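The previous introductory post briefly covered how to use Spring Security 3. In practice, however, the login page is defined by the application rather than generated by Spring Security 3, so we need a custom login page. Looking at the login page that Spring Security 3 generates, we can see that it is a form whose action, username field name and password field name are j_spring_security_check, j_username and j_password respectively.
(1) Based on this, we define our own login page, login.jsp, with the following content: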
```jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>login interface</title>
</head>
<body>
<h3>user login</h3>
${sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}
<form action="${pageContext.request.contextPath}/j_spring_security_check" method="post">
    userName:<input type="text" name="j_username" /><br />
    password:<input type="password" name="j_password" /><br />
    <input type="submit" value="登录">
</form>
</body>
</html>
```
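Here, ${sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message} is a message supplied by the Spring Security framework itself; the text shown to the user comes from internationalization (i18n) files. If you expand the spring security core jar you can see these i18n files. You can modify their content to suit your project, or define your own i18n file and change the values of the key-value pairs taken from spring security core. To use the i18n files that ship with Spring Security, add the following to the configuration file: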
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:jee="http://www.springframework.org/schema/jee"
    xsi:schemaLocation="
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
        http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd">

    <!-- Internationalization (i18n) support configuration -->
    <!-- The bean id must be "messageSource", because Spring looks the bean up by this name when wiring system beans -->
    <bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
        <property name="basename" value="org.springframework.security.messages" />
    </bean>
</beans>
```
(2) Modify the spring-security configuration file to use the custom login page:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Do not intercept the login page; the trailing * means the page may be followed by parameters -->
    <security:http pattern="/login.jsp*" security="none" />

    <!-- Protect every URL of the application; only users with ROLE_USER may access them -->
    <security:http auto-config="true">
        <!-- login-page: specifies the login page -->
        <security:form-login login-page="/login.jsp" />
        <security:intercept-url pattern="/**" access="ROLE_USER" />
    </security:http>

    <!-- Configure the authentication manager: only the user named user, with password opal and role ROLE_USER, can access the protected resources -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="user" password="opal" authorities="ROLE_USER" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```
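(3) Run the application; it automatically redirects to the custom login page. Enter incorrect credentials and click the login button, and the error message is shown as follows:
(4) The password can be stored in hashed form, for example using MD5. Assuming the user's password is opal, its MD5 value is
22b5c9accc6e1ba628cedc63a72d57f8
In that case, change the configuration file as follows: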
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Do not intercept the login page; the trailing * means the page may be followed by parameters -->
    <security:http pattern="/login.jsp*" security="none" />

    <!-- Protect every URL of the application; only users with ROLE_USER may access them -->
    <security:http auto-config="true">
        <!-- login-page: specifies the login page -->
        <security:form-login login-page="/login.jsp" />
        <security:intercept-url pattern="/**" access="ROLE_USER" />
    </security:http>

    <!-- Configure the authentication manager: only the user named user, with password opal and role ROLE_USER, can access the protected resources -->
    <security:authentication-manager>
        <security:authentication-provider>
            <!-- The password attribute below holds the MD5 value of the password instead of the plaintext -->
            <security:password-encoder hash="md5" />
            <security:user-service>
                <security:user name="user" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```
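As an added example (not code from the original post), the value placed in the `password` attribute for the `user`/`opal` account can be generated with the JDK alone. Unsalted MD5 maps equal passwords to equal stored values, so the sketch also prints a per-user salted value. Assumptions: the legacy encoders hex-encode the digest of the UTF-8 bytes and merge a salt as `password{salt}`; the class name and the `sha-256` with `salt-source` variant are illustrative and not part of the page's configuration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example: computes values for the password attribute of <security:user>. */
public class PasswordAttributeValues {

    /** Lower-case hex digest of the UTF-8 bytes of the input. */
    static String hexDigest(String algorithm, String input) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance(algorithm)
                .digest(input.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Legacy salt merge: "password{salt}"; the bare password when no salt is given. */
    static String merge(String password, String salt) {
        if (salt == null || salt.isEmpty()) {
            return password;
        }
        if (salt.contains("{") || salt.contains("}")) {
            throw new IllegalArgumentException("salt must not contain { or }");
        }
        return password + "{" + salt + "}";
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String username = "user";   // sample account from the page
        String password = "opal";

        // Matches <security:password-encoder hash="md5" /> with no salt:
        // every account that uses this password gets the same stored value.
        System.out.println("md5, unsalted      : " + hexDigest("MD5", merge(password, null)));

        // Matches (assumed variant, not on the page):
        // <security:password-encoder hash="sha-256">
        //     <security:salt-source user-property="username" />
        // </security:password-encoder>
        // The username is merged in, so equal passwords no longer share a value.
        System.out.println("sha-256, user salt : " + hexDigest("SHA-256", merge(password, username)));
    }
}
```

Whichever line matches the configured `password-encoder` is the one to paste into the `password` attribute; the stored value and the `hash` setting must always be changed together.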