1.创建两张表
用户表
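-- Accounts read by Spring Security's jdbc-user-service (username / password / enabled).
-- The original DDL used HSQLDB's varchar_ignorecase, which the MySQL driver configured
-- in applicationContext.xml does not accept; plain varchar(50) runs on both engines
-- (username matching then follows the column collation, case-insensitive on MySQL's
-- defaults).
create table users(
    username varchar(50) not null primary key,   -- login name; natural key referenced from authorities
    password varchar(50) not null,               -- hex digest produced by the configured password-encoder, never plaintext (MD5 hex is 32 chars)
    enabled  boolean not null                    -- account flag consumed by jdbc-user-service
);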
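-- Seed accounts. password holds the unsalted MD5 hex digest of the plaintext
-- ('admin' and 'user' respectively), matching <security:password-encoder hash="md5">.
-- Unsalted MD5 gives no protection against precomputed-hash lookup and makes equal
-- passwords hash identically across accounts; it is kept here only because the
-- tutorial's encoder expects it.
-- The first statement was missing its terminating ';', so both rows were sent as one
-- malformed statement.
INSERT INTO users (username, password, enabled)
VALUES ('admin', '21232f297a57a5a743894a0e4a801fc3', TRUE);
INSERT INTO users (username, password, enabled)
VALUES ('user', 'ee11cbb19052e40b07aac0ca060c23ee', TRUE);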
admin的密码为md5加密admin
user的密码为md5加密user
权限表
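-- Role assignments, one row per (user, role); read by jdbc-user-service.
-- varchar_ignorecase replaced by varchar(50) for the same MySQL-compatibility reason
-- as in users.
create table authorities(
    username  varchar(50) not null,   -- must exist in users (enforced below)
    authority varchar(50) not null,   -- role name compared against intercept-url access="..." (e.g. ROLE_ADMIN)
    -- No ON DELETE clause: the default referential action rejects deleting a user that
    -- still has roles, so a role row can never outlive its account.
    constraint fk_authorities_users foreign key (username) references users (username)
);
-- Enforces one row per (user, role) and indexes the by-username lookup.
create unique index ix_auth_username on authorities (username, authority);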
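-- Seed roles. Column list spelled out so the rows survive a column reorder.
-- admin holds only ROLE_ADMIN: any intercept-url that grants ROLE_USER alone
-- (the catch-all in springSecurity.xml) therefore denies the admin account.
INSERT INTO authorities (username, authority) VALUES ('admin', 'ROLE_ADMIN');
INSERT INTO authorities (username, authority) VALUES ('user', 'ROLE_USER');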
2.在applicationContext.xml配置文件中配置数据源,由于要访问数据库还要加入mysql的驱动包
applicationContext.xml
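<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jee="http://www.springframework.org/schema/jee"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/tx
                           http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
                           http://www.springframework.org/schema/jee
                           http://www.springframework.org/schema/jee/spring-jee-3.0.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.0.xsd
                           http://www.springframework.org/schema/aop
                           http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd"
       default-lazy-init="true">
    <!-- schemaLocation is a list of namespace/location pairs; the original omitted the
         security namespace URI before its .xsd, leaving an odd-length list. -->

    <!-- <bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
    <property name="basenames" value="classpath:org/springframework/security/messages_zh_CN"></property>
    </bean> -->

    <!-- Datasource used by <security:jdbc-user-service data-source-ref="datasource"/>.
         DriverManagerDataSource opens a fresh connection on every getConnection() and is
         not a pool; fine for a tutorial, not for load.
         The credentials are a hard-coded root login: move them to a properties file via
         <context:property-placeholder> (the context namespace is already declared) and
         use a database user limited to the users/authorities tables. -->
    <bean id="datasource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="com.mysql.jdbc.Driver"></property>
        <!-- '&' must be written as '&amp;' inside an XML attribute; the raw '&' in the
             original made the file non-well-formed. -->
        <property name="url" value="jdbc:mysql://localhost:3306/test?useUnicode=true&amp;characterEncoding=utf8"></property>
        <property name="username" value="root"></property>
        <property name="password" value="root"></property>
    </bean>

    <!-- Localized messages (Chinese bundle on the classpath). -->
    <bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
        <property name="basenames" value="classpath:message_zh_CN"></property>
    </bean>
</beans>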
3.springSecurity.xml配置
配置名称空间
由于配置了名称空间,之前使用的标签要加上security:前缀;将之前使用的user-service注释掉,改用jdbc-user-service标签,并引入上面配置的数据源datasource
security:password-encoder hash="md5":作用是将前台传入的密码通过md5加密后,再到数据库中匹配;直接配置 hash="md5" 等效于单独配置<bean id="encoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
security:intercept-url pattern="/index.jsp*" access="ROLE_ADMIN,ROLE_USER":拦截index.jsp请求;access:权限验证,ROLE_ADMIN、ROLE_USER这两个角色可以访问
access-denied-page="/error.jsp":指定访问被拒绝时显示的页面
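<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <!-- Every URL of the application is protected. intercept-url rules are evaluated top
         to bottom and the first matching pattern wins, so the catch-all must stay last. -->
    <security:http auto-config="true" access-denied-page="/error.jsp">
        <!-- login-page: the form shown to unauthenticated users.
             The trailing * on the patterns below also matches a query string (login.jsp?x=y). -->
        <security:form-login login-page="/login.jsp"/>
        <!-- filters="none" removes the entire security filter chain for the login page,
             which is what makes it reachable without authentication. -->
        <security:intercept-url pattern="/login.jsp*" filters="none"/>
        <security:intercept-url pattern="/admin.jsp*" access="ROLE_ADMIN"/>
        <security:intercept-url pattern="/index.jsp*" access="ROLE_ADMIN,ROLE_USER"/>
        <!-- Catch-all. The original pattern was "/*", which in Ant syntax matches a single
             path segment only, so any resource under a sub-directory (e.g. /sub/page.jsp)
             would have been left unprotected; "/**" matches at every depth.
             This rule grants ROLE_USER alone: the admin account holds only ROLE_ADMIN in
             the authorities table, so it is denied on URLs other than index.jsp/admin.jsp. -->
        <security:intercept-url pattern="/**" access="ROLE_USER"/>
    </security:http>

    <!-- Authentication manager: users and roles are loaded from the datasource bean
         declared in applicationContext.xml instead of the earlier in-memory user-service. -->
    <security:authentication-manager>
        <security:authentication-provider>
            <!-- <security:user-service> -->
            <!-- <user name="user" password="user" authorities="ROLE_USER"/> -->
            <!-- </security:user-service> -->
            <!-- The submitted password is MD5-hashed and compared with users.password.
                 This is unsalted MD5: equal passwords hash identically across accounts and
                 precomputed lookup defeats it. Spring Security 3 accepts a <security:salt-source>
                 child here; newer releases provide bcrypt. Prefer one of those outside a tutorial. -->
            <security:password-encoder hash="md5"></security:password-encoder>
            <security:jdbc-user-service data-source-ref="datasource"/>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>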
通过以上配置我们知道
1. 系统中除了 login.jsp 可以直接访问以外,其它的页面都需要权限才能进入
2. index.jsp 页面 ROLE_USER 和 ROLE_ADMIN 都可以访问;
3. admin.jsp 页面只有 ROLE_ADMIN 权限可以访问
index.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="utf-8"%>
<%-- index.jsp: home page after login. Allowed for ROLE_USER and ROLE_ADMIN by the
     "/index.jsp*" intercept-url in springSecurity.xml. The link below is navigation,
     not access control: admin.jsp is protected server-side by its own "/admin.jsp*"
     rule, so a ROLE_USER click lands on the configured access-denied page (error.jsp). --%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>首页</title>
</head>
<body>
欢迎来到springSecurity世界!<br/>
<a href="admin.jsp" type="button">进入管理员页面</a>
</body>
</html>
admin.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="utf-8"%>
<%-- admin.jsp: reachable only with ROLE_ADMIN ("/admin.jsp*" intercept-url in
     springSecurity.xml). The page itself performs no check; the filter chain does,
     so keep the rule ahead of the catch-all when editing the configuration. --%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>管理员页面</title>
</head>
<body>
欢迎来到管理员页面!<br/>
</body>
</html>
error.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="utf-8"%>
<%-- error.jsp: target of access-denied-page in springSecurity.xml, shown when an
     authenticated user lacks the role a rule requires. Static text only; it echoes
     no request data, so nothing here needs output escaping. --%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>提示页面</title>
</head>
<body>
您的访问被拒绝,您无权限访问该资源!
</body>
</html>
user用户登录
点击进入管理员页面
admin用户登录
点击进入管理员页面