First declare a filter in web.xml. Its filter-mapping must come before the Struts filter's mapping: servlet filters run in the order of their mappings, and Spring Security has to see the request before Struts dispatches it.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Then write the Spring Security configuration file applicationContext-security.xml and include it in the locations Spring loads (contextConfigLocation), so that the springSecurityFilterChain bean exists in the root context the DelegatingFilterProxy looks it up in.
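A complete web.xml for the two steps above, added here as an illustration and not taken from the original post. The Struts 2 filter class, the context file paths and the filter names other than springSecurityFilterChain are assumptions; adjust them to the project.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

    <!-- ContextLoaderListener loads the security file together with the main context.
         File paths are hypothetical. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/applicationContext.xml
            /WEB-INF/applicationContext-security.xml
        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- DelegatingFilterProxy forwards to the bean named "springSecurityFilterChain",
         which the <http> element in applicationContext-security.xml creates -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <!-- Struts 2 (class name assumed; older Struts 2 releases use FilterDispatcher) -->
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
    </filter>

    <!-- Filters execute in <filter-mapping> order: security first, then Struts.
         Reversing these two would let Struts serve actions to unauthenticated users. -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
```

A quick check that the order is right: request a protected action while logged out; you should be redirected to the login page rather than see the Struts result.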
Spring Security does two main things: authentication and authorization.
Authentication
Inside the http element, configure the login form with
<form-login login-page="/page/login.jsp" />
The login page itself must not be intercepted, otherwise the redirect to it would itself be redirected. So add
<intercept-url pattern="/page/login.jsp" filters="none" />
Put this rule before the catch-all pattern: intercept-url entries are matched top-down and the first match wins. Note that filters="none" skips the whole filter chain for that URL, so on the login page SecurityContextHolder is empty (Spring Security 3.1 deprecates this attribute in favour of a separate <http pattern="/page/login.jsp" security="none" /> element).
If auto-config="true" is set on the http element, the framework registers its standard filter chain for you. Form login is handled by the filter at the FORM_LOGIN_FILTER position (UsernamePasswordAuthenticationFilter). To authenticate against your own user store you only need a custom UserDetailsService: implement UserDetails loadUserByUsername(String username) to load the user and the roles it holds from the database. The service never checks the password; it just returns the stored hash, and the authentication provider compares it using the configured password encoder.
import java.util.Collection;
import java.util.LinkedList;
import java.util.List;
import javax.annotation.Resource;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service("myUserDetailsService")
public class MyUserDetailsServiceImpl extends BaseService implements UserDetailsService {
    @Resource
    private UserDao userDao;

    // Called by the authentication provider with the submitted username only; the
    // password comparison happens afterwards in the provider via the password-encoder.
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        User user = userDao.getUserByUsername(username);
        if (user == null) {
            // throw instead of letting a NullPointerException escape from the filter chain
            throw new UsernameNotFoundException("User not found: " + username);
        }
        List<Role> roles = user.getRoles();
        Collection<GrantedAuthority> authorities = new LinkedList<GrantedAuthority>();
        for (Role role : roles) {
            // role codes need the ROLE_ prefix (e.g. ROLE_ADMIN) for the default RoleVoter;
            // GrantedAuthorityImpl is replaced by SimpleGrantedAuthority from 3.1 on
            authorities.add(new GrantedAuthorityImpl(role.getCode()));
        }
        // enabled = state is valid; accountNonExpired, credentialsNonExpired and
        // accountNonLocked are all true because the user table does not track them
        return new org.springframework.security.core.userdetails.User(username, user.getPassword(),
                Constants.STATE_VALID.equals(user.getState()), true, true, true, authorities);
    }
}
Register it with the authentication manager (the alias is what a custom login filter later refers to):
<authentication-manager alias="myAuthenticationManager">
<authentication-provider user-service-ref="myUserDetailsService">
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
With hash="md5" the password column must hold the hex MD5 digest the encoder computes, or every login fails with bad credentials. An unsalted MD5 is cheap to reverse with precomputed tables; at least add a <salt-source> inside password-encoder, and on Spring Security 3.1 or later prefer the bcrypt encoder.
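A full applicationContext-security.xml that ties the pieces above together, added as an example and not copied from the original post. The URL patterns other than /page/login.jsp, the role code ROLE_ADMIN, the logout and failure URLs, and the salted MD5 variant are assumptions; the bean and alias names are the page's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- auto-config="true" adds form login, HTTP basic and logout support -->
    <http auto-config="true">
        <!-- Rules are matched top-down, first match wins: unprotected URLs go first.
             filters="none" bypasses the whole chain, so no SecurityContext on these pages. -->
        <intercept-url pattern="/page/login.jsp" filters="none" />
        <intercept-url pattern="/static/**" filters="none" />
        <!-- Role names must match the codes loadUserByUsername returns, ROLE_ prefix included -->
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
        <!-- Catch-all last; placed earlier it would shadow every rule below it -->
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

        <form-login login-page="/page/login.jsp"
                    authentication-failure-url="/page/login.jsp?error=1"
                    default-target-url="/index.jsp" />
        <!-- invalidate-session drops the server-side session, not just the security context -->
        <logout logout-success-url="/page/login.jsp" invalidate-session="true" />
    </http>

    <authentication-manager alias="myAuthenticationManager">
        <authentication-provider user-service-ref="myUserDetailsService">
            <!-- Stored value must be the hex MD5 of "password{username}" when a salt-source
                 is used; plain hash="md5" with no salt compares against MD5 of the bare password -->
            <password-encoder hash="md5">
                <salt-source user-property="username" />
            </password-encoder>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

To verify the ordering, temporarily move the /** rule to the top: the login page then becomes unreachable and the browser ends in a redirect loop, which is exactly the failure the first-match rule guards against.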
If you need to work with the HTTP session while the user logs in, configure your own FORM_LOGIN_FILTER. Add to the http element
<custom-filter ref="loginFilter" before="FORM_LOGIN_FILTER" />
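One way to write the loginFilter bean referenced above: a subclass of UsernamePasswordAuthenticationFilter that runs the normal username/password check and, only when it succeeds, records data in the HTTP session. This is an added example, not code from the original post; the class name, package, and the session attribute names are assumptions.

```java
package com.example.security; // hypothetical package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * Drop-in for the stock FORM_LOGIN_FILTER. The parent class still reads j_username and
 * j_password from the POST and calls the AuthenticationManager; this subclass only adds
 * session bookkeeping after a successful authentication.
 */
public class SessionAwareLoginFilter extends UsernamePasswordAuthenticationFilter {

    // attribute names are assumptions for this example
    public static final String LOGIN_TIME_KEY = "loginTime";
    public static final String CURRENT_USER_KEY = "currentUser";

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        // On bad credentials super throws AuthenticationException and nothing below runs,
        // so the session is only touched for a real login.
        Authentication auth = super.attemptAuthentication(request, response);

        // The default session-fixation protection (migrateSession) issues a new session id
        // right after this method returns and copies the attributes across, so values set
        // here survive; the principal is the UserDetails built by loadUserByUsername.
        request.getSession().setAttribute(LOGIN_TIME_KEY, System.currentTimeMillis());
        request.getSession().setAttribute(CURRENT_USER_KEY, auth.getPrincipal());
        return auth;
    }
}
```

Declare it as a bean with id loginFilter and set its authenticationManager property to the myAuthenticationManager alias; the filter also needs a filterProcessesUrl matching what the login form posts to (the default is /j_spring_security_check). With before="FORM_LOGIN_FILTER" and auto-config="true" the stock filter stays in the chain after yours; a successful login in your filter redirects before it runs, but if you want it gone entirely use position="FORM_LOGIN_FILTER", remove <form-login>, and supply the login page through an entry-point-ref to a LoginUrlAuthenticationEntryPoint bean.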
and define the beans:
<!-- Access-control interceptor (Authority) -->
<beans:bean id="securityFilter"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property n