Maven设置
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>添加Security XML文件
文件名:applicationContext-security.xml
文件位置:src/main/resource/spring/applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
</beans> 设置web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>最小化配置securityXML
在applicationContext-security.xml中添加如下内容
<http>
<intercept-url pattern="/**" access="hasRole('USER')" />
<form-login />
<logout />
</http>intercept-url:根据pattern拦截url请求
form-login:使用一个有username和password的表单进行登录
logout:退出系统
添加用户信息用于测试
在applicationContext-security.xml中添加如下内容
<authentication-manager>
<authentication-provider>
<user-service>
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>元素:认证管理器
元素: 认证提供者
元素:用户服务,创建了两个账户,保存在内存中。
注意各元素之间的关系
访问页面
重启服务器,会有一个默认的登录页面
http://localhost/你的项目名当没有指定登录用的表单页面时,Spring Security 会生成一个默认登录低低页面。
编写login.jsp
login.jsp位于项目的根目录(webRoot)下
<body>
<form name="f" action="login" method="post">
<fieldset>
<legend>Please Login</legend>
<label for="username">Username</label>
<input type="text" id="username" name="username" value="${username}"/>
<label for="password">Password</label>
<input type="password" id="password" name="password"/>
<div class="form-actions">
<button type="submit" class="btn">Log in</button>
</div>
</fieldset>
</form>
</body>相应的securityXML 设置
<http pattern="/css/**" security="none"/>
<http pattern="/login.jsp*" security="none"/>
<http use-expressions="false">
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/login.jsp'/>
</http>当元素的属性use-expressions=”false”时,的access属性值为ROLE_USER
当元素的属性use-expressions=”true”或没有此属性时,的access属性值为hasRole(‘USER’)
当不想写login.jsp时
<http use-expressions="false">
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic />
</http>这时会弹出一个窗口用于用户登录信息的录入。大概是这样子。
设置登录成功后的跳转页面
<form-login login-page='/login.jsp' default-target-url='/home.jsp'
always-use-default-target='true' />default-target-url:登录成功后跳转页面
always-use-default-target:总是跳转到default-target-url定义的页面
给密码加密
<beans:bean name="bcryptEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<authentication-manager>
<authentication-provider>
<password-encoder ref="bcryptEncoder"/>
<user-service>
<user name="jimi" password="d7e6351eaa13189a5a3641bab846c8e8c69ba39f"
authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="4e7421b1b8765d8f9406d87e7cc6aa784c4ab97f"
authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
其它问题
当遇到
HTTP Status 403 - Could not verify the provided CSRF token because your session was not found.参考:http://blog.csdn.net/yiifaa/article/details/71744120?utm_source=itdadao&utm_medium=referral
1285
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
