早已久仰Spring Security大名,一直沒機會實踐,最近計劃對其進行系統學習並通過bolg將心得記錄與博友們分享!
准備工作:
1. Spring Security 源碼和Samples可以從以下鏈接下載:
https://github.com/spring-projects/spring-security/tree/master/samples
2. 從Spring官網下載STS
3. 學習時使用的版本 -- Spring : 4.0.0.RELEASE,Spring Security : 3.2.0.RELEASE
歷史:
前身為“The Acegi Security System for Spring”,始於2006年,項目得到廣大認可和適用後更名為Spring Security納入Spring的項目之一。
適用場景:
JAVA應用安全管理中的認證和授權,特別是使用Spring框架開發的JAVA應用。
基本原理:
Spring的DI和AOP -- Spring Security大量使用AOP以避免對業務邏輯的干涉,並與Spring核心框架深度集成。
javax.servlet.FilterChain -- 目前Spring Security主要用於web應用,在web應用中通過Filter攔截HTTP請求進行安檢。
HTTP表單認證:
Spring Security 內置HTTP表單認證支持,使用Security名字空間可以非常簡單讓Web應用支持HTTP表單認證,基本使用步驟如下:
1. web.xml配置
首先我們需要在web描述符中配置一個Filter名為springSecurityFilterChain供Spring框架使用,這個名稱不能自己隨便更改,否則Spring框架會找不到。
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
2. Spring bean配置
Spring Security bean配置分兩部分,分別是資源訪問權限配置和用戶定義,部分標簽解說:
http標簽 :用於創建FilterChainProxy和它將使用的bean。
auto-config="true" :表示以下配置
<http>
<form-login />
<http-basic />
<logout />
</http>
intercept-url :定義被保護資源的訪問權限
pattern :指定被保護的資源,可以使用正則表達式
access :訪問權限定義,有多種方式,示例中使用角色,角色必須以ROLE_前綴開始。
user :定義用戶名密碼和擁有的角色,密碼可以使用MD5加密。
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<security:http auto-config="true">
<security:intercept-url pattern="/hello"
access="ROLE_ADMIN" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user authorities="ROLE_USER" name="stevex"
password="stevex" />
<security:user authorities="ROLE_USER, ROLE_ADMIN"
name="admin" password="admin" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
實踐:
有很多安全相關的專業概念,需要自己慢慢認識,我們先創建一個實例,感性認識一下,步驟如下:
1. New-->Spring Project-->選擇"Spring MVC Project"模板--Finish
2. 修改pom.xml,將Spring的版本更改為4.0.0.Release,增加Spring Security的依賴
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.0.RELEASE</version>
</dependency>
3. 修改web.xml,增加springSecurityFilterChain
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml /WEB-INF/spring/app-security.xml</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
4. 增加app-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<security:http auto-config="true">
<security:intercept-url pattern="/hello"
access="ROLE_ADMIN" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user authorities="ROLE_USER" name="stevex"
password="stevex" />
<security:user authorities="ROLE_USER, ROLE_ADMIN"
name="admin" password="admin" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
5. 修改HomeController.java,增加hello函數
/**
* Handles requests for the application home page.
*/
@Controller
public class HomeController {
private static final Logger logger = LoggerFactory.getLogger(HomeController.class);
/**
* Simply selects the home view to render by returning its name.
*/
@RequestMapping(value = "/", method = RequestMethod.GET)
public String home(Locale locale, Model model) {
logger.info("Welcome home! The client locale is {}.", locale);
Date date = new Date();
DateFormat dateFormat = DateFormat.getDateTimeInstance(DateFormat.LONG, DateFormat.LONG, locale);
String formattedDate = dateFormat.format(date);
model.addAttribute("serverTime", formattedDate );
return "home";
}
//produces="text/plain" 必須有,否則會有亂碼
@RequestMapping(value = "/hello", method = RequestMethod.GET, produces="text/plain")
@ResponseBody
public String hello(){
logger.info("request coming!");
return "Hello Stevex, you are so hard!";
}
}
6. 運行應用進行測試
大功告成!
Spring Web MVC Security 下載地址:
免費下載地址在 http://linux.linuxidc.com/
用戶名與密碼都是www.linuxidc.com
具體下載目錄在 /2014年資料/2月/28日/Spring Security 學習之HTTP表單驗證
下載方法見 http://www.linuxidc.com/Linux/2013-07/87684.htm