- 5:完善web页面验证规则
- <http auto-config="true">
- <intercept-url pattern="/js/**" filters="none"/>
- <intercept-url pattern="/css/**" filters="none"/>
- <intercept-url pattern="/images/**" filters="none"/>
- <intercept-url pattern="/a.jsp" access="ROLE_A" />
- <intercept-url pattern="/b.jsp" access="ROLE_B" />
- <intercept-url pattern="/c.jsp" access="ROLE_A, ROLE_B" />
- <intercept-url pattern="/**" access="ROLE_USER" />
- </http>
-
<http auto-config="true"> <intercept-url pattern="/js/**" filters="none"/> <intercept-url pattern="/css/**" filters="none"/> <intercept-url pattern="/images/**" filters="none"/> <intercept-url pattern="/a.jsp" access="ROLE_A" /> <intercept-url pattern="/b.jsp" access="ROLE_B" /> <intercept-url pattern="/c.jsp" access="ROLE_A, ROLE_B" /> <intercept-url pattern="/**" access="ROLE_USER" /> </http>
- 6:自定义验证配置
- <!-- 指 定登陆页面、成功页面、失败页面-->
- <form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp" />
- <!-- 尝 试访问没有权限的页面时跳转的页面 -->
- <access-denied-handler error-page="/accessDenied.jsp"/>
- <!-- 使 用记住用户名、密码功能,指定数据源和加密的key -->
- <remember-me data-source-ref="dataSource" />
- <!-- logout 页面,logout后清除session -->
- <logout invalidate-session="true" logout-success-url="/login.jsp" />
- <!-- session 失 效后跳转的页面,最大登陆次数 -->
- <session-management invalid-session-url="/sessionTimeout.htm">
- <concurrency-control max-sessions="1" expired-url="/sessionTimeout.htm" />
- </session-management>
- </http>
- 可 以使用SS自带的登陆页面作为login.jsp的模板
-
<http auto-config="true"> <!-- 指定登陆页面、成功页面、失败页面--> <form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp" /> <!-- 尝试访问没有权限的页面时跳转的页面 --> <access-denied-handler error-page="/accessDenied.jsp"/> <!-- 使用记住用户名、密码功能,指定数据源和加密的key --> <remember-me data-source-ref="dataSource" /> <!-- logout页面,logout后清除session --> <logout invalidate-session="true" logout-success-url="/login.jsp" /> <!-- session 失效后跳转的页面,最大登陆次数 --> <session-management invalid-session-url="/sessionTimeout.htm"> <concurrency-control max-sessions="1" expired-url="/sessionTimeout.htm" /> </session-management> </http> 可以使用SS自带的登陆页面作为login.jsp的模板
- 7:本地化消息输出
拷贝本地化资源文件后,在配置文件中加载该文件:
- <!-- 加 载错误信息资源文件 -->
- <beans:bean id="messageSource"
- class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
- <beans:property name="basename" value="classpath:messages"/>
- </beans:bean>
- 资 源文件在SS核心包:spring-security-core-3.0.2.RELEASE.jar的orgspringframeworksecurity目录 中
-
<!-- 加载错误信息资源文件 --> <beans:bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"> <beans:property name="basename" value="classpath:messages"/> </beans:bean> 资源文件在SS核心包:spring-security-core-3.0.2.RELEASE.jar的orgspringframeworksecurity目录中
- 8:在web页面中获取用户信息
- 方式 一:Java代码
- Authentication auth = SecurityContextHolder.getContext().getAuthentication();
- Collection<GrantedAuthority> col = auth.getAuthorities();
- 方 式二:标签库
- <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
- <sec:authentication property="name“/>
- <sec:authentication property="authorities“/>
-
方式一:Java代码 Authentication auth = SecurityContextHolder.getContext().getAuthentication(); Collection<GrantedAuthority> col = auth.getAuthorities(); 方式二:标签库 <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <sec:authentication property="name“/> <sec:authentication property="authorities“/>
- 9:在web页面进行元素安全控制
- 方式一
- <sec:authorizeifAnyGranted="ROLE_A">
- <a href="a.jsp">你可以访问a.jsp</a>
- </sec:authorize>
- <sec:authorizeifNotGranted="ROLE_A">
- 你 不可以访问a.jsp
- </sec:authorize>
- 方 式二
- <sec:authorizeurl="/a.jsp">
- <a href="a.jsp">你可以访问a.jsp</a>
- </sec:authorize>
-
方式一 <sec:authorizeifAnyGranted="ROLE_A"> <a href="a.jsp">你可以访问a.jsp</a> </sec:authorize> <sec:authorizeifNotGranted="ROLE_A"> 你不可以访问a.jsp </sec:authorize> 方式二 <sec:authorizeurl="/a.jsp"> <a href="a.jsp">你可以访问a.jsp</a> </sec:authorize>
- 10:全局方法安全控制
- <global-method-security pre-post-annotations="enabled">
- <protect-pointcut expression="execution(* com.xasxt.*Service.add*(..))" access="ROLE_A"/>
- <protect-pointcut expression="execution(* com.xasxt.*Service.delete*(..))" access="ROLE_B"/>
- </global-method-security>
- 此 处使用了AspectJ中常用的切入点表达式(百度:AspectJ execution)
-
<global-method-security pre-post-annotations="enabled"> <protect-pointcut expression="execution(* com.xasxt.*Service.add*(..))" access="ROLE_A"/> <protect-pointcut expression="execution(* com.xasxt.*Service.delete*(..))" access="ROLE_B"/> </global-method-security> 此处使用了AspectJ中常用的切入点表达式(百度:AspectJ execution)
- 11:使用注解进行方法安全控制
- public class DemoService {
- @PreAuthorize("hasRole('ROLE_A')")
- public void methodA() {
- }
- @PreAuthorize("hasAnyRole('ROLE_A, ROLE_B')")
- public void methodB() {
- }
- }
- hasRole 与hasAnyRole为SS通用内置表达式(google : spring security Common Built- In Expressions)