spring-security3配置—学习笔记《一》

一、添加jar

pom.xml中配置:

<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-acl</artifactId>
			<version>3.1.3.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-core</artifactId>
			<version>3.1.3.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-taglibs</artifactId>
			<version>3.1.3.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>3.1.3.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>3.1.3.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-crypto</artifactId>
			<version>3.1.3.RELEASE</version>
		</dependency>

二、添加配置

web.xml添加filter：

<!-- security过滤器必须放在struts前 -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

新建applicationContext-security.xml 并引入

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

	<!-- 开启debug模式 在控制台输出security处理 -->
	<debug />

	<!-- 开启注解 -->
	<global-method-security pre-post-annotations="enabled" />

	<!-- 排除的资源 -->
	<http pattern="/images/**" security="none" />
	<http pattern="/plugins/**" security="none" />
	<http pattern="/scripts/**" security="none" />
	<http pattern="/styles/**" security="none" />
	<http pattern="/login.jsp" security="none" />
	<http pattern="/loggedout.jsp" security="none" />

	<!-- 支持表达式 -->
	<http use-expressions="true">
        <intercept-url pattern="/admin/**" access="hasRole('supervisor')"/>
        <intercept-url pattern="/**" access="hasRole('user')" />
        
        <!-- 四个参数：登录页面|登录失败跳到|登录成功页面|登录action -->
        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp" 
        	default-target-url="/index.jsp" login-processing-url="/j_security_check"/>
        <logout logout-success-url="/index.jsp" delete-cookies="JSESSIONID"/>
        <remember-me />
		<!--
		    Uncomment to enable X509 client authentication support
		        <x509 />
		-->
        <!-- Uncomment to limit the number of sessions a user can have -->
        <session-management invalid-session-url="/timeout.jsp">
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </session-management>

    </http>

    <!--
    Usernames/Passwords are
        rod/koala
        dianne/emu
        scott/wombat
        peter/opal
    -->
    <beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>

    <authentication-manager>
        <authentication-provider>
            <password-encoder ref="encoder"/>
            <user-service>
                <user name="rod" password="4efe081594ce25ee4efd9f7067f7f678a347bccf2de201f3adf2a3eb544850b465b4e51cdc3fcdde" authorities="supervisor, user, teller" />
                <user name="dianne" password="957ea522524a41cbfb649a3e293d56268f840fd5b661b499b07858bc020d6d223f912e3ab303b00f" authorities="user,teller" />
                <user name="scott" password="fb1f9e48058d30dc21c35ab4cf895e2a80f2f03fac549b51be637196dfb6b2b7276a89c65e38b7a1" authorities="user" />
                <user name="peter" password="e175750688deee19d7179d444bfaf92129f4eea8b4503d83eb8f92a7dd9cda5fbae73638c913e420" authorities="user" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
    
</beans:beans>

<!-- 引入其它spring配置文件 -->
<import resource="classpath:applicationContext-*.xml" />

三、新建登录页面

login.jsp:

<%@ page language="java" contentType="text/html; charset=UTF-8"
	pageEncoding="UTF-8"%>
<%@ taglib prefix="s" uri="/struts-tags" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>登录系统</title>
</head>
<body>
	<form action="${pageContext.request.contextPath}/j_security_check" method="post">
		Account：<Input name="j_username" /><br />
		Password：<input name="j_password" type="password" /><br /> 
		<input value="submit" type="submit" />
	</form>
	<s:debug></s:debug>
</body>
</html>

四、试用

rod/koala
        dianne/emu
        scott/wombat
        peter/opal

使用这些帐号测试登录 登录错误密码应该会跳到login.jsp页面，正确密码跳到index.jsp

五、其它说明
 登录表单的action 对应配置文件中 

login-processing-url="/j_security_check"

可以自定义名称。

用户名和密码 name  是固定的 j_username/j_password

对应spring-security-web-3.1.3.jar下 org.springframework.security.web.authentication 包中 UsernamePasswordAuthenticationFilter

public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "j_username";//line：51
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "j_password";