<?xml version="1.0" encoding="UTF-8"?>spring-security.xml:注意配置文件的顺序问题;
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
<!-- 数据源 -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"
>
<property name="driverClassName" value="com.mysql.jdbc.Driver"></property>
<property name="url">
<value><![CDATA[jdbc:mysql:///security?characterEncoding=UTF-8]]></value>
</property>
<property name="username" value="root"></property>
<property name="password" value="123456"></property>
</bean>
<bean id="userService" class="com.lrq.service.UserService">
<property name="dataSource" ref="dataSource"></property>
</bean>
<!-- <import resource="spring-security.xml"/> -->
</beans>
3 web.xml文件;
<?xml version="1.0" encoding="UTF-8"?>
<bean:beans xmlns="http://www.springframework.org/schema/security"
xmlns:bean="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- 在运行时输出控制台信息 -->
<debug/>
<!-- 应该是打开注解支持功能 -->
<global-method-security pre-post-annotations="enabled"/>
<!-- 以下是security3.1的配置方式,如果使用了springSecurity3.1的版本,则必须要引用3.1的命名空间
以下配置对哪些页面不用过虑,优先级高于 http里面的<intercept-url/>
-->
<http pattern="***.css" security="none"/>
<http pattern="**/*.jpg" security="none"/>
<!-- 配置对登录页面不过虑 -->
<http pattern="/jsps/login.jsp" security="none"/>
<http use-expressions="true" auto-config="true" access-denied-page="/jsps/denied.jsp">
<!-- 配置登录页面 -->
<form-login login-page="/jsps/login.jsp"
default-target-url="/index.jsp"
password-parameter="j_password"
username-parameter="j_username"
authentication-failure-url="/jsps/login.jsp?error=1"
/>
<!-- 配置退出 -->
<logout logout-success-url="/index.jsp"
logout-url="/j_spring_security_logout"/>
<!-- 会自动保存cookie
cookie的名为:SPRING_SECURITY_REMEMBER_ME_COOKIE
需要在页面上提供一个<input type='checkbox' name='_spring_security_remember_me'/>复选框
-->
<custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
</http>
<!-- 定义认证管理器,默认名称为org.springframework.security.authenticationManager,可以通过alias取一个别名 -->
<authentication-manager alias="authenticationManager">
<!-- 引用自己的实现 -->
<authentication-provider user-service-ref="userService">
<!-- 引用md5 密算法,并提供一个盐值,以下使用用户名作用盐值 -->
</authentication-provider>
</authentication-manager>
<!-- 定义自己的认证过虑器 -->
<bean:bean id="myFilter" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<bean:property name="authenticationManager" ref="authenticationManager"></bean:property>
<bean:property name="accessDecisionManager">
<bean:bean class="org.springframework.security.access.vote.AffirmativeBased">
<bean:property name="decisionVoters">
<bean:list>
<bean:bean class="org.springframework.security.access.vote.RoleVoter"></bean:bean>
</bean:list>
</bean:property>
</bean:bean>
</bean:property>
<bean:property name="securityMetadataSource" ref="dbSecurityMetadataSource"></bean:property>
</bean:bean>
<!-- 定义自己的安全资源 -->
<bean:bean id="dbSecurityMetadataSource" class="com.lrq.service.DBSecurityMetadataSource " init-method="init">
<bean:property name="dataSource" ref="dataSource"></bean:property>
</bean:bean>
</bean:beans>
<?xml version="1.0" encoding="UTF-8"?>配置文件的顺序要注意文件直接的依赖关系,建议使用import方式引入;
<web-app version="2.5"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name></display-name>
<!-- 载Spring的配置文件,两个配置文件,beans.xml文件用于配置service,dao等。
而security.xml文件只用于配置安全,这 有利于分文件进行管理
-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:spring-beans.xml,
classpath:spring-security.xml
</param-value>
</context-param>
<!-- Spring的一个工具类,用于过虑字符编 -->
<filter>
<filter-name>encoding</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<filter>
<!-- 配置此bean后,必须要有一个bean也叫此名,否则启动不成功 -->
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>encoding</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 配置 载Spring配置文件的监听器,必须 -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- 配置session的监听器,用于阻止后面的session登录,合并session中的数据或是踢出前一个同名登录的session -->
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
权限管理的思路:这里的思路是在启动时加载所有的权限对应的角色,也就是说有一个角色信息合计;
当你登录的时候,根据你的用户,查出你拥有的角色相比,如果匹配,说明有权限,允许访问;
反之不允许;
注意:页面上的登录信息字段和配置文件的要一致,否则会出问题;同时注意登录表单的提交;
<script type="text/javascript" id="wumiiRelatedItems"> </script>
210
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
