使用spring-security3.1 + spring mvc + Hibernate 控制系统权限


第一步

下载spring-security3.1

解压后进入dist目录,里面有两个war文件,解压其中一个。

然后将里面的jar包全部复制到项目中。

官方中文文档下载地址:http://www.asdtiang.org/wp-content/uploads/2011/09/Spring-Security-3.0.1-%E4%B8%AD%E6%96%87%E5%AE%98%E6%96%B9%E6%96%87%E6%A1%A3.pdf

 

第二步

配置web.xml spring的监听器, 以及spring-mvc的监听器

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
	http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
	<display-name></display-name>
	<welcome-file-list>
		<welcome-file>index.jsp</welcome-file>
	</welcome-file-list>

	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>  
        classpath*:applicationContext.xml,
        </param-value>
	</context-param>

	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>
	
	<servlet>
		<servlet-name>springmvc</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
		<init-param>  
          <param-name>contextConfigLocation</param-name>  
          <param-value>classpath*:spring-mvc.xml</param-value>  
        </init-param>  
		<load-on-startup>1</load-on-startup>
	</servlet>
	
	<servlet-mapping>
		<servlet-name>springmvc</servlet-name>
		<url-pattern>*.action</url-pattern>
	</servlet-mapping>
	
	
</web-app>

加入applicationContext.xml与spring-mvc.xml到src目录

applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
	xmlns:mvc="http://www.springframework.org/schema/mvc"
	xsi:schemaLocation="http://www.springframework.org/schema/beans   
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd  
            http://www.springframework.org/schema/context  
            http://www.springframework.org/schema/context/spring-context-3.0.xsd  
            http://www.springframework.org/schema/mvc   
            http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
	<!-- 启用注解方式 -->
	<context:annotation-config />
	
	<context:component-scan base-package="com.zf" />
	
	<!-- 启用mvc注解 -->
	<mvc:annotation-driven />
	
</beans>  

spring-mvc.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
	xsi:schemaLocation="http://www.springframework.org/schema/beans   
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

	<!-- 视图解析器 -->
	<bean id="viewResolver"
		class="org.springframework.web.servlet.view.InternalResourceViewResolver"
		p:prefix="/WEB-INF/jsp/" p:suffix=".jsp" />
		

</beans>  


第三步

加入spring-security.xml配置文件

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans 
	   		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
			http://www.springframework.org/schema/security 
			http://www.springframework.org/schema/security/spring-security-3.1.xsd">
	
	<!--use-expressions="true" 的意思是开启表达式 access-denied-page的意思是,当验证权限失败后会跳转到的页面  -->
	<security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied" >
	
	</security:http>
	
	<!-- 配置一个认证管理器 -->
	<security:authentication-manager>
		<security:authentication-provider>
			<security:user-service>
				<!-- 这样的配置表示向系统中添加了一个用户 用户名和密码都为admin ,并且该用户拥有ROLE_USER角色(角色可以用逗号隔开) -->
				<security:user name="admin" password="admin" authorities="ROLE_USER"/>
			</security:user-service>
		</security:authentication-provider>
	</security:authentication-manager>
	
</beans>



第四步

在web.xml中配置SpringSecurity拦截器(如果不先进行第三步的配置,下面配置完之后,tomcat启动会报错)

<!-- 配置SpringSecurity -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	


好了,现在已经配置完成,tomcat已经可以启动了。但是还没有配置具体的权限策略。


第五步

配置Hibernate

在applicationContext.xml中配置JPA

	<!-- 开启注解事物 -->
	 <tx:annotation-driven transaction-manager="transactionManager" proxy-target-class="true" />  
	
	<!-- 配置hibernate -->
	<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" destroy-method="close">     
       <!-- 指定连接数据库的驱动 -->     
       <property name="driverClass" value="com.mysql.jdbc.Driver"/>     
       <!-- 指定连接数据库的URL -->     
       <property name="jdbcUrl" value="jdbc:mysql:///spring-scurity"/>     
       <!-- 指定连接数据库的用户名 -->     
       <property name="user" value="root"/>     
       <!-- 指定连接数据库的密码 -->     
       <property name="password" value="root"/>     
       <!-- 指定连接数据库连接池的最大连接数 -->     
       <property name="maxPoolSize" value="20"/>     
       <!-- 指定连接数据库连接池的最小连接数 -->     
       <property name="minPoolSize" value="1"/>     
       <!-- 指定连接数据库连接池的初始化连接数 -->     
       <property name="initialPoolSize" value="1"/>     
       <!-- 指定连接数据库连接池的连接的最大空闲时间 -->     
       <property name="maxIdleTime" value="20"/>     
    </bean>   
      
    <bean id="sessionFactory" class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean" >  
            <property name="dataSource" ref="dataSource"></property>  
            <property name="hibernateProperties">  
                <props>  
                    <prop key="hibernate.dialect">org.hibernate.dialect.MySQL5InnoDBDialect</prop>  
                    <prop key="hibernate.show_sql">true</prop>  
                    <prop key="hibernate.query.substitutions">true 1,false 0</prop>  
                    <prop key="hibernate.hbm2ddl.auto">update</prop>  
                </props>  
            </property>  
            <property name="packagesToScan">  
                <list>  
                    <value>com.zf.pojo</value>   
                </list>  
            </property>       
    </bean>  
      
    <!-- 事务管理器 -->  
    <bean id="transactionManager" class="org.springframework.orm.hibernate3.HibernateTransactionManager">  
        <property name="sessionFactory" ref="sessionFactory"></property>  
    </bean>  
  

第六步

编写实体类与DAO

package com.zf.pojo;

import java.util.ArrayList;
import java.util.Date;
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.Table;
import javax.persistence.Temporal;
import javax.persistence.TemporalType;

@Entity
@Table(name = "etuser")
public class ETUser {

	@Id
	@GeneratedValue(strategy = GenerationType.AUTO)
	private int id ;
	
	private String username ;
	
	private String password ;
	
	private int age ;
	
	@ManyToMany
	@JoinTable(name="user_role" , joinColumns = {
			@JoinColumn(name = "userid")
	}, inverseJoinColumns = {@JoinColumn(name="roleid")}) 
	private List<ETRole> roles = new ArrayList<ETRole>();  
	
	@Temporal(TemporalType.DATE)
	private Date regDate ;

	public int getId() {
		return id;
	}

	public void setId(int id) {
		this.id = id;
	}

	public String getUsername() {
		return username;
	}

	public void setUsername(String username) {
		this.username = username;
	}

	public String getPassword() {
		return password;
	}

	public void setPassword(String password) {
		this.password = password;
	}

	public int getAge() {
		return age;
	}

	public void setAge(int age) {
		this.age = age;
	}

	public Date getRegDate() {
		return regDate;
	}

	public void setRegDate(Date regDate) {
		this.regDate = regDate;
	}

	public List<ETRole> getRoles() {
		return roles;
	}

	public void setRoles(List<ETRole> roles) {
		this.roles = roles;
	}
	
	
}


package com.zf.pojo;

import java.util.ArrayList;
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.Table;

@Entity
@Table(name = "etrole")
public class ETRole {

	@Id
	@GeneratedValue(strategy = GenerationType.AUTO)
	private int id;
	
	private String roleCode ;
	
	private String despripe ;
	
	
	@ManyToMany
	@JoinTable(name="user_role" , joinColumns = {
			@JoinColumn(name = "roleid")
	}, inverseJoinColumns = {@JoinColumn(name="userid")}) 
	private List<ETUser> users = new ArrayList<ETUser>();

	public int getId() {
		return id;
	}

	public void setId(int id) {
		this.id = id;
	}

	public String getRoleCode() {
		return roleCode;
	}

	public void setRoleCode(String roleCode) {
		this.roleCode = roleCode;
	}

	public String getDespripe() {
		return despripe;
	}

	public void setDespripe(String despripe) {
		this.despripe = despripe;
	}

	public List<ETUser> getUsers() {
		return users;
	}

	public void setUsers(List<ETUser> users) {
		this.users = users;
	}

	
}


package com.zf.dao;

import java.util.List;

import javax.annotation.Resource;

import org.hibernate.SessionFactory;
import org.springframework.orm.hibernate3.support.HibernateDaoSupport;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;

import com.zf.pojo.ETUser;

@Service("UserDao")
@Transactional(propagation = Propagation.REQUIRED)
public class UserDao extends HibernateDaoSupport{
	
	
	/**
	 * 根据用户名查询用户
	 * @param username
	 * @return
	 */
	@SuppressWarnings("unchecked")
	public ETUser findUserByUserName(String username){
		List<ETUser> result =  getHibernateTemplate().find("from ETUser e where e.username = ?"
				, username );
		if(result != null && !result.isEmpty())    
			return result.get(0);
		return null ;
	}

	/**
	 * 根据用户名和密码查询用户
	 * @param username
	 * @param password
	 * @return
	 */
	@SuppressWarnings("unchecked")
	public ETUser findUserBuNameAndPwd(String username , String password){
		List<ETUser> result =  getHibernateTemplate().find("from ETUser e where e.username = ? and e.password = ?"
				, username , password);
		if(result != null && !result.isEmpty())  
			return result.get(0);
		return null ;
	}
	
	@Resource(name = "sessionFactory")
	public void setMySessionFactory(SessionFactory sessionFactory){
		super.setSessionFactory(sessionFactory);
	}


}



下面来配置使用数据库中的用户。.

编写处理用户信息的UserDetailsService实现类

package com.zf.service;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import javax.annotation.Resource;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Repository;

import com.zf.dao.UserDao;
import com.zf.pojo.ETRole;
import com.zf.pojo.ETUser;

/**
 * 该类用户从数据库获取用户信息和用户权限信息 提供给spring-security使用
 * @author Administrator
 *
 */
@Repository("ETUserDetailService")
public class ETUserDetailService implements UserDetailsService{

	@Resource(name = "UserDao")
	private UserDao userdao ;
	
	public UserDetails loadUserByUsername(String username)
			throws UsernameNotFoundException {
		ETUser etuser = userdao.findUserByUserName(username);
		UserDetails user = null ;
		if(etuser != null){
			user = new User(username, etuser.getPassword(), true,
					true , 
					true,
					true,findUserAuthorities(etuser) );
		}
		
		return user;
	}

	/**
	 * 获取用户的权限
	 * @param user
	 * @return
	 */
	@SuppressWarnings("deprecation")
	public Collection<GrantedAuthority> findUserAuthorities(ETUser user){
		List<GrantedAuthority> autthorities = new ArrayList<GrantedAuthority>();
		List<ETRole> roles =  user.getRoles();
		System.out.println(roles.size());
		for (ETRole etRole : roles) {
			autthorities.add(new GrantedAuthorityImpl(etRole.getRoleCode()));
		}
		return autthorities ;
	}
	
	
}


配置spring-security.xml 。

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans 
	   		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
			http://www.springframework.org/schema/security 
			http://www.springframework.org/schema/security/spring-security-3.1.xsd">
	
	<!--use-expressions="true" 的意思是开启表达式 access-denied-page的意思是,当验证权限失败后会跳转到的页面  -->
	<security:http auto-config="true" use-expressions="true" access-denied-page="/powermiss.jsp" >
		
		<!-- 对登录页面,所有的用户都可以访问 -->		
		<security:intercept-url pattern="/login.jsp"  access="permitAll" />
		<!-- 对所有的资源,都必须要有ROLE_USER角色的用户 才可以访问 -->
		<security:intercept-url pattern="/*"  access="hasRole('ADMIN')" />
		<!-- 配置登录页面为login.jsp ,登录成功默认跳转到index.jsp,登录失败返回login.jsp并携带参数error=true -->
		<security:form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true" />
		
	</security:http>
	
	<!-- 配置一个认证管理器 -->
	<security:authentication-manager>
		<!-- 使用自定义的UserDetailService  -->
		<security:authentication-provider user-service-ref="ETUserDetailService">
		<!-- 下面的内容就可注释掉了 -->
<!-- 			<security:user-service> -->
				<!-- 这样的配置表示向系统中添加了一个用户 用户名和密码都为admin ,并且该用户拥有ROLE_USER角色(角色可以用逗号隔开) -->
<!-- 				<security:user name="admin" password="admin" authorities="ROLE_USER"/> -->
<!-- 			</security:user-service> -->
		</security:authentication-provider>
	</security:authentication-manager>
	
</beans>

web.mvc 中配置openSessionInView

<filter>
		<filter-name>openSessionInView</filter-name>
		<filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
		<init-param>
			<param-name>singleSession</param-name>
			<param-value>true</param-value>
		</init-param>
	</filter>
	
	<filter-mapping>
		<filter-name>openSessionInView</filter-name>
		<url-pattern>*.action</url-pattern>
	</filter-mapping>
	
	<!-- 如果配置opensessionInView ,别忘了给login的action也加上 -->
	<filter-mapping>
		<filter-name>openSessionInView</filter-name>
		<url-pattern>/j_spring_security_check</url-pattern>
	</filter-mapping>
	
	


spring-mvc.xml 中配置OpenSessionInView 

<!-- 处理在类级别上的@RequestMapping注解 -->
	<bean
		class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
		<property name="interceptors">        <!-- 配置过滤器 -->
			<list>
				<ref bean="openSessionInView" />
			</list>
		</property>
	</bean>


	<!-- 将OpenSessionInView 打开 -->
	<bean id="openSessionInView"
		class="org.springframework.orm.hibernate3.support.OpenSessionInViewInterceptor">
		<property name="sessionFactory" ref="sessionFactory"></property>
	</bean>


编写测试用的页面。

login.jsp

<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <base href="<%=basePath%>">
    
    <title>My JSP 'index.jsp' starting page</title>
	<meta http-equiv="pragma" content="no-cache">
	<meta http-equiv="cache-control" content="no-cache">
	<meta http-equiv="expires" content="0">    
	<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
	<meta http-equiv="description" content="This is my page">
	<!--
	<link rel="stylesheet" type="text/css" href="styles.css">
	-->
  </head>
  <body>
    <h3>用户登录</h3>
    <!-- from的action地址,以及用户名密码的name 。都是spring-security固定的。 -->
   	 <form action="<%=basePath %>j_spring_security_check" method="post">    
  
        <p>  
            <label for="j_username">Username</label> <input id="j_username"  
                name="j_username" type="text" />  
        </p>  
  
        <p>  
            <label for="j_password">Password</label> <input id="j_password"  
                name="j_password" type="password" />  
        </p>  
  		
        <input type="submit" value="Login" />  
  
    </form>  
    
  </body>
</html>

index.jsp

<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <base href="<%=basePath%>">
    
    <title>My JSP 'index.jsp' starting page</title>
	<meta http-equiv="pragma" content="no-cache">
	<meta http-equiv="cache-control" content="no-cache">
	<meta http-equiv="expires" content="0">    
	<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
	<meta http-equiv="description" content="This is my page">
	<!--
	<link rel="stylesheet" type="text/css" href="styles.css">
	-->
  </head>
       
  <body>       
  		<h3>登录成功,欢迎您:<sec:authentication property="name" /></h3>      
  		<a href="<%=basePath%>admin.jsp">进入管理员页面</a>
  		<a href="<%=basePath%>vip.jsp">进入会员页面</a>
  		<a href="<%=basePath%>auth/logout">注销</a>  
  </body>
</html>

admin.jsp

<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <base href="<%=basePath%>">
    
    <title>My JSP 'index.jsp' starting page</title>
	<meta http-equiv="pragma" content="no-cache">
	<meta http-equiv="cache-control" content="no-cache">
	<meta http-equiv="expires" content="0">    
	<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
	<meta http-equiv="description" content="This is my page">
	<!--
	<link rel="stylesheet" type="text/css" href="styles.css">
	-->
  </head>
  
  <body>  
  		<h3>管理员页面</h3>
  </body>
</html>


<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <base href="<%=basePath%>">
    
    <title>My JSP 'index.jsp' starting page</title>
	<meta http-equiv="pragma" content="no-cache">
	<meta http-equiv="cache-control" content="no-cache">
	<meta http-equiv="expires" content="0">    
	<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
	<meta http-equiv="description" content="This is my page">
	<!--
	<link rel="stylesheet" type="text/css" href="styles.css">
	-->
  </head>
  
  <body>  
  		<h3>会员页面</h3>    
  </body>
</html>


powermiss.jsp

<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <base href="<%=basePath%>">
    
    <title>My JSP 'powermiss.jsp' starting page</title>
    
	<meta http-equiv="pragma" content="no-cache">
	<meta http-equiv="cache-control" content="no-cache">
	<meta http-equiv="expires" content="0">    
	<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
	<meta http-equiv="description" content="This is my page">
	<!--
	<link rel="stylesheet" type="text/css" href="styles.css">
	-->


  </head>
  
  <body>
  	
  	<h1 style="color: red;">对不起,您无权访问该资源!</h1>
  	
  </body>
</html>

重新配置spring-security.xml 中各资源的权限

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans 
	   		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
			http://www.springframework.org/schema/security 
			http://www.springframework.org/schema/security/spring-security-3.1.xsd">
	
	<!--use-expressions="true" 的意思是开启表达式 access-denied-page的意思是,当验证权限失败后会跳转到的页面  -->
	<security:http auto-config="true" use-expressions="true" access-denied-page="/powermiss.jsp" >
		
		<!-- 对登录页面,所有的用户都可以访问 -->		
		<security:intercept-url pattern="/login.jsp*"  access="permitAll" />
		<security:intercept-url pattern="/vip.jsp*"  access="hasRole('VIP')" />
		<security:intercept-url pattern="/admin.jsp*"  access="hasRole('ADMIN')" />
		<!-- 对所有的资源,都必须要有COMM权限 才可以访问 -->
		<security:intercept-url pattern="/*"  access="hasRole('COMM')" />
		<!-- 配置登录页面为login.jsp ,登录成功默认跳转到index.jsp,登录失败返回login.jsp并携带参数error=true -->
		<security:form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true" />
		<!-- 退出配置 -->
		<security:logout invalidate-session="true" logout-success-url="/login.jsp" logout-url="/auth/logout"/>
	
	</security:http>
	
	<!-- 配置一个认证管理器 -->
	<security:authentication-manager>
		<!-- 使用自定义的UserDetailService  -->
		<security:authentication-provider user-service-ref="ETUserDetailService">
		<!-- 下面的内容就可注释掉了 -->
<!-- 			<security:user-service> -->
				<!-- 这样的配置表示向系统中添加了一个用户 用户名和密码都为admin ,并且该用户拥有ROLE_USER角色(角色可以用逗号隔开) -->
<!-- 				<security:user name="admin" password="admin" authorities="ROLE_USER"/> -->
<!-- 			</security:user-service> -->
		</security:authentication-provider>
	</security:authentication-manager>
	
</beans>

向数据库中添加测试数据。



然后就可以测试访问了。



使用注解方式对指定的方法进行权限控制

AdminService.java

package com.zf.service;

import javax.annotation.security.RolesAllowed;

import org.springframework.security.access.prepost.PreAuthorize;

public interface AdminService {

	/* 拥有 Admin 权限才能的方法 ,必须定义在接口上面*/  
	@PreAuthorize("hasRole('ADMIN')")
	public String test01() ;    
	
	@RolesAllowed({"ADMIN"})
	public String test02();
	
	/* 上面的两种注解都可以 */
	
}


AdminServiceImpl.java
package com.zf.service;

import org.springframework.stereotype.Service;

@Service("AdminServiceImpl")
public class AdminServiceImpl implements AdminService{
	   
	public String test01(){    
		System.out.println("方法test01被Admin用户调用");
		return "success";
	}

	public String test02() {
		System.out.println("方法test02被Admin用户调用");
		return "success";
	}

}

package com.zf.control;

import javax.annotation.Resource;

import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

import com.zf.service.AdminService;

@Controller
@RequestMapping("/admin/")
@Scope("request")
public class AdminController {
    
	@Resource(name = "AdminServiceImpl")
	private AdminService adminService;
	
	@RequestMapping(value = "test01")
	public ModelAndView test01(){
		ModelAndView mav = new ModelAndView("admin");  
		System.out.println(adminService.test01());
		return mav ;
	}
	
	
	@RequestMapping(value = "test02")
	public ModelAndView test02(){
		ModelAndView mav = new ModelAndView("admin");  
		System.out.println(adminService.test01());
		return mav ;
	}
	
	
}

向index.jsp中添加两个链接

<a href="<%=basePath%>admin/test01.action">/admin/test01</a>
  <a href="<%=basePath%>admin/test02.action">/admin/test02</a>


现在就可以测试了。



在jsp页面使用security标签需要引入<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>库


如果是使用freemarker ,配置方法见 http://blog.sina.com.cn/s/blog_55bba7c10100h5bz.html



其他功能

在http标签内配置

<!-- 配置session失效之后跳转到的页面 session-authentication-error-url指向的是登录被限制后跳转到的页面 -->
		<security:session-management invalid-session-url="/sessiontimeout.jsp"  session-authentication-error-url="/loginerror.jsp">
			<!-- 配置一个帐号同时只能有一个会话,这样当有第二个用户登录的时候,第一个用户就会失效 -->
			<security:concurrency-control max-sessions="1" />
			<!-- 配置一个帐号同时智能有一个会话 ,并且第第二个尝试登录的账户不能让他登录,然后跳转到session-authentication-error-url指向的页面-->
			<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"   />
		</security:session-management>


配置登录验证码实例:

写一个VolidateAuthCodeUsernamePasswordAuthenticationFilter继承UsernamePasswordAuthenticationFilter用于验证用户登录

package com.zf.myfilter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * 扩展UsernamePasswordAuthenticationFilter加上验证码的功能
 *   
 * @author Administrator
 *
 */
public class VolidateAuthCodeUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter{

	@Override
	public Authentication attemptAuthentication(HttpServletRequest request,
			HttpServletResponse response) throws AuthenticationException {
		System.out.println("进入了VolidateAuthCodeUsernamePasswordAuthenticationFilter" + request.getParameter("j_username"));
		//这里可以进行验证验证码的操作
		
		return super.attemptAuthentication(request, response);
	}

}

需要配置一个LoginUrlAuthenticationEntryPoint bean

	<bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
		<property name="loginFormUrl" value="/login.jsp"></property>
	</bean>

配置过滤器bean

	<!-- 验证码过滤器 -->
	<bean id="validateCodeAuthenticationFilter"
		class="com.zf.myfilter.VolidateAuthCodeUsernamePasswordAuthenticationFilter">
		<property name="authenticationSuccessHandler"
			ref="loginLogAuthenticationSuccessHandler"></property>
		<property name="authenticationFailureHandler"
			ref="simpleUrlAuthenticationFailureHandler"></property>
		<property name="authenticationManager" ref="authenticationManager"></property>
	</bean>

	<!-- 登录成功 -->
	<bean id="loginLogAuthenticationSuccessHandler"
		class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
		<property name="defaultTargetUrl" value="/index.jsp"></property>
	</bean>

	<!-- 登录失败 -->
	<bean id="simpleUrlAuthenticationFailureHandler"
		class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
		<property name="defaultFailureUrl" value="/index.jsp?error=true"></property>
	</bean>

将 <http> 中的auto-config 属性删除。加上 entry-point-ref="authenticationProcessingFilterEntryPoint" 属性

并将<form-login> 删除,使用<security:custom-filter
ref="validateCodeAuthenticationFilter"  position="FORM_LOGIN_FILTER"
/> 替代 FORM_LOGIN_FILTER拦截器


完整的spring-security.xml 配置如下:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans 
	   		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
			http://www.springframework.org/schema/security 
			http://www.springframework.org/schema/security/spring-security-3.1.xsd">

	<!-- 启用注解方式对方法的权限控制 -->
	<security:global-method-security
		pre-post-annotations="enabled" secured-annotations="enabled"
		jsr250-annotations="enabled" proxy-target-class="true">
		<security:protect-pointcut access="VIP"
			expression="execution(* com.zf.service.VipService.*(..))" />
	</security:global-method-security>

	<!--use-expressions="true" 的意思是开启表达式 access-denied-page的意思是,当验证权限失败后会跳转到的页面 -->
	<security:http use-expressions="true" access-denied-page="/powermiss.jsp" entry-point-ref="authenticationProcessingFilterEntryPoint">
		<!-- 对登录页面,所有的用户都可以访问 -->
		<security:intercept-url pattern="/login.jsp*"
			access="permitAll" />
		<security:intercept-url pattern="/vip.jsp*"
			access="hasRole('VIP')" />
		<security:intercept-url pattern="/admin.jsp*"
			access="hasRole('ADMIN')" />
		<!-- 对所有的资源,都必须要有COMM权限 才可以访问 -->  
		<security:intercept-url pattern="/*"
			access="hasRole('COMM')" />
			
		<!-- 使用自己的过滤器 -->
		<!-- 下面的配置表示将自己的过滤器放在FORM_LOGIN_FILTER过滤链的最前面(可以这样来验证登录验证码) -->
		<security:custom-filter
			ref="validateCodeAuthenticationFilter"  position="FORM_LOGIN_FILTER"
			 />
			
		<!-- 配置登录页面为login.jsp ,登录成功默认跳转到index.jsp,登录失败返回login.jsp并携带参数error=true -->
<!-- 		<security:form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true" />  -->
		
		<!-- 退出配置 -->
		<security:logout invalidate-session="true"
			logout-success-url="/login.jsp" logout-url="/auth/logout" />

	</security:http>
	
	
	<bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
		<property name="loginFormUrl" value="/login.jsp"></property>
	</bean>

	<!-- 验证码过滤器 -->
	<bean id="validateCodeAuthenticationFilter"
		class="com.zf.myfilter.VolidateAuthCodeUsernamePasswordAuthenticationFilter">
		<property name="authenticationSuccessHandler"
			ref="loginLogAuthenticationSuccessHandler"></property>
		<property name="authenticationFailureHandler"
			ref="simpleUrlAuthenticationFailureHandler"></property>
		<property name="authenticationManager" ref="authenticationManager"></property>
	</bean>

	<!-- 登录成功 -->
	<bean id="loginLogAuthenticationSuccessHandler"
		class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
		<property name="defaultTargetUrl" value="/index.jsp"></property>
	</bean>

	<!-- 登录失败 -->
	<bean id="simpleUrlAuthenticationFailureHandler"
		class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
		<property name="defaultFailureUrl" value="/index.jsp?error=true"></property>
	</bean>


	<!-- 配置一个认证管理器 -->
	<security:authentication-manager alias="authenticationManager">
		<!-- 使用自定义的UserDetailService -->
		<security:authentication-provider
			user-service-ref="ETUserDetailService">
			<!-- 下面的内容就可注释掉了 -->
			<!-- <security:user-service> -->
			<!-- 这样的配置表示向系统中添加了一个用户 用户名和密码都为admin ,并且该用户拥有ROLE_USER角色(角色可以用逗号隔开) -->
			<!-- <security:user name="admin" password="admin" authorities="ROLE_USER"/> -->
			<!-- </security:user-service> -->
		</security:authentication-provider>
	</security:authentication-manager>


</beans>




SPEL 表达式 

	//拥有DISUSER_PUBLISH_ROOM一个权限就可以访问
//	@PreAuthorize("hasRole('DISUSER_PUBLISH_ROOM')")
	
	//拥有DISUSER_PUBLISH_ROOM、DISUSER_MODIFY_ROOM中任意一个权限即可访问
	@PreAuthorize("hasAnyRole('DISUSER_PUBLISH_ROOM','DISUSER_ADMIN')") 
	// or
//	@PreAuthorize("hasRole('DISUSER_PUBLISH_ROOM') or hasRole('DISUSER_MODIFY_ROOM')")
	
	//必须同时拥有DISUSER_PUBLISH_ROOM、DISUSER_MODIFY_ROOM两个权限才可以访问
    //@PreAuthorize("hasRole('DISUSER_PUBLISH_ROOM') and hasRole('DISUSER_MODIFY_ROOM')")





未完待续》。。

评论 31
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值