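1. Create a web project and import all the required libraries; I won't go into detail on this step.
2. Configure web.xml so that the application context is loaded through Spring's mechanism: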
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
        http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:applicationContext*.xml</param-value>
    </context-param>
    <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <welcome-file-list>
        <welcome-file>login.jsp</welcome-file>
    </welcome-file-list>
</web-app>
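I trust everyone is already familiar with the contents of this file, so I won't say more about it.
3. Now look at the applicationContext-security.xml configuration file, which holds all of the Spring Security configuration: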
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    <!-- Declaring the element as <http auto-config="true" use-expressions="true"> allows SpEL expressions in the access attribute -->
    <!-- When access is denied, the user is sent to 403.jsp -->
    <http access-denied-page="/403.jsp">
        <!-- Set which role is required to access which URL -->
        <intercept-url pattern="/login.jsp" filters="none" />
        <!-- Accessing any page requires the user to hold "role_admin" or "admin"; uses a SpEL expression -->
        <!-- <intercept-url pattern="/**" access="hasAnyRole('role_admin','admin')" /> -->
        <!-- Accessing any page requires the user to hold "role_admin" -->
        <!-- <intercept-url pattern="/**" access="role_admin" /> -->
        <!-- Force requests to use https -->
        <!-- <intercept-url pattern="/**" requires-channel="https" /> -->
        <!-- login-page: the login page; authentication-failure-url: on authentication failure, go back to the login page -->
        <form-login login-page="/login.jsp"
            authentication-failure-url="/login.jsp?error=true"
            default-target-url="/index.jsp" />
        <!-- On logout, redirect to the login page -->
        <logout logout-success-url="/login.jsp" />
        <http-basic />
        <!-- Add a filter. This differs from Acegi: the default filters can no longer be modified. This filter sits before FILTER_SECURITY_INTERCEPTOR -->
        <custom-filter before="FILTER_SECURITY_INTERCEPTOR"
            ref="myFilter" />
    </http>
</beans:beans>
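Protecting view-level elements
Getting the user's roles and authorities
Enabling remember-me
Protecting method invocations with annotations
1: @Secured()
2: The @RolesAllowed() annotation
3: Configuring method security with SpEL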
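The three method-level options listed above, side by side, as an added example that is not from the original post. The package, the AccountService interface, its methods and the role names ROLE_ADMIN and ROLE_AUDITOR are hypothetical; the annotations only take effect once they are enabled in applicationContext-security.xml, as shown in the leading comment.

```java
package example; // hypothetical package

import java.util.List;

import javax.annotation.security.RolesAllowed;

import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;

/*
 * Enable the annotations in applicationContext-security.xml, where the
 * security namespace is the default one:
 *
 *   <global-method-security secured-annotations="enabled"
 *                           jsr250-annotations="enabled"
 *                           pre-post-annotations="enabled" />
 *
 * The implementation must be a Spring bean in the same application context:
 * the checks run in the proxy that Spring wraps around the bean, so calls
 * made on an object created with "new" are not protected.
 */
public interface AccountService { // hypothetical service

    // 1: Spring Security's own annotation. The caller needs at least one
    //    of the listed authorities.
    @Secured({"ROLE_ADMIN", "ROLE_AUDITOR"})
    List<String> listAccounts();

    // 2: The JSR-250 annotation, checked the same way but portable to
    //    other containers that understand javax.annotation.security.
    @RolesAllowed("ROLE_ADMIN")
    void deleteAccount(String accountId);

    // 3: SpEL. isFullyAuthenticated() is false for a session restored from
    //    a remember-me cookie, so this sensitive call requires a real login
    //    in addition to the role.
    @PreAuthorize("hasRole('ROLE_ADMIN') and isFullyAuthenticated()")
    void changeOwner(String accountId, String newOwner);
}
```

An unauthorized call to any of these methods fails with an AccessDeniedException before the method body runs.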