Linux教程網

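Spring Security Study Notes

This is my first contact with Spring Security. The first example is the simplest one, and it implements only the most basic access-control features.

First, the web.xml file: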

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
    http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <display-name></display-name>
  <!-- Location of applicationContext-security.xml -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      classpath:application*.xml
    </param-value>
  </context-param>
  <!-- Instantiate the Spring container (listener) -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
  </listener>
  <!-- The filter required by Spring Security -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- Session timeout in minutes -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>

The web.xml configuration is familiar territory, so there is nothing difficult here.

Next comes the core file, applicationContext-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.xsd">
  <!-- Configure the protected resources -->
  <security:http auto-config="true" access-denied-page="/deniedpage.jsp">
    <!-- Configure concurrent session control.
         session-fixation-protection="none" switches off session fixation protection;
         the default value is "migrateSession". -->
    <security:session-management invalid-session-url="/login.jsp" session-fixation-protection="none">
      <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/sessionTimeout.jsp"/>
    </security:session-management>
    <!-- HTTP form authentication -->
    <security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" default-target-url="/success.jsp"/>
    <security:logout/>
    <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/index.jsp" access="ROLE_USER,ROLE_ADMIN"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
  </security:http>
  <!-- Configure the users -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:jdbc-user-service data-source-ref="dataSource"/>
    </security:authentication-provider>
  </security:authentication-manager>
  <!-- Configure the database connection -->
  <bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource">
    <property name="driverClass" value="${db.driverClass}"/>
    <property name="jdbcUrl" value="${db.jdbcUrl}"/>
    <property name="user" value="${db.user}"/>
    <property name="password" value="${db.password}"/>
  </bean>
  <!-- Load the properties file -->
  <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="locations">
      <list>
        <value>classpath:constants.properties</value>
      </list>
    </property>
  </bean>
</beans>

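Notes:

1. The information for the current session is fetched from the session cache. If it turns out to be expired, the request is redirected to the URL configured in expired-url, or a session-expired message is returned. Under what circumstances is the current session considered expired? Expiry here does not mean that the session has been invalidated in the web container. Spring Security wraps each successfully logged-in session in a SessionInformation object and puts it in the registry's cache; if the expired field of that SessionInformation is true, the session is expired. The ConcurrentSessionFilter therefore mainly checks the value of the expired field of SessionInformation.

2. If the concurrency-control tag is configured with error-if-maximum-exceeded="true" and max-sessions="1", a second login is refused. If error-if-maximum-exceeded="false", the second login succeeds, but when the account that logged in first sends another request it is redirected to the URL configured in expired-url (if none is configured, the message "This session has been expired (possibly due to multiple concurrent logins being attempted as the same user)." is shown).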
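
The behaviour described in notes 1 and 2, as an added example that is not part of the original post and is not Spring Security's own code: a simplified in-memory model in which SessionInfo, login and request are hypothetical stand-ins for SessionInformation, the login-time concurrency check and ConcurrentSessionFilter.

```java
import java.util.*;

// Simplified model of notes 1 and 2; all names here are hypothetical stand-ins.
public class ConcurrencyControlDemo {
    // Stand-in for SessionInformation: one entry per successful login.
    static class SessionInfo {
        final String user;
        long lastRequest;
        boolean expired;                 // the flag the filter checks on every request
        SessionInfo(String user, long now) { this.user = user; this.lastRequest = now; }
    }

    static final Map<String, SessionInfo> registry = new LinkedHashMap<>();
    static long clock = 0;

    // Login-time check driven by max-sessions and error-if-maximum-exceeded.
    static boolean login(String user, String sessionId, int maxSessions, boolean errorIfMaxExceeded) {
        List<SessionInfo> live = new ArrayList<>();
        for (SessionInfo s : registry.values())
            if (s.user.equals(user) && !s.expired) live.add(s);
        if (live.size() >= maxSessions) {
            if (errorIfMaxExceeded) return false;            // the new login is refused
            // Otherwise the least recently used session is only marked expired;
            // the container session itself is not invalidated at this point.
            live.sort(Comparator.comparingLong(s -> s.lastRequest));
            live.get(0).expired = true;
        }
        registry.put(sessionId, new SessionInfo(user, ++clock));
        return true;
    }

    // Per-request check: look up the registry entry and test its expired flag.
    static String request(String sessionId, String expiredUrl) {
        SessionInfo s = registry.get(sessionId);
        if (s == null) return "no registered session";
        if (s.expired) return expiredUrl != null ? "redirect:" + expiredUrl
            : "This session has been expired (possibly due to multiple concurrent logins being attempted as the same user).";
        s.lastRequest = ++clock;                             // refresh last-request time
        return "ok";
    }

    public static void main(String[] args) {
        // Scenario A: error-if-maximum-exceeded="false", as in the configuration above.
        System.out.println(login("alice", "S1", 1, false));
        System.out.println(login("alice", "S2", 1, false));
        System.out.println(request("S1", "/sessionTimeout.jsp"));
        System.out.println(request("S2", "/sessionTimeout.jsp"));
        // Scenario B: error-if-maximum-exceeded="true".
        registry.clear();
        System.out.println(login("bob", "S3", 1, true));
        System.out.println(login("bob", "S4", 1, true));
    }
}
```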

Then comes constants.properties, which holds the database connection settings:

db.driverClass=com.mysql.jdbc.Driver
db.jdbcUrl=jdbc:mysql://localhost:3306/springsecurity
db.user=root
db.password=luwenhu

Finally there are the JSP files, which are nothing special. For example, login.jsp:

<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <base href="<%=basePath%>">
    <title>登錄界面</title>
  </head>
  <body onload="document.f.j_username.focus();">
  <c:if test="${not empty param.login_error }">
  <font color="red">
  登錄失敗,請重試!<br/>
  原因:<c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message }"></c:out>
  </font>
  </c:if>
  <form action="/acegi1/j_spring_security_check" method="post">
  username:<input type="text" name="j_username"/><br/>
  password:<input type="password" name="j_password"/><br/>
  <input type="checkbox" name="_spring_security_remember_me">兩周內自動登錄
  <input type="submit" value="用戶登錄">
  </form>
  </body>
</html>

The next page goes deeper into Spring Security and adds a custom filter.

Continue reading on the next page: http://www.linuxidc.com/Linux/2016-10/135820p2.htm
