Spring Security应用实例(一):用户登录

最新推荐文章于 2024-06-15 16:48:03 发布
最新推荐文章于 2024-06-15 16:48:03 发布
阅读量249 收藏
点赞数
分类专栏: 身份验证 文章标签: Security Spring 应用服务器 Bean Hibernate

经过Spring Security官方文档及相关资料的学习,自己做了一个简单的用户登录模块,现在将自己写的代码整理处理,以供大家参考或交流,如有不对,请指正错误。

1、库表建立

     1)用户表

DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
  `id` int(10) NOT NULL auto_increment,
  `login_name` varchar(20) default NULL,
  `password` varchar(20) default NULL,
  `name` varchar(20) default NULL,
  `email` varchar(30) default NULL,
  PRIMARY KEY  (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

     2)角色表

DROP TABLE IF EXISTS `roles`;
CREATE TABLE `roles` (
  `id` int(10) NOT NULL auto_increment,
  `name` varchar(20) default NULL,
  PRIMARY KEY  (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

     3)权限表

DROP TABLE IF EXISTS `authorities`;
CREATE TABLE `authorities` (
  `id` int(10) NOT NULL auto_increment,
  `name` varchar(20) default NULL,
  `display_name` varchar(20) default NULL,
  PRIMARY KEY  (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

     4)用户-角色表

DROP TABLE IF EXISTS `users_roles`;
CREATE TABLE `users_roles` (
  `user_id` int(10) NOT NULL,
  `role_id` int(10) NOT NULL,
  PRIMARY KEY  (`user_id`,`role_id`),
  KEY `FK_R_2` (`role_id`),
  CONSTRAINT `FK_R_1` FOREIGN KEY (`user_id`) REFERENCES `users` (`id`),
  CONSTRAINT `FK_R_2` FOREIGN KEY (`role_id`) REFERENCES `roles` (`id`)

 

    5)角色-权限表

DROP TABLE IF EXISTS `roles_authorities`;
CREATE TABLE `roles_authorities` (
  `role_id` int(10) NOT NULL,
  `authority_id` int(10) NOT NULL,
  PRIMARY KEY  (`role_id`,`authority_id`),
  KEY `FK_R_4` (`authority_id`),
  CONSTRAINT `FK_R_3` FOREIGN KEY (`role_id`) REFERENCES `roles` (`id`),
  CONSTRAINT `FK_R_4` FOREIGN KEY (`authority_id`) REFERENCES `authorities` (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

 

2、建立Pojo类

     1)用户

package cn.com.sunjiesh.springmvcdemo.entity;

import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.MappedSuperclass;

/**
 * 统一定义id的entity基类.
 * 
 * @author calvin
 */
@MappedSuperclass
public class IdEntity {

	private Long id;

	@Id
	@GeneratedValue(strategy = GenerationType.IDENTITY)
	public Long getId() {
		return id;
	}

	public void setId(Long id) {
		this.id = id;
	}
}
  
package cn.com.sunjiesh.springmvcdemo.entity.user;

import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import javax.persistence.CascadeType;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.OrderBy;
import javax.persistence.Table;
import javax.persistence.Transient;

import org.apache.commons.lang.builder.ToStringBuilder;
import org.hibernate.annotations.Cache;
import org.hibernate.annotations.CacheConcurrencyStrategy;
import org.hibernate.annotations.Fetch;
import org.hibernate.annotations.FetchMode;
import org.springside.modules.utils.CollectionUtils;

import cn.com.sunjiesh.springmvcdemo.entity.IdEntity;

/**
 * 用户.
 * 
 * 注意@Cache(Entity与集合的缓存),@ManyToMany/@JoinTable(多对多关系),@OrderBy/LinkedHashSet(集合排序),@Transient(非持久化属性)的应用.
 * 
 * @author calvin
 */
@Entity
@Table(name = "USERS")
@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
public class User extends IdEntity {

	private String loginName;

	private String password;

	private String name;

	private String email;

	private Set<Role> roles = new LinkedHashSet<Role>();

	@Column(name="login_name")
	public String getLoginName() {
		return loginName;
	}

	public void setLoginName(String loginName) {
		this.loginName = loginName;
	}

	@Column(name="password")
	public String getPassword() {
		return password;
	}

	public void setPassword(String password) {
		this.password = password;
	}

	@Column(name="name")
	public String getName() {
		return name;
	}

	public void setName(String name) {
		this.name = name;
	}

	@Column(name="email")
	public String getEmail() {
		return email;
	}

	public void setEmail(String email) {
		this.email = email;
	}

	@ManyToMany(cascade = { CascadeType.PERSIST, CascadeType.MERGE },fetch=FetchType.EAGER)
	@JoinTable(name = "USERS_ROLES", joinColumns = { @JoinColumn(name = "USER_ID") }, inverseJoinColumns = { @JoinColumn(name = "ROLE_ID") })
	@OrderBy("id")
	@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
	public Set<Role> getRoles() {
		return roles;
	}

	public void setRoles(Set<Role> roles) {
		this.roles = roles;
	}

	@Transient
	public String getRoleNames() throws Exception {
		return CollectionUtils.fetchPropertyToString(roles, "name", ", ");
	}

	@SuppressWarnings("unchecked")
	@Transient
	public List<Long> getRoleIds() throws Exception {
		return CollectionUtils.fetchPropertyToList(roles, "id");
	}

	@Override
	public String toString() {
		return ToStringBuilder.reflectionToString(this);
	}
}
 

     2)角色

package cn.com.sunjiesh.springmvcdemo.entity.user;

import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import javax.persistence.CascadeType;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.OrderBy;
import javax.persistence.Table;
import javax.persistence.Transient;

import org.apache.commons.lang.builder.ToStringBuilder;
import org.hibernate.annotations.Cache;
import org.hibernate.annotations.CacheConcurrencyStrategy;
import org.springside.modules.utils.CollectionUtils;

import cn.com.sunjiesh.springmvcdemo.entity.IdEntity;

/**
 * 角色.
 * 
 * 注意@Cache(Entity与集合的缓存),@ManyToMany/@JoinTable(多对多关系),@OrderBy/LinkedHashSet(集合排序),@Transient(非持久化属性)的应用.
 * 
 * @author calvin
 */
@Entity
@Table(name = "ROLES")
@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
public class Role extends IdEntity {

	private String name;

	private Set<Authority> auths = new LinkedHashSet<Authority>();

	public String getName() {
		return name;
	}

	public void setName(String name) {
		this.name = name;
	}

	@ManyToMany(cascade = { CascadeType.PERSIST, CascadeType.MERGE },fetch=FetchType.EAGER)
	@JoinTable(name = "ROLES_AUTHORITIES", joinColumns = { @JoinColumn(name = "ROLE_ID") }, inverseJoinColumns = { @JoinColumn(name = "AUTHORITY_ID") })
	@OrderBy("id")
	@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
	public Set<Authority> getAuths() {
		return auths;
	}

	public void setAuths(Set<Authority> auths) {
		this.auths = auths;
	}

	@Transient
	public String getAuthNames() throws Exception {
		return CollectionUtils.fetchPropertyToString(auths, "displayName", ", ");
	}

	@SuppressWarnings("unchecked")
	@Transient
	public List<Long> getAuthIds() throws Exception {
		return CollectionUtils.fetchPropertyToList(auths, "id");
	}

	@Override
	public String toString() {
		return ToStringBuilder.reflectionToString(this);
	}
}
 

     3)权限

package cn.com.sunjiesh.springmvcdemo.entity.user;

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Table;

import org.apache.commons.lang.builder.ToStringBuilder;
import org.hibernate.annotations.Cache;
import org.hibernate.annotations.CacheConcurrencyStrategy;

import cn.com.sunjiesh.springmvcdemo.entity.IdEntity;

/**
 * 权限.
 * 
 * @Cache使用READ_ONLY策略.
 * 
 * @author calvin
 */
@Entity
@Table(name = "AUTHORITIES")
@Cache(usage = CacheConcurrencyStrategy.READ_ONLY)
public class Authority extends IdEntity {

	private String name;

	private String displayName;

	public String getName() {
		return name;
	}

	public void setName(String name) {
		this.name = name;
	}

	@Column(name="display_name")
	public String getDisplayName() {
		return displayName;
	}

	public void setDisplayName(String displayName) {
		this.displayName = displayName;
	}

	@Override
	public String toString() {
		return ToStringBuilder.reflectionToString(this);
	}
}
 

     注意:@ManyToMany中的fetch=FetchType.EAGER。如果fetch=FetchType.LAZY会报异常。

3、建立DAO类

    1)接口

 

package cn.com.sunjiesh.springmvcdemo.dao.iface;

import cn.com.sunjiesh.springmvcdemo.entity.user.User;



/**
 * 
 * @author sunjie
 * @since 2009-03-29
 * 
 */
public interface IUserDAO extends IBaseHibernateDAO<User> {

	public User getUserByUserName(String username);

}
 

    2)实现类

package cn.com.sunjiesh.springmvcdemo.dao.impl;

import org.apache.log4j.Logger;
import org.hibernate.Query;


import cn.com.sunjiesh.springmvcdemo.dao.iface.IUserDAO;
import cn.com.sunjiesh.springmvcdemo.entity.user.User;

public class UserDAOImpl extends BaseHibernateDAOImpl<User> implements IUserDAO {

	private static Logger LOG = Logger.getLogger(UserDAOImpl.class);

	public User getUserByUserName(String username) {
		String hql = "from User where loginName = ?";
		Query query = getSession().createQuery(hql);
		query.setParameter(0, username);
		User user = (User) query.list().get(0);
		return user;
	}

}

 

4、Spring Security相关代码

package cn.com.sunjiesh.springmvcdemo.service.security;

import java.util.ArrayList;
import java.util.List;

import org.apache.log4j.Logger;
import org.springframework.dao.DataAccessException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;

import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

import cn.com.sunjiesh.springmvcdemo.dao.iface.IUserDAO;
import cn.com.sunjiesh.springmvcdemo.entity.user.Authority;
import cn.com.sunjiesh.springmvcdemo.entity.user.Role;
import cn.com.sunjiesh.springmvcdemo.entity.user.User;



/**
 * 实现SpringSecurity的UserDetailsService接口,获取用户Detail信息.
 * @author calvin
 */
public class UserDetailServiceImpl implements UserDetailsService{

	private static Logger LOG=Logger.getLogger(UserDetailServiceImpl.class);
	
	private IUserDAO userDao;
	
	public UserDetails loadUserByUsername(String username)
			throws UsernameNotFoundException, DataAccessException {
		if(username==null){
			LOG.error("username is null");
		}
		if(userDao==null){
			LOG.error("userDao is null");
		}
		User user=userDao.getUserByUserName(username);
		//TOTO 判断用户存在,如果不存在,则抛出异常。
		if(user==null){
			LOG.error(username+" is not exist", new UsernameNotFoundException(username+" is not exist"));
		}
		
		List<GrantedAuthority> authsList = new ArrayList<GrantedAuthority>();
		
		System.out.println("user.getRoles().size()="+user.getRoles().size());
		for (Role role : user.getRoles()) {
			for (Authority authority : role.getAuths()) {
				authsList.add(new GrantedAuthorityImpl(authority.getName()));
			}
		}
		
		//TODO 
		org.springframework.security.userdetails.User userdetail = new org.springframework.security.userdetails.User(
				user.getLoginName(), user.getPassword(), true, true, true, true, authsList
						.toArray(new GrantedAuthority[authsList.size()]));

		return userdetail;
	}

	public void setUserDao(IUserDAO userDao) {
		this.userDao = userDao;
	}
}
 

5、配置文件

    1)web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
	xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
	<display-name> SpringMVCDemo</display-name>
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>classpath:/cn/com/sunjiesh/springmvcdemo/spring/spring-*.xml,/WEB-INF/springmvcdemo-servlet.xml</param-value>
	</context-param>
	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>
	<!--
		Spring Security可以限制一个主体并行认证到同一系统的次数。
		很多ISV利用这点来加强授权公里,网管也喜欢这个功能,因为它可以防止人们共享登录名。
		你可以,比如,禁止用户"Batman"从两个不同的会话登录到web应用里。
	-->
	<listener>
		<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
	</listener>
	
	
   	<!--Character Encoding Convert-->
	<filter>
		<filter-name>encodingFilter</filter-name>
		<filter-class> org.springframework.web.filter.CharacterEncodingFilter 
		</filter-class>
		<init-param>
			<param-name>encoding</param-name>
			<param-value>gb2312</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>encodingFilter</filter-name>
		<url-pattern>*.do</url-pattern>
	</filter-mapping>
	<!-- Spring Security Filter-->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	
	<!-- Use DWR -->
	<servlet>
		<servlet-name>dwr-invoker</servlet-name>
		<servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
	</servlet>
	<servlet-mapping>
		<servlet-name>dwr-invoker</servlet-name>
		<url-pattern>/dwr/*</url-pattern>
	</servlet-mapping>
    <!-- Spring MVC Dispatcher -->
	<servlet>
		<servlet-name>springmvcdemo</servlet-name>
		<servlet-class> org.springframework.web.servlet.DispatcherServlet 
		</servlet-class>
		<init-param>
			<param-name>contextConfigLocation</param-name>
			<param-value>WEB-INF/springmvcdemo-servlet.xml</param-value>
		</init-param>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>springmvcdemo</servlet-name>
		<url-pattern>*.do</url-pattern>
	</servlet-mapping>
	
	<!-- JSTL Configuration -->
	<jsp-config>
		<taglib>
			<taglib-uri>http://java.sun.com/jstl/fmt</taglib-uri>
			<taglib-location>/WEB-INF/tlds/fmt.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://java.sun.com/jstl/fmt-rt</taglib-uri>
			<taglib-location>/WEB-INF/tlds/fmt-rt.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://java.sun.com/jstl/core</taglib-uri>
			<taglib-location>/WEB-INF/tlds/c.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://java.sun.com/jstl/core-rt</taglib-uri>
			<taglib-location>/WEB-INF/tlds/c-rt.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://java.sun.com/jstl/sql</taglib-uri>
			<taglib-location>/WEB-INF/tlds/sql.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://java.sun.com/jstl/sql-rt</taglib-uri>
			<taglib-location>/WEB-INF/tlds/sql-rt.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://java.sun.com/jstl/x</taglib-uri>
			<taglib-location>/WEB-INF/tlds/x.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://java.sun.com/jstl/x-rt</taglib-uri>
			<taglib-location>/WEB-INF/tlds/x-rt.tld</taglib-location>
		</taglib>
	</jsp-config>
	<welcome-file-list>
		<welcome-file>index.html</welcome-file>
		<welcome-file>index.htm</welcome-file>
		<welcome-file>index.jsp</welcome-file>
		<welcome-file>default.html</welcome-file>
		<welcome-file>default.htm</welcome-file>
		<welcome-file>default.jsp</welcome-file>
	</welcome-file-list>
</web-app>
 

 

    2)spring-base.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
	<bean id="propertyConfigurer"
		class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
		<property name="locations">
			<list>
				<value>classpath:/cn/com/sunjiesh/springmvcdemo/spring/jdbc.properties</value>
			</list>
		</property>
	</bean>
	<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
		destroy-method="close">
		<property name="driverClassName" value="${jdbc.driverClassName}" />
		<property name="url" value="${jdbc.url}" />
		<property name="username" value="${jdbc.username}" />
		<property name="password" value="${jdbc.password}" />
	</bean>
	<bean id="sessionFactory"
		class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
		<property name="dataSource" ref="dataSource" />
		<!-- Hibernate Annotation Entity -->
		<property name="annotatedClasses">
			<list>
				<value>cn.com.sunjiesh.springmvcdemo.entity.user.Authority</value>
				<value>cn.com.sunjiesh.springmvcdemo.entity.user.Role</value>
				<value>cn.com.sunjiesh.springmvcdemo.entity.user.User</value>
			</list>
		</property>
		<property name="hibernateProperties">
			<props>
				<prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
				<prop key="hibernate.show_sql">true</prop>
				<prop key="hibernate.cache.provider_class">org.hibernate.cache.EhCacheProvider</prop>
				<prop key="hibernate.cache.use_second_level_cache">false</prop>
				<prop key="hibernate.cache.use_query_cache">false</prop>
			</props>
		</property>
	</bean>
	<bean id="txManager"
		class="org.springframework.orm.hibernate3.HibernateTransactionManager">
		<property name="sessionFactory" ref="sessionFactory" />
	</bean>
	<bean id="baseTxService"
		class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean"
		abstract="true">
		<property name="transactionManager" ref="txManager" />
		<property name="proxyTargetClass" value="true" />
		<property name="transactionAttributes">
			<props>
				<prop key="get*">PROPAGATION_REQUIRED,readOnly</prop>
				<prop key="find*">PROPAGATION_REQUIRED,readOnly</prop>
				<prop key="load*">PROPAGATION_REQUIRED,readOnly</prop>
				<prop key="save*">PROPAGATION_REQUIRED</prop>
				<prop key="update*">PROPAGATION_REQUIRED</prop>
				<prop key="remove*">PROPAGATION_REQUIRED</prop>
			</props>
		</property>
	</bean>
</beans>
 

    3)spring-dao.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<!-- 
	Author By Sun Jie
	Shared document
-->
<beans default-autowire="byName" default-lazy-init="true">
	
	<!-- Add By Sun Jie -->
	<bean id="userDaoTarget" class="cn.com.sunjiesh.springmvcdemo.dao.impl.UserDAOImpl">
	</bean>
	<!-- End Edit -->
	
	<!-- Add By Sun Jie -->
	<bean id="userDao" parent="baseTxService">
		<property name="target">
			<ref bean="userDaoTarget"/>
		</property>
	</bean>
	<!-- End Edit -->
</beans>
 

    4)spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
	<!--
		FilterChainProxy会按顺序来调用这些filter,使这些filter能享用Spring Ioc的功能
	-->
	<bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
		<security:filter-chain-map path-type="ant">
			<security:filter-chain pattern="/user/**"
				filters="httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter" />
		</security:filter-chain-map>
	</bean>
	<!--
		集成过滤器(HttpSessionContextIntegrationFilter是集成过滤器的一个实现)
		每次request前HttpSessionContextIntegrationFilter从Session中获取Authentication对象,在request完后
		又把Authentication对象保存到Session中供下次request使用,此filter必须在其他Acegi filter前使用
	-->
	<bean id="httpSessionContextIntegrationFilter"
		class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />
    
    <!--
        退出(Logout)过滤器 退出登录操作
    -->
	<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
        <!-- 退出系统后系统跳转到此URL -->
		<constructor-arg value="/login.action" />
        <!-- 退出系统后的操作(调用logout方法) -->
		<constructor-arg>
			<list>
                <!-- 实现了LogoutHandler接口(logout方法) -->
				<ref bean="rememberMeServices" />
				<bean
					class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
			</list>
		</constructor-arg>
	</bean>
	<!--
		处理表单认证filter: 1.authenticationManager 认证管理器 2.authenticationFailureUrl
		定义登录失败时转向的页面 3.defaultTargetUrl 定义登录成功时转向的页面 4.filterProcessesUrl
		定义登录请求的地址 5.rememberMeServices 在验证成功后添加cookie信息
	-->
	<bean id="authenticationProcessingFilter"
		class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
		<property name="authenticationManager" ref="authenticationManager"></property>
		<property name="authenticationFailureUrl" value="/user/login.jsp"></property>
		<property name="defaultTargetUrl" value="/user/index.jsp"></property>
		<property name="filterProcessesUrl" value="/user/j_spring_security_check"></property>
		<property name="rememberMeServices" ref="rememberMeServices"></property>
	</bean>
	
	<!-- 基本认证机制处理 -->
	<bean id="basicProcessingFilter"
		class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
		<property name="authenticationManager">
			<ref bean="authenticationManager" />
		</property>
		<property name="authenticationEntryPoint">
			<bean id="authenticationEntryPoint"
				class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
				<property name="realmName">
					<value>Name Of Your Realm</value>
				</property>
			</bean>
		</property>
	</bean>
	<bean id="securityContextHolderAwareRequestFilter"
		class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter" />
		<!--
        如果不存在任何授权信息时,自动添加匿名用户身份至SecurityContextHolder中
    -->
	<bean id="anonymousProcessingFilter"
		class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
		<property name="key" value="springsecurity"></property>
		<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"></property>
	</bean>
	<!--
		异常处理filter(异常转换过滤器),主要是处理AccessDeniedException和AuthenticationException,
		将给每个异常找到合适的"去向"
	-->
	<bean id="exceptionTranslationFilter"
		class="org.springframework.security.ui.ExceptionTranslationFilter">
		<property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint" />
		<property name="accessDeniedHandler">
			<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
				<property name="errorPage" value="/accessDenied.jsp" />
			</bean>
		</property>
	</bean>
	<!--
		使用过滤器安全拦截器保护资源
		filterSecurityInterceptor在执行转向目标url前检查objectDefinitionSource中设定的用户权限信息,
		安全强制过滤器负责拦截请求,判断请求是否安全,并且给予认证和访问决策管理器一个机会来验证用户的身份和权限 过程:
		首先,过滤器安全拦截器使用authenticationManager调用自己的provider来对用户的认证信息进行验证并获取用户已有的权限。
		然后,使用访问决策管理器来判断用户是否拥用合适的授权来访问受保护的资源。
		(objectDefinitionSource属性定义了访问URL需要的权限信息)
		最后,有投票者根据用户持有认证和访问url需要的属性,调用自己的voter来投票,决定是否允许访问。
	-->
	<bean id="filterSecurityInterceptor"
		class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
		<property name="authenticationManager" ref="authenticationManager"></property>
		<property name="accessDecisionManager" ref="accessDecisionManager"></property>
		<!--
			<property name="objectDefinitionSource"
			ref="objectDefinitionSource"></property>
		-->
		<property name="objectDefinitionSource">
			<security:filter-invocation-definition-source>
				<security:intercept-url pattern="/secure/super/**"
					access="ROLE_WE_DONT_HAVE" />
				<security:intercept-url pattern="/secure/**"
					access="ROLE_SUPERVISOR,ROLE_TELLER" />
				<security:intercept-url pattern="/login.action*"
					access="IS_AUTHENTICATED_ANONYMOUSLY" />
				<security:intercept-url pattern="/user/user!save.action*"
					access="ROLE_MODIFY_USER" />
				<security:intercept-url pattern="/user/user!delete.action*"
					access="ROLE_MODIFY_USER" />
				<security:intercept-url pattern="/user/user*.action*"
					access="ROLE_VIEW_USER" />
				<security:intercept-url pattern="/user/role!save.action*"
					access="ROLE_MODIFY_ROLE" />
				<security:intercept-url pattern="/user/role!delete.action*"
					access="ROLE_MODIFY_ROLE" />
				<security:intercept-url pattern="/user/role*.action*"
					access="ROLE_VIEW_ROLE" />
			</security:filter-invocation-definition-source>
		</property>
	</bean>
	<!--
		访问决策管理器
		验证用户是否有权限访问相应的资源(filterSecurityInterceptor中objectDefinitionSource属性定义的访问URL需要的属性信息)
	-->
	<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased"
		p:allowIfAllAbstainDecisions="false">
		<property name="decisionVoters">
			<list>
				<bean class="org.springframework.security.vote.RoleVoter" />
				<bean class="org.springframework.security.vote.AuthenticatedVoter" />
			</list>
		</property>
	</bean>
	<bean id="authenticationProcessingFilterEntryPoint"
		class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
		<property name="loginFormUrl" value="/login.jsp" />
		<property name="forceHttps" value="false" />
	</bean>
	<!--
		认证管理器(org.springframework.security.AuthenticationManager接口)
		org.springframework.security.providers.ProviderManager是认证管理器的一个实现,
		ProviderManager通过遍历一个提供者的集合来实现身份验证, 直到某一个认证提供者能够成功地验证该用户的身份
	-->
	<!--
		通过Providers提供认证者列表,如果一个认证提供者失败可以尝试另外一个认证提供者,以保证获取不同来源的身份认证,如
		DaoAuthenticationProvider 从数据库中读取用户信息验证身份
		AnonymousAuthenticationProvider 匿名用户身份认证
		RememberMeAuthenticationProvider 已存cookie中的用户信息身份认证 其它的还有
		AuthByAdapterProvider 使用容器的适配器验证身份 CasAuthenticationProvider
		根据Yale中心认证服务验证身份, 用于实现单点登陆 JaasAuthenticationProvider
		从JASS登陆配置中获取用户信息验证身份 RemoteAuthenticationProvider 根据远程服务验证用户身份
		RunAsImplAuthenticationProvider 对身份已被管理器替换的用户进行验证
		X509AuthenticationProvider 从X509认证中获取用户信息验证身份
		TestingAuthenticationProvider 单元测试时使用
		每个认证者会对自己指定的证明信息进行认证,如DaoAuthenticationProvider仅对UsernamePasswordAuthenticationToken这个证明信息进行认证。
	-->
	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
		<property name="providers">
			<list>
				<ref local="daoAuthenticationProvider" />
				<ref local="anonymousAuthenticationProvider" />
			</list>
		</property>
		<!-- <property name="sessionController" ref="concurrentSessionController" /> -->
	</bean>
	<bean id="daoAuthenticationProvider"
		class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
		<!--  <property name="passwordEncoder" ref="passwordEncoder"></property>-->
		<property name="userDetailsService" ref="userDetailsService"></property>
	</bean>
	<bean id="anonymousAuthenticationProvider"
		class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
		<property name="key" value="springsecurity"></property>
	</bean>
	<!-- RemeberMeServices -->
	<bean id="rememberMeServices"
		class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
		<property name="key" value="springsecurity"></property>
		<property name="userDetailsService" ref="userDetailsService"></property>
	</bean>
	<bean id="userDetailsService"
		class="cn.com.sunjiesh.springmvcdemo.service.security.UserDetailServiceImpl">
		<property name="userDao" ref="userDao"></property>
		</bean>
	<bean id="passwordEncoder"
		class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />
	<bean id="loggerListener"
		class="org.springframework.security.event.authentication.LoggerListener" />
</beans>
 

    5)springmvcdemo-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- 
	Author Sun Jie
 -->
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>

	<!-- Multi-Action-->
	<bean id="methodNameResolver"
		class="org.springframework.web.servlet.mvc.multiaction.ParameterMethodNameResolver">
		<property name="paramName" value="method" />
		<property name="defaultMethodName" value="index" />
	</bean>
	<!-- View Resolver -->
	<bean id="viewResolver"
		class="org.springframework.web.servlet.view.InternalResourceViewResolver">
		<property name="viewClass"
			value="org.springframework.web.servlet.view.JstlView" />
		<property name="prefix" value="/" />
	</bean>
	<bean id="adminHandlerMapping"
		class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
		<property name="mappings">
			<props>
				<!-- Add By Sun Jie -->
				<prop key="/user/login.do">userLoginController</prop>
				<!-- Add By Sun Jie -->
			</props>
		</property>
	</bean>
	
	<bean id="userLoginController" class="cn.com.sunjiesh.springmvcdemo.web.user.LoginController"
		autowire="byName">
		<property name="successView" value="/user/index.jsp" />
		<property name="errorView" value="" />
	</bean>
</beans>
 

6、页面

<%@ page contentType="text/html;charset=gb2312"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
<%@ page import="org.springframework.security.ui.AbstractProcessingFilter"%>
<%@ page import="org.springframework.security.ui.webapp.AuthenticationProcessingFilter"%>
<%@ page import="org.springframework.security.AuthenticationException"%>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
		<title>SpringMVCDemo登录页</title>
		<%@ include file="/common/meta.jsp"%>
		<script src="${ctx}/js/validate/jquery.validate.js" type="text/javascript"></script>
		<script src="${ctx}/js/validate/messages_cn.js" type="text/javascript"></script>
  		<script>
  			$(document).ready(function(){
    			$("#loginForm").validate();
 			 });
  		</script>
	</head>
	<body>
<c:set var="ctx" value="${pageContext.request.contextPath}"/>
		<div id="content">
			<%
				if (session.getAttribute(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY) != null) {
			%>
			<span style="color:red"> 登录失败,请重试. </span>
			<%
				}
			%>
			<h2>SpringMVCDemo示例</h2>
			<h3>--CRUD管理界面演示</h3>
			<form id="loginForm" action="${ctx}/user/j_spring_security_check" method="post">
				<table class="inputView">
					<tr>
						<td>
							用户名:
						</td>
						<td>
							<input type='text' name='j_username'
								<c:if test="${not empty param.error}"> value='<%=session.getAttribute(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY)%>'</c:if> class="required"/>
						</td>
					</tr>
					<tr>
						<td>
							密码:
						</td>
						<td>
							<input type='password' name='j_password' class="required" />
						</td>
					</tr>
					<tr>
						<td colspan='2'>
							<input value="登录" type="submit" />
						</td>
					</tr>
				</table>
			</form>
		</div>
	</body>
</html>

 备注:登录页面上的表单action与spring-security中authenticationProcessingFilter过滤器中的filterProcessesUrl相对应。用户名与输入框的name属性值分别是j_username与j_password。

 

iteye_8385
关注
专栏目录
Spring security认证两类用户代码实例
08-19
在这个代码实例中,我们将探讨如何使用Spring Security来认证两类不同的用户:一类是使用内存认证的管理员,另一类是通过数据库认证的老师和学生。这个实例有助于理解Spring Security的用户认证流程以及如何根据用户...
11 | 实战案例:使用Spring Security搭建一套基于JWT的OAuth 2.0架构
qq_37756660的博客
12-01 1386
今天这一节,我们完整演示了如何使用 Spring Cloud 的 OAuth 2.0 组件基于三个程序角色(授权服务器、受保护资源服务器和客户端)实现三种 OAuth 2.0 的授权许可类型(资源拥有者凭据许可、客户端凭据许可和授权码许可)。我们先演示了三种授权许可类型的手动流程,然后也演示了如何实现权限控制和单点登录,以及如何使用客户端程序来实现自动的 OAuth 2.0 流程。今天用到的所有代码都放到了 GitHub 上,可以点击这个链接查看。
Spring Security】入门——实现用户注册登录
淮南King的博客
07-21 9917
一、项目框架1. 项目结构2. 选择安装依赖二、数据库三、代码实现1. 配置文件2. Spring Security 是一个功能强大且高度可自定义的身份验证和访问控制框架,它侧重于为 Java 应用程序提供身份验证和授权。 官网传送门:Spring Security官网 本篇文章目的在于快速使用Spring Boot与Spring Security搭建一个项目,实现简单的用户注册登录。 此项目所用知识点: Spring Boot Spring Security Mybatis 一、项目框架 1. 项目.
Spring Security实现登录
不愧是暮言的博客
05-24 3670
Spring SecuritySpring框架下的一个用于身份验证和授权的框架,它可以帮忙管理web应用中的用户认证、授权以及安全性问题。环境准备Spring Security核心概念实现基本登录功能添加Spring Security的数据库认证Spring Security是一个非常好用的身份认证和授权框架,可以有效保证应用的安全性。本文介绍了如何使用Spring Security实现基本的登录功能和数据库认证,希望这篇文章能够帮助到你。。
SpringSecurity登录流程
weixin_45802793的博客
09-27 4161
SpringSecurity登录流程 1.无处不在的Authentication 实现类中,我们最常用的是UsernamePasswordAuthenticationToken 2.登录流程 Spring Security中,认证和授权的校验都是在一系列过滤器链完成的,和认证相关的过滤器就是UsernamePasswordAuthenticationFilter public Authentication attemptAuthentication(HttpServletRequest reque
【记录笔记,大佬勿喷】 关于SpringSecurity的登录流程,结合尚硅谷以及若依的项目分析
qq_17593727的博客
03-13 1326
Spring Security基于Spring框架,提供了一套Web应用安全性的完整解决方案。Web应用的安全性包括用户认证(Authentication) 和 用户授权(Authonzation),这两点也是Spring Security重要核心功能。用户认证:验证某个用户是否为系统中的合法主体,也就是说用户能否访问该系统。用户认证一般要求用户提供用户名和密码,系统通过校验用户名和密码来完成认证过程。通俗点说就是系统认为用户是否能登录。用户授权:验证某个用户是否有权限执行某个操作。
SpringBoot + SpringSecurity + JPA 实现用户角色权限登录认证
09-10
在这个项目中,SpringSecurity被用来处理用户登录、角色权限分配和防止非法请求。 3. **JPA**:Java Persistence API是Java平台上的ORM(对象关系映射)规范,它允许开发者以面向对象的方式操作数据库,将数据对象...
Spring Security在标准登录表单中添加一个额外的字段
08-26
Spring Security在标准登录表单中添加一个额外的字段 在本文中,我们将探讨如何在Spring Security的标准登录表单中添加一个额外的字段。我们将重点关注两种不同的方法,以展示框架的多功能性以及我们可以使用它的...
spring security acl 实例
12-01
spring security acl 代码实例 spring security acl 代码实例spring security acl 代码实例spring security acl 代码实例spring security acl 代码实例spring security acl 代码实例
Spring security用户URL权限FilterSecurityInterceptor使用解析
08-25
Spring Security框架中,`FilterSecurityInterceptor`是一个关键组件,用于控制用户对应用程序不同URL的访问权限。这个拦截器在用户发起HTTP请求时介入,基于预定义的安全策略判断用户是否被授权访问请求的资源。...
Spring Security 中定义多种登录方式,比如邮箱、手机验证码登录
xxxzzzqqq_的博客
03-21 3668
自定义认证方式总体来说还是很简单的;需要从头重写的也就三个类,然后就是将其配置到Spring Security 中。如果需要再自定义手机号验证码登录,按照上述流程再走一遍就行。其实也是 copy 一份,然后进行小幅度的修改即可。
SpringSecurity之二:web自定义用户登录
铃萌的博客
05-01 2638
官方文档:Hello Spring Security :: Spring Security 一、认证流程 先了解下SpringSecurity认证的流程,如下图(图片来自官网): step1:用户提交请求,AbstractAuthenticationProcessingFilter会从请求信息中生成Authentication对象,Authentication对象根据AbstractAuthenticationProcessingFilter子类决定; step2:通过Authentication.
spring security 使用示例
红衣女妖仙的博客
08-19 2129
用户名密码认证、短信验证码认证、踢人下线、 AuthorizationFilter 授权、FilterSecurityInterceptor url / expression 授权、登出、分布式配置。 2、SecurityConfig   先添加一个 SecurityConfig 配置类,作为整个 spring security 的核心配置,后续的认证、授权等功能都将在整个配置类中完成。 3、用户名密码认证   用户名密码认证主要是自定义实现 UserDetails、UserDetailsService、A
Spring Security实例
weixin_63769623的博客
01-07 828
Spring Security实例
Spring Security - 案例
chrismurphy的博客
08-28 389
Spring Security是针对Spring项目的安全框架,也是SpringBoot底层安全模块默认的技术选型,他可以实现强大的Web安全控制,对于安全控制,我们仅需要引入spring-boot-starter-security模块,进行少量的配置,即可实现强大的安全管理!
(新)Spring Security如何实现登录认证(实战篇)
最新发布
weixin_55772633的博客
06-15 2840
①编写实现类去实现UserDetailsService接口,然后重写里面的loadUserByUsername()方法,用来用来在数据库中查询用户信息并且封装到UserDetail对象中。其中UserDetail是个接口,我们需要编写相应的实体类去实现这个接口。详细内容如4.2.1、4.2.2②更改密码加密存储模式,这时我们就可以使用Spring Security默认提供的登录接口localhost:8080/login来尝试登陆。详细内容如:4.2.3③如何登陆接口?
Spring Security 登录流程
CHENFU_ZKK的博客
09-26 1841
Spring Security 登录流程
Spring Security 应用实践
qq_38454776的博客
01-19 344
概述 Spring SecuritySpring 在安全方面的推出的框架,是采用责任链的设计模式,基于 Spring AOP 和 Servlet 过滤器进行实现。这篇文章记录认证授权的一些概念,以及如何使用其进行扩展保护我们的应用。 认证与授权的概念 认证:我是谁 授权:有哪些访问权限 在系统安全方面,我们面临的两个问题是: 1、如何保护需要访问权限的资源? 在 Java 中我们一般使用过滤器对我们的资源进行保护,使用拦截器对方法的访问进行控制。 2、用户的登录状态要如何传递? 如何让服务器意识到
Spring Security 实现单终端登录:自动踢除前一个用户
这里提到的方法有两类:一是"后来的登录自动踢掉前面的登录",如在社交应用如QQ中常见,用户一旦新设备登录,旧设备的会话将被终止;二是"如果用户已经登录,则不允许后来者登录",这是一种更为严格的权限控制策略。...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值