expression-based annotations
                                           (e.g. @PreAuthorize).
          secured-annotations="enabled"  : supports @Secured, the annotation provided by
                                           Spring Security itself.

        NOTE(review): global-method-security only applies to beans defined in the same
        application context as this element. It is declared here, next to the component
        scan that creates the controllers, which is why the controller annotations are
        enforced. Declared in a different context, the same annotations on the controllers
        would be ignored without any error, leaving the handlers unprotected at method level.

        NOTE(review): all three styles are switched on here, presumably so that each can be
        demonstrated. An annotation whose style is not enabled is ignored without any error,
        so keep this element and the annotations actually used in the code in step.
    -->
    <security:global-method-security
            jsr250-annotations="enabled"
            pre-post-annotations="enabled"
            secured-annotations="enabled" />
</beans>
1 jsr250的使用
添加依赖
控制器中通过注解@RolesAllowed设置

package com.haifei.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

import javax.annotation.security.RolesAllowed;

/**
 * Demo controller for JSR-250 method security ({@code @RolesAllowed}), mapped under {@code /user}.
 *
 * <p>The {@code @RolesAllowed} annotations are only enforced when
 * {@code jsr250-annotations="enabled"} is set on {@code <security:global-method-security>}
 * in the application context that creates this controller; otherwise they are ignored
 * without any error.
 */
@Controller
@RequestMapping("/user")
public class UserController {

    /** View name returned by every handler in this demo. */
    private static final String HOME_VIEW = "/home.jsp";

    /**
     * Handles {@code /user/query}; the caller must hold the {@code ROLE_ADMIN} authority.
     *
     * @return the home view
     */
    @RequestMapping("/query")
    @RolesAllowed("ROLE_ADMIN")
    public String query() {
        return logAndRender("用户查询。。。");
    }

    /**
     * Handles {@code /user/save}; the caller must hold the {@code ROLE_USER} authority.
     *
     * @return the home view
     */
    @RequestMapping("/save")
    @RolesAllowed("ROLE_USER")
    public String save() {
        return logAndRender("用户添加。。。");
    }

    /**
     * Handles {@code /user/update}.
     *
     * <p>NOTE(review): this handler carries no method-security annotation, so the
     * method-security layer places no restriction on it. Who may call it depends entirely
     * on URL-level rules, which are not shown in this listing.
     *
     * @return the home view
     */
    @RequestMapping("/update")
    public String update() {
        return logAndRender("用户更新。。。");
    }

    /** Prints the given trace message to stdout and returns the shared view name. */
    private String logAndRender(String message) {
        System.out.println(message);
        return HOME_VIEW;
    }
}
测试
登录
无权限
有权限
2 Spring表达式的使用

package com.haifei.controller;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

// Not referenced in this class; kept as in the original listing.
import javax.annotation.security.RolesAllowed;

/**
 * Demo controller for expression-based method security ({@code @PreAuthorize}),
 * mapped under {@code /user2}.
 *
 * <p>The {@code @PreAuthorize} expressions are only evaluated when
 * {@code pre-post-annotations="enabled"} is set on {@code <security:global-method-security>}
 * in the application context that creates this controller; otherwise they are ignored
 * without any error.
 */
@Controller
@RequestMapping("/user2")
public class UserController2 {

    /** View name returned by every handler in this demo. */
    private static final String HOME_VIEW = "/home.jsp";

    /**
     * Handles {@code /user2/query}; the caller must hold {@code ROLE_ADMIN}.
     * With a single role listed, {@code hasAnyRole} behaves like {@code hasRole}.
     *
     * @return the home view
     */
    @RequestMapping("/query")
    @PreAuthorize("hasAnyRole('ROLE_ADMIN')")
    public String query() {
        return logAndRender("用户查询。。。");
    }

    /**
     * Handles {@code /user2/save}; the caller must hold {@code ROLE_USER}.
     *
     * @return the home view
     */
    @RequestMapping("/save")
    @PreAuthorize("hasAnyRole('ROLE_USER')")
    public String save() {
        return logAndRender("用户添加。。。");
    }

    /**
     * Handles {@code /user2/update}.
     *
     * <p>NOTE(review): this handler carries no method-security annotation, so the
     * method-security layer places no restriction on it. Who may call it depends entirely
     * on URL-level rules, which are not shown in this listing.
     *
     * @return the home view
     */
    @RequestMapping("/update")
    public String update() {
        return logAndRender("用户更新。。。");
    }

    /** Prints the given trace message to stdout and returns the shared view name. */
    private String logAndRender(String message) {
        System.out.println(message);
        return HOME_VIEW;
    }
}
3 SpringSecurity提供的注解

package com.haifei.controller;

import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

/**
 * Demo controller for Spring Security's own {@code @Secured} annotation,
 * mapped under {@code /user3}.
 *
 * <p>The {@code @Secured} annotations are only enforced when
 * {@code secured-annotations="enabled"} is set on {@code <security:global-method-security>}
 * in the application context that creates this controller; otherwise they are ignored
 * without any error.
 *
 * <p>NOTE(review): with the default voter setup, {@code @Secured} attributes are matched as
 * role names only when they start with {@code ROLE_}, as they do here; confirm against the
 * access-decision configuration if a different naming scheme is used.
 */
@Controller
@RequestMapping("/user3")
public class UserController3 {

    /** View name returned by every handler in this demo. */
    private static final String HOME_VIEW = "/home.jsp";

    /**
     * Handles {@code /user3/query}; the caller must hold the {@code ROLE_ADMIN} authority.
     *
     * @return the home view
     */
    @RequestMapping("/query")
    @Secured({"ROLE_ADMIN"})
    public String query() {
        return logAndRender("用户查询。。。");
    }

    /**
     * Handles {@code /user3/save}; the caller must hold the {@code ROLE_USER} authority.
     *
     * @return the home view
     */
    @RequestMapping("/save")
    @Secured({"ROLE_USER"})
    public String save() {
        return logAndRender("用户添加。。。");
    }

    /**
     * Handles {@code /user3/update}.
     *
     * <p>NOTE(review): this handler carries no method-security annotation, so the
     * method-security layer places no restriction on it. Who may call it depends entirely
     * on URL-level rules, which are not shown in this listing.
     *
     * @return the home view
     */
    @RequestMapping("/update")
    public String update() {
        return logAndRender("用户更新。。。");
    }

    /** Prints the given trace message to stdout and returns the shared view name. */
    private String logAndRender(String message) {
        System.out.println(message);
        return HOME_VIEW;
    }
}
SpringSecurity异常处理