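This is my first contact with Spring Security. The first example is the simplest one and implements only the most basic access-control features.
First, the web.xml file: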
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name></display-name>
<!-- Location of applicationContext-security.xml -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:application*.xml
</param-value>
</context-param>
<!-- Instantiate the Spring container (listener) -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<!-- Filter required by Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Session timeout (minutes) -->
<session-config>
<session-timeout>30</session-timeout>
</session-config>
</web-app>
The web.xml configuration is familiar, so there is nothing difficult here.
Next is the core file, applicationContext-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- Protected resources -->
<security:http auto-config="true" access-denied-page="/deniedpage.jsp">
<!-- Concurrent session control -->
<security:session-management invalid-session-url="/login.jsp" session-fixation-protection="none">
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/sessionTimeout.jsp"/>
</security:session-management>
<!-- HTTP form authentication -->
<security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" default-target-url="/success.jsp"/>
<security:logout/>
<security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/index.jsp" access="ROLE_USER,ROLE_ADMIN"/>
<security:intercept-url pattern="/**" access="ROLE_USER"/>
</security:http>
<!-- User configuration -->
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource"/>
</security:authentication-provider>
</security:authentication-manager>
<!-- Database connection settings -->
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource">
<property name="driverClass" value="${db.driverClass}"/>
<property name="jdbcUrl" value="${db.jdbcUrl}"/>
<property name="user" value="${db.user}"/>
<property name="password" value="${db.password}"/>
</bean>
<!-- Load the properties file -->
<bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<list>
<value>classpath:constants.properties</value>
</list>
</property>
</bean>
</beans>
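Notes:
1. The current session's information is fetched from the session cache. If it turns out to be expired, the request is redirected to the URL configured in expired-url, or a session-expired message is returned. What makes the current session expire? Expiry here does not mean that the session has expired in the web container. Spring Security wraps each successfully logged-in session in a SessionInformation object and stores it in the registry's cache; if the expired field of that SessionInformation is true, the session is treated as expired. The ConcurrentSessionFilter therefore mainly checks the value of the expired field of SessionInformation.
2. If the concurrency-control tag is configured with error-if-maximum-exceeded="true" and max-sessions="1", a second login is refused. If error-if-maximum-exceeded="false", the second login succeeds, but when the first logged-in session sends another request it is redirected to the URL configured in expired-url (if none is configured, the message "This session has been expired (possibly due to multiple concurrent logins being attempted as the same user)." is shown).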
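The two notes above as configuration, in an added example that is not part of the original article: a drop-in replacement for the article's session-management element that keeps its concurrency settings and changes session-fixation-protection from none to migrateSession. It assumes the same security namespace prefix and spring-security-3.0 schema as the file above.

```xml
<!-- Added example (not from the article). Replaces the session-management
     element inside <security:http>; the "security" prefix is bound as in
     applicationContext-security.xml above. -->
<security:session-management
    invalid-session-url="/login.jsp"
    session-fixation-protection="migrateSession">
  <!-- The article sets session-fixation-protection="none", which keeps the
       pre-login HttpSession and its id after authentication. With
       "migrateSession" a new session is created at login, the existing
       attributes are copied into it and the old session is invalidated.
       "newSession" does the same without copying the existing attributes. -->

  <!-- Behaviour from note 2 that the article uses: a second login for the
       same user succeeds, the older SessionInformation is marked expired, and
       the older browser is sent to expired-url on its next request. -->
  <security:concurrency-control
      max-sessions="1"
      error-if-maximum-exceeded="false"
      expired-url="/sessionTimeout.jsp"/>

  <!-- Alternative from note 2: set error-if-maximum-exceeded="true" to reject
       the second login instead. The rejection then depends on the registry
       learning that the first session ended, which is what the
       HttpSessionEventPublisher listener in web.xml provides; a user who
       closes the browser without logging out stays counted until the
       container times the session out (30 minutes in the article's web.xml). -->
</security:session-management>
```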
Then comes constants.properties, which holds the database connection settings:
db.driverClass=com.mysql.jdbc.Driver
db.jdbcUrl=jdbc:mysql://localhost:3306/springsecurity
db.user=root
db.password=luwenhu
Finally there are the JSP files, which are nothing special. For example, login.jsp:
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">
<title>登錄界面</title>
</head>
<body onload="document.f.j_username.focus();">
<c:if test="${not empty param.login_error }">
<font color="red">
登錄失敗,請重試!<br/>
原因:<c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message }"></c:out>
</font>
</c:if>
<form action="/acegi1/j_spring_security_check" method="post">
username:<input type="text" name="j_username"/><br/>
password:<input type="password" name="j_password"/><br/>
<input type="checkbox" name="_spring_security_remember_me">兩周內自動登錄
<input type="submit" value="用戶登錄">
</form>
</body>
</html>
The next page goes deeper into Spring Security and adds a custom filter.