今天要讲的内容:
- 简单例子
- 自定义登录界面
- 数据库管理权限(系统默认)
- IS_AUTHENTICATED_ANONYMOUSLY与IS_AUTHENTICATED_FULLY
- login.jsp增加登录失败提示信息
一:简单例子
第一步jar包准备
第二步在web.xml中配置过滤器
<!-- Servlet-side entry point for Spring Security. DelegatingFilterProxy forwards each
     request to the Spring bean whose name equals filter-name, so the name
     "springSecurityFilterChain" must be kept exactly as written. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Route every incoming URL through the proxy. No dispatcher element is declared, so
     only the container default (REQUEST) is covered: internal forwards and includes
     are not checked again by the security filters. -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
第三步.配置applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Minimal Spring Security 2.0 namespace setup: one catch-all URL rule and two
     in-memory accounts. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:ss="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd"
       default-autowire="byType">

    <!-- auto-config="true" switches on the namespace defaults, including the
         generated login form used in this first example. -->
    <ss:http auto-config="true">
        <!-- Every URL needs a logged-in user; with the default access decision
             manager, holding any one of the listed roles is enough. -->
        <ss:intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER"/>
    </ss:http>

    <!-- Demo accounts only: the passwords are stored in clear text in this file and
         are identical to the user names. Replace them before the application is
         reachable by anyone else; an ss:password-encoder child of
         authentication-provider lets the file hold digests instead of clear text. -->
    <ss:authentication-provider>
        <ss:user-service>
            <ss:user name="admin" password="admin" authorities="ROLE_ADMIN"/>
            <ss:user name="user" password="user" authorities="ROLE_USER"/>
        </ss:user-service>
    </ss:authentication-provider>
</beans>
二:自定义登录界面
第一步新建login.jsp
注意以下几点:表单的action路径(j_spring_security_check)、用户名输入框的name(j_username)和密码输入框的name(j_password)必须与下面的写法一致,原文用红色标出:
- <form id="loginForm" name="loginForm" action="${path}/j_spring_security_check" method="post">
- <input type='text' name='j_username'/>
- <input type='password' name='j_password' size="16"/>
第二步修改applicationContext-security.xml
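<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security 2.0 configuration with a custom login page and two in-memory
     accounts. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:ss="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd"
       default-autowire="byType">

    <!-- Rules are checked in document order and the first matching pattern wins, so
         the login page exemption must come before the catch-all "/**". -->
    <ss:http auto-config="true">
        <!-- filters="none" takes the login page out of the security filter chain
             completely, which also means no security context is available while
             that page is rendered. -->
        <ss:intercept-url pattern="/login.action" filters="none"/>
        <!-- Everything else needs a logged-in user holding one of the listed roles. -->
        <ss:intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER"/>

        <!-- default-target-url is the page shown after a successful login; "/" is the
             application's default path. always-use-default-target="true" sends the
             user there after every login instead of back to the URL first requested.
             (An XML comment cannot sit inside a start tag, so this note lives here
             rather than between the attributes.) -->
        <ss:form-login
            login-page="/login.action"
            authentication-failure-url="/login.action?error=true"
            default-target-url="/"
            always-use-default-target="true"/>
    </ss:http>

    <!-- Demo accounts only: clear-text passwords that equal the user names. Replace
         them before the application is reachable by anyone else. -->
    <ss:authentication-provider>
        <ss:user-service>
            <ss:user password="admin" name="admin" authorities="ROLE_ADMIN"/>
            <ss:user password="user" name="user" authorities="ROLE_USER"/>
        </ss:user-service>
    </ss:authentication-provider>
</beans>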
三:用spring security提供的默认数据库实现简单的权限控制
1.根据数据库脚本创建数据表
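-- Tables read by the jdbc-user-service in the security configuration (Oracle types).

-- username is the primary key so one login name can never resolve to two rows with
-- different passwords or enabled flags.
-- The 50-character password column is wide enough for a hex MD5 or SHA-1 digest but
-- not for longer hash formats; widen it before moving to a stronger encoder.
create table users(
    username varchar2(50) not null,
    password varchar2(50) not null,
    enabled  char(1)      not null,
    constraint pk_users primary key (username)
);

-- Each authority row must belong to an existing user, and a given user/authority
-- pair may be stored only once.
create table authorities (
    username  varchar2(50) not null,
    authority varchar2(50) not null,
    constraint fk_authorities_users foreign key (username) references users(username)
);
create unique index ix_auth_username on authorities (username, authority);

-- Demo accounts only: the passwords are clear text and equal to the user names.
-- Replace them, and store digests rather than clear text, before the database is
-- used outside a local test.
insert into users(username,password,enabled) values('admin','admin','1');
insert into users(username,password,enabled) values('user','user','1');

-- admin holds both roles; user holds ROLE_USER only.
insert into authorities(username,authority) values('admin','ROLE_ADMIN');
insert into authorities(username,authority) values('admin','ROLE_USER');
insert into authorities(username,authority) values('user','ROLE_USER');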
2.修改applicationContext-security.xml
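<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security 2.0 configuration that loads users and roles from the database
     instead of the in-memory list. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:ss="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd"
       default-autowire="byType">

    <!-- Rules are checked in document order and the first matching pattern wins, so
         the login page exemption must come before the catch-all "/**". -->
    <ss:http auto-config="true">
        <!-- filters="none" takes the login page out of the security filter chain
             completely. -->
        <ss:intercept-url pattern="/login.action" filters="none"/>
        <!-- Everything else needs a logged-in user holding one of the listed roles. -->
        <ss:intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER"/>

        <!-- default-target-url is the page shown after a successful login; "/" is the
             application's default path. always-use-default-target="true" sends the
             user there after every login instead of back to the URL first requested.
             (An XML comment cannot sit inside a start tag, so this note lives here
             rather than between the attributes.) -->
        <ss:form-login
            login-page="/login.action"
            authentication-failure-url="/login.action?error=true"
            default-target-url="/"
            always-use-default-target="true"/>
    </ss:http>

    <!-- In-memory accounts from the previous step, kept for reference only:
    <ss:authentication-provider>
        <ss:user-service>
            <ss:user password="admin" name="admin" authorities="ROLE_ADMIN"/>
            <ss:user password="user" name="user" authorities="ROLE_USER"/>
        </ss:user-service>
    </ss:authentication-provider>
    -->

    <!-- Uses the table layout that Spring Security expects by default (USERS and
         AUTHORITIES); "dataSource" is a data source bean configured elsewhere by the
         application. No password encoder is declared, so the password column is
         compared as stored, i.e. it must hold clear text. Add an ss:password-encoder
         child here and store digests once this moves beyond a demo. -->
    <ss:authentication-provider>
        <ss:jdbc-user-service data-source-ref="dataSource"/>
    </ss:authentication-provider>
</beans>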
四: IS_AUTHENTICATED_ANONYMOUSLY与IS_AUTHENTICATED_FULLY
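<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security 2.0 configuration showing IS_AUTHENTICATED_ANONYMOUSLY for the
     login page and IS_AUTHENTICATED_FULLY as the catch-all rule. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:ss="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd"
       default-autowire="byType">

    <!-- Rules are checked in document order and the first matching pattern wins, so
         the specific rules must stay above the catch-all "/**". -->
    <ss:http auto-config="true">
        <!-- Do not intercept css, js and similar resources. filters="none" skips the
             security filter chain entirely, so keep only static content under these
             paths (worth confirming for /common/**). -->
        <ss:intercept-url pattern="/common/**" filters="none"/>
        <ss:intercept-url pattern="/css/**" filters="none"/>
        <ss:intercept-url pattern="/images/**" filters="none"/>
        <ss:intercept-url pattern="/js/**" filters="none"/>

        <!-- Rule from the previous step, replaced by the access-based rule below:
        <ss:intercept-url pattern="/login.action" filters="none"/>
        -->
        <!-- login.action stays reachable without logging in:
             IS_AUTHENTICATED_ANONYMOUSLY is also granted to anonymous visitors.
             Unlike filters="none", the request still passes through the filter chain. -->
        <ss:intercept-url pattern="/login.action" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

        <!-- Only these two exact URLs are role-restricted. Any other URL below
             /company/ or /dept/ falls through to the catch-all rule and is open to
             every logged-in user. -->
        <ss:intercept-url pattern="/company/company.action" access="ROLE_ADMIN"/>
        <ss:intercept-url pattern="/dept/dept.action" access="ROLE_USER"/>

        <!-- Catch-all from the previous step, replaced by the rule below:
        <ss:intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER"/>
        -->
        <!-- IS_AUTHENTICATED_FULLY: any user who has logged in may access the
             remaining URLs, whatever roles they hold. A session restored through
             remember-me (if that feature is in use) does not count as fully
             authenticated and is sent to the login page again. -->
        <ss:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>

        <!-- default-target-url is the page shown after a successful login; "/" is the
             application's default path. always-use-default-target="true" sends the
             user there after every login instead of back to the URL first requested.
             (An XML comment cannot sit inside a start tag, so this note lives here
             rather than between the attributes.) -->
        <ss:form-login
            login-page="/login.action"
            authentication-failure-url="/login.action?error=true"
            default-target-url="/"
            always-use-default-target="true"/>
    </ss:http>

    <!-- In-memory accounts from an earlier step, kept for reference only:
    <ss:authentication-provider>
        <ss:user-service>
            <ss:user password="admin" name="admin" authorities="ROLE_ADMIN"/>
            <ss:user password="user" name="user" authorities="ROLE_USER"/>
        </ss:user-service>
    </ss:authentication-provider>
    -->

    <!-- Uses the table layout that Spring Security expects by default (USERS and
         AUTHORITIES); "dataSource" is a data source bean configured elsewhere by the
         application. No password encoder is declared, so the password column is
         compared as stored, i.e. it must hold clear text. -->
    <ss:authentication-provider>
        <ss:jdbc-user-service data-source-ref="dataSource"/>
    </ss:authentication-provider>
</beans>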
五:login.jsp增加登录失败提示信息
<%-- Show a fixed failure notice when the session holds the exception recorded by the
     last failed login. The text is deliberately generic: it does not reveal whether
     the user name or the password was wrong.
     NOTE(review): the check reads a session attribute, not the error=true request
     parameter, so the notice presumably stays visible until the attribute is
     cleared; confirm against the filter's behaviour. --%>
<%
    Object lastLoginFailure =
            session.getAttribute(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY);
    if (lastLoginFailure != null) {
%>
<span style="color:red"> 登录失败,请重试.</span>
<%
    }
%>