什么是Spring Security?
Spring Security是一个提供安全解决方案的框架,可在Web请求级别和方法级别上处理身份验证和授权。 Spring安全性通过两种方式处理安全性。 一种是安全的Web请求,另一种是在URL级别限制访问。 Spring Security使用Servlet过滤器。
在这篇文章中,我将创建一个处理登录身份验证和授权的简单Web应用程序。
下载项目: http : //www.mediafire.com/?bb9x88uxvkb0uuv或http://dl.dropbox.com/u/7215751/JavaCodeGeeks/SpringSecurityTutorialPart1/spring-security-login-example.rar
在创建项目之前,需要对mysql执行一些查询以创建一个新的数据库,表并添加一些示例数据。
创建表
CREATE DATABASE IF NOT EXISTS `spring-test`;
-- create user
CREATE USER 'user'@'localhost' IDENTIFIED BY 'test';
GRANT ALL ON spring-test.* TO 'user'@'localhost';
USE `spring-test`;
CREATE TABLE USER_DETAILS (
USERNAME VARCHAR(10) NOT NULL,
PASSWORD VARCHAR(32) NOT NULL,
PRIMARY KEY (USERNAME)
);
CREATE TABLE USER_AUTH (
USERNAME VARCHAR(10) NOT NULL,
AUTHORITY VARCHAR(10) NOT NULL,
FOREIGN KEY (USERNAME) REFERENCES USER_DETAILS(USERNAME)
);测试数据
insert into USER_DETAILS values ('user','123');
insert into USER_DETAILS values ('admin','admin');
insert into USER_AUTH values ('user', 'ROLE_USER');
insert into USER_AUTH values ('admin', 'ROLE_ADMIN');之后,我使用maven创建一个Web项目,并将以下依赖项添加到pom.xml中
<properties>
<spring.version>3.0.5.RELEASE</spring.version>
</properties><dependencies>
<dependency>
<groupId>javax.validation</groupId>
<artifactId>validation-api</artifactId>
<version>1.0.0.GA</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- jstl -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<!-- MySQL database driver -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.9</version>
</dependency>
<dependency>
<groupId>c3p0</groupId>
<artifactId>c3p0</artifactId>
<version>0.9.1</version>
</dependency>
</dependencies>之后,像这样更改web.xml
<!DOCTYPE web-app PUBLIC
'-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN'
'http://java.sun.com/dtd/web-app_2_3.dtd' >
<web-app>
<display-name>spring-security-login</display-name>
<servlet>
<servlet-name>login</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>login</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/login-servlet.xml,
/WEB-INF/login-security.xml,
/WEB-INF/login-service.xml
</param-value>
</context-param>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>login.jsp</welcome-file>
</welcome-file-list>
</web-app>现在,我需要创建login-servlet.xml,login-security.xml和login-service.xml弹簧配置文件。 在此示例中,我们将c3p0连接池与Mysql数据库一起使用。
这是login-servlet.xml文件
<?xml version='1.0' encoding='UTF-8'?>
<beans xmlns='http://www.springframework.org/schema/beans'
xmlns:context='http://www.springframework.org/schema/context'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd'>
<context:component-scan base-package='rd.controller'/>
<bean id='internalResourceResolver'
class='org.springframework.web.servlet.view.InternalResourceViewResolver'>
<property name='prefix' value='/WEB-INF/views/'/>
<property name='suffix' value='.jsp'/>
</bean>
<bean class='org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping'></bean>
<bean class='org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter'/>
<bean id='placeholderConfig'
class='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer'>
<property name='locations'>
<list>
<value>classpath:login.properties</value>
</list>
</property>
</bean>
</beans>这是login-security.xml
<?xml version='1.0' encoding='UTF-8'?>
<beans:beans xmlns='http://www.springframework.org/schema/security'
xmlns:beans='http://www.springframework.org/schema/beans'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd'>
<beans:import resource='login-service.xml'/>
<http>
<intercept-url pattern='/home*' access='ROLE_USER,ROLE_ADMIN' />
<intercept-url pattern='/admin*' access='ROLE_ADMIN' />
<form-login login-page='/login.jsp' default-target-url='/home' authentication-failure-url='/login.jsp?error=true'/>
<logout logout-success-url='/login.jsp' />
<anonymous username='guest' granted-authority='ROLE_GUEST'/>
<remember-me/>
</http>
<authentication-manager>
<authentication-provider>
<!--<user-service>-->
<!--<user name='admin' password='secret' authorities='ROLE_ADMIN,ROLE_USER' />-->
<!--<user name='user1' password='1111' authorities='ROLE_USER' />-->
<!--</user-service>-->
<jdbc-user-service data-source-ref='dataSource'
users-by-username-query='select username,password, 'true' as enabled from USER_DETAILS where username=?'
authorities-by-username-query='select USER_DETAILS.username , USER_AUTH.AUTHORITY as authorities from USER_DETAILS,USER_AUTH
where USER_DETAILS.username = ? AND USER_DETAILS.username=USER_AUTH.USERNAME '/>
</authentication-provider>
</authentication-manager>
</beans:beans>这是login-service.xml
<beans xmlns='http://www.springframework.org/schema/beans'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd'>
<bean id='dataSource' class='com.mchange.v2.c3p0.ComboPooledDataSource'>
<!--Driver name to connect to the database-->
<property name='driverClass'>
<value>${login.jdbc.driver}</value>
</property>
<!--DB URL-->
<property name='jdbcUrl'>
<value>${login.url}</value>
</property>
<!--DB User used to connect to the schema-->
<property name='user'>
<value>${login.username}</value>
</property>
<!--Password required to access for the above user-->
<property name='password'>
<value>${login.password}</value>
</property>
<!-- configuration pool via c3p0-->
<property name='acquireIncrement'>
<value>${login.c3p0.acquireIncrement}</value>
</property>
<property name='idleConnectionTestPeriod'>
<value>${login.c3p0.idleConnectionTestPeriod}</value>
<!-- seconds -->
</property>
<property name='maxPoolSize'>
<value>${login.c3p0.maxPoolSize}</value>
</property>
<property name='maxStatements'>
<value>${login.c3p0.maxStatements}</value>
</property>
<property name='minPoolSize'>
<value>${login.c3p0.minPoolSize}</value>
</property>
<property name='initialPoolSize'>
<value>${login.c3p0.initialPoolSize}</value>
</property>
<property name='maxIdleTime'>
<value>${login.c3p0.maxIdleTime}</value>
</property>
<property name='acquireRetryAttempts'>
<value>${login.c3p0.acquireRetryAttempts}</value>
</property>
<property name='acquireRetryDelay'>
<value>${login.c3p0.acquireRetryDelay}</value>
</property>
<property name='breakAfterAcquireFailure'>
<value>${login.c3p0.breakAfterAcquireFailure}</value>
</property>
</bean>
</beans>login.jsp页面如下所示。 (需要放置在webapp目录下。但不在WEB_INF目录下)
<%@ taglib prefix='c' uri='http://java.sun.com/jsp/jstl/core' %>
<html>
<head>
<title>Login</title>
</head>
<body>
<c:if test='${not empty param.error}'>
<font color='red'>
Login error. <br />
Reason : ${sessionScope['SPRING_SECURITY_LAST_EXCEPTION'].message}
</font>
</c:if>
<form method='POST' action='<c:url value='/j_spring_security_check' />'>
<table>
<tr>
<td align='right'>Username</td>
<td><input type='text' name='j_username' /></td>
</tr>
<tr>
<td align='right'>Password</td>
<td><input type='password' name='j_password' /></td>
</tr>
<tr>
<td colspan='2' align='right'>
<input type='submit' value='Login' />
</td>
</tr>
</table>
</form>
</body>
</html>home.jsp页面
<%@ taglib prefix='c' uri='http://java.sun.com/jsp/jstl/core' %>
<%@ taglib prefix='sec' uri='http://www.springframework.org/security/tags' %>
<html>
<head>
<title>Home</title>
</head>
<body>
<a href=<c:url value='/j_spring_security_logout'/>>Logout</a><br/>
<sec:authorize ifAnyGranted='ROLE_ADMIN'>
<h1>Only admin can see this</h1><br/>
<a href='admin'> Admin Home </a>
</sec:authorize>
<h1>Welcome</h1>
</body>
</html>admin-home.jsp页面
<%@ taglib prefix='c' uri='http://java.sun.com/jsp/jstl/core' %>
<%@ page contentType='text/html;charset=UTF-8' language='java' %>
<html>
<head>
<title>Admin</title>
</head>
<body>
<a href=<c:url value='/j_spring_security_logout'/>>Logout</a><br/>
<h1>Only Admin allowed here</h1>
</body>
</html>之后,您需要编写两个控制器来检索主页和admin-home页面。 这是HomeController.java
package rd.controller;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@Controller
public class HomeController {
@RequestMapping(value = '/home' , method = RequestMethod.GET)
public String setUp(Model model){
return 'home';
}
}这是AdminController.java
package rd.controller;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@Controller
public class AdminController {
@RequestMapping(value = '/admin' , method = RequestMethod.GET)
public String setUp(Model model){
return 'admin-home';
}
} 而已。 运行mvn clean install命令创建war文件。 将war文件复制到tomcat / webapps目录下,然后在您喜欢的浏览器中访问该Web应用程序。
网址:本地主机:<端口> /spring-login/login.jsp
测试案例1:尝试使用用户名123和密码登录。 您将获得用户主页。
测试案例2:尝试使用admin作为用户名admin作为密码登录。 您将获得带有可见管理页面链接的用户主页。
在Spring安全性第2部分中,我将修改此项目并添加“记住我”功能和md5密码加密功能。
在不久的将来,Ill会尝试发布有关CAS集成和LDAP集成的Spring安全性的有趣文章。 敬请关注 :)
参考: Spring Security第1部分–与我们的JCG合作伙伴 Rajith Delantha在带有Rajith…博客的Looping博客中的数据库简单登录应用程序 。
翻译自: https://www.javacodegeeks.com/2012/07/spring-security-part-1-simple-login.html
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
