先放官网文档 http://docs.spring.io/spring-security/site/docs/current/reference/html/ (最值得看!!!)
然后是别人写的spring mvc 以及spring security的java,xml配置对比的文档。http://hanqunfeng.iteye.com/blog/2114980
java配置代码如下
/**
 * Java-config version of the security setup that the page later repeats as spring-security.xml:
 * form login with custom success/failure handlers, HTTPS enforcement on selected paths, and
 * role-based URL authorization.
 *
 * <p>NOTE(review): no {@code @Configuration} / {@code @EnableWebSecurity} annotation and no
 * imports are visible in this listing; presumably they were left out of the excerpt. Confirm the
 * class is actually registered, otherwise none of these rules apply.
 */
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MySavedRequestAwareAuthenticationSuccessHandler authenticationSuccessHandler;

    @Autowired
    private MyAuthenticationFailureHandler myAuthenticationFailureHandler;

    /**
     * Declares the login mechanism, the channel (HTTPS) requirements and the URL access rules.
     *
     * <p>The {@code @Override} annotation is commented out in the original listing and is left
     * that way here.
     */
    // @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Form login, delegating the post-login behaviour to the two project handlers.
        http.formLogin()
                .successHandler(authenticationSuccessHandler)
                .failureHandler(myAuthenticationFailureHandler);

        // Paths that must be served over HTTPS.
        // NOTE(review): "/system3/**" is not listed here, although the XML variant on this page
        // sets requires-channel="https" for it. Confirm which of the two is intended.
        http.requiresChannel()
                .antMatchers("/login").requiresSecure()
                .antMatchers("/system1/**").requiresSecure()
                .antMatchers("/system2/**").requiresSecure();

        // Access rules. Spring Security checks them in declaration order, so the specific
        // patterns come first and the catch-all stays last: anything not listed above still
        // requires an authenticated user.
        http.authorizeRequests()
                .antMatchers("/login", "/myresource/**").permitAll()
                .antMatchers("/system1/**").hasRole("USER1")
                .antMatchers("/system2/**").hasRole("USER2")
                .antMatchers("/system3/**").hasAnyRole("USER1", "USER2")
                .anyRequest().authenticated();
    }

    /**
     * Specifies where the users to authenticate, their passwords and their authorities come from.
     *
     * <p>NOTE(review): no password encoder is configured in this listing. How the submitted
     * password is compared with the stored one therefore depends on the Spring Security version
     * and on what {@code MyUserDetailService} returns. Verify that stored passwords are hashed
     * with an adaptive algorithm.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(new MyUserDetailService());
    }
}
XML配置代码如下
web.xml如下
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<!-- Creates the root Spring context from the files named in contextConfigLocation below. -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Project-specific listener; what it does is not shown on this page. -->
<listener>
<listener-class>config.MyServerInit</listener-class>
</listener>
<!-- Root context files. spring-security.xml must be loaded here so that the
     springSecurityFilterChain bean exists for the filter declared further down. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:applicationContext.xml,
classpath:spring-security.xml
</param-value>
</context-param>
<!-- Spring MVC front controller with its own child context. -->
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:mvc-dispatcher-servlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Hands every request to Spring Security. The filter name has to stay
     "springSecurityFilterChain", because DelegatingFilterProxy looks up a bean of that name. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Mapped to /* so that no URL, static resources included, bypasses the security filter chain. -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
mvc-dispatcher-servlet.xml 如下
<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring MVC child context loaded by the mvc-dispatcher servlet declared in web.xml. -->
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-4.0.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<!-- Access to static resources (js, images, etc.): requests that no controller handles are
     passed on to the container's default servlet. -->
<mvc:default-servlet-handler/>
<!-- Enable annotation-driven MVC. -->
<mvc:annotation-driven/>
<!-- Specify the package that contains the controllers and scan its annotations
<context:component-scan base-package="evss.controller"/>
-->
<!-- The controller is registered explicitly instead of through the component scan above. -->
<bean id="baseController" class="web.BaseController"
/>
<!-- ViewResolver -->
<!-- Supports Servlet / JSP view resolution. The JSPs sit under /WEB-INF/, which the container
     does not serve directly, so they are only reachable through a controller. -->
<bean id="jspViewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
<property name="prefix" value="/WEB-INF/pages/"/>
<property name="suffix" value=".jsp"/>
</bean>
</beans>
applicationContext.xml 的内容为空(没有定义任何 bean)
<?xml version="1.0" encoding="UTF-8"?>
<!-- Root application context. It declares no beans in this example; the security beans live in
     spring-security.xml, which web.xml loads next to this file. -->
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-4.0.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
</beans>
最最关键代码来了。
spring-security.xml代码如下
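<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Project beans referenced by the security configuration below. -->
    <beans:bean id="myUserDetailService" class="config.MyUserDetailService"/>
    <beans:bean id="mySavedRequestAwareAuthenticationSuccessHandler" class="config.MySavedRequestAwareAuthenticationSuccessHandler"/>
    <beans:bean id="myAuthenticationFailureHandler" class="config.MyAuthenticationFailureHandler"/>
    <beans:bean id="myMatcher" class="config.MyMatcher"/>

    <http>
        <!-- Rules are checked top to bottom and the first matching one decides,
             so specific patterns come before the catch-all. -->
        <intercept-url pattern="/system1/**" requires-channel="https" access="hasRole('USER1')" />
        <intercept-url pattern="/system2/**" requires-channel="https" access="hasRole('USER2')" />
        <!-- hasRole() takes a single role. A list of alternatives needs hasAnyRole(),
             which is also what the Java configuration on this page uses for /system3/**. -->
        <intercept-url pattern="/system3/**" requires-channel="https" access="hasAnyRole('USER1','USER2')" />
        <intercept-url pattern="/login" requires-channel="https" access="permitAll"/>
        <!-- NOTE(review): this pattern matches "/myresource" only, while the Java configuration
             permits "/myresource/**". Confirm which scope is intended before widening it. -->
        <intercept-url pattern="/myresource" access="permitAll"/>
        <!-- NOTE(review): MyMatcher (listed below on this page) never matches GET, HEAD, TRACE or
             OPTIONS requests. With this line as the last rule, such requests to any path not
             listed above match no intercept-url at all and so get no access restriction from
             this block. The commented-out "/**" rule underneath is the counterpart of
             anyRequest().authenticated() in the Java configuration; prefer it when every
             remaining URL must require login. -->
        <intercept-url request-matcher-ref="myMatcher" access="authenticated" />
        <!--<intercept-url pattern="/**" access="authenticated"/>-->
        <!-- To decide role and path matching with your own class, use <intercept-url request-matcher-ref="myMatcher"/> -->
        <form-login authentication-success-handler-ref="mySavedRequestAwareAuthenticationSuccessHandler"
                    authentication-failure-handler-ref="myAuthenticationFailureHandler"
        />
    </http>

    <!-- Users, passwords and authorities come from the project's MyUserDetailService.
         NOTE(review): no password encoder is declared on the authentication provider; verify
         that stored passwords are hashed with an adaptive algorithm. -->
    <authentication-manager>
        <authentication-provider user-service-ref='myUserDetailService'/>
    </authentication-manager>
</beans:beans>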
其中的MyMatcher的代码如下
import org.springframework.security.web.util.matcher.RequestMatcher;
import javax.servlet.http.HttpServletRequest;
import java.util.List;
import java.util.regex.Pattern;
/**
 * Request matcher referenced from spring-security.xml via {@code request-matcher-ref="myMatcher"}.
 *
 * <p>A request matches when its servlet path contains none of the configured exclude entries and
 * its HTTP method is anything other than GET, HEAD, TRACE or OPTIONS.
 *
 * <p>Security notes for anyone reusing this class as an access-control matcher:
 * <ul>
 *   <li>GET, HEAD, TRACE and OPTIONS requests never match, so a rule that relies on this matcher
 *       does not apply to them.</li>
 *   <li>Exclusion is a plain substring test on the servlet path, not a prefix or Ant-pattern
 *       match: a path that merely contains an entry anywhere is excluded too. Keep the entries
 *       as specific as possible, or switch to anchored matching if they are meant as
 *       prefixes.</li>
 * </ul>
 *
 * Created by zhangjiasong on 2016/12/14.
 */
public class MyMatcher implements RequestMatcher {

    /** Methods for which {@link #matches} always answers {@code false}. */
    private static final Pattern ALLOWED_METHODS =
            Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");

    /**
     * URL fragments to exclude. The misspelt name is kept because the getter and setter below
     * expose it as a bean property.
     */
    private List<String> execludeUrls;

    /**
     * Decides whether the rule attached to this matcher applies to the request.
     *
     * @param request the incoming request
     * @return {@code false} if the servlet path contains an excluded entry or the method is
     *         GET, HEAD, TRACE or OPTIONS; {@code true} otherwise
     */
    public boolean matches(HttpServletRequest request) {
        final List<String> fragments = execludeUrls;
        final boolean hasExclusions = fragments != null && !fragments.isEmpty();
        // The servlet path is only read when there is something to compare it with.
        if (hasExclusions && containsAny(request.getServletPath(), fragments)) {
            return false;
        }
        final String method = request.getMethod();
        return !ALLOWED_METHODS.matcher(method).matches();
    }

    /** Returns {@code true} as soon as {@code path} contains one of {@code fragments}. */
    private static boolean containsAny(String path, List<String> fragments) {
        for (String fragment : fragments) {
            if (path.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    public List<String> getExecludeUrls() {
        return execludeUrls;
    }

    public void setExecludeUrls(List<String> execludeUrls) {
        this.execludeUrls = execludeUrls;
    }
}
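真正与 Java 配置对应的就是 spring-security.xml。借助官网文档,翻译起来还是很容易的。需要注意的是,上面的两份配置并不完全等价:XML 中最后的兜底规则使用的是 myMatcher(它对 GET、HEAD、TRACE、OPTIONS 请求不匹配),而 Java 配置使用的是 anyRequest().authenticated();另外 /system3/** 只在 XML 中要求 https。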