最近对spring-security3做了一些初步了解,搜集了一些配置资料,整理如下:
1、在spring-security官网下载最新jar然后拷贝jar到项目的lib下。
2、然后在web.xml中添加配置,内容如下:
3、xml配置,配置内容如下:
j_spring_security_check : 表单登录处理地址(login-processing-url)的默认值;
j_username: 登录表单中用户名的参数名;
j_password: 登录表单中密码的参数名;
_spring_security_remember_me:“记住我”(remember-me)复选框的参数名
需了解原理请参阅security源码分析:[url]http://mengqingyu.iteye.com/blog/1477561[/url]
1、在spring-security官网下载最新jar然后拷贝jar到项目的lib下。
2、然后在web.xml中添加配置,内容如下:
<!-- Registers the Spring Security entry point in the servlet container.
     DelegatingFilterProxy holds no security logic itself: it delegates every request to the Spring bean
     whose name equals this filter-name ("springSecurityFilterChain"), which the security namespace
     configuration (<http> below in the application context) creates. The names must match exactly. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<!-- Route every request through the chain; which URLs require authentication or roles is decided by the
     intercept-url rules in the security configuration, not here. -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3、xml配置,配置内容如下:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security 3.0 namespace configuration. The security namespace is the default namespace of this
     document, the core beans namespace is bound to the "b:" prefix. -->
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- auto-config="true" enables form-login; without it the default is http-basic (no session).
     access-denied-page: the error page to redirect to when access is denied. -->
<!-- intercept-url: declares which URL patterns require which access attributes. Entries are matched in order
     and the first match wins, so specific patterns belong before general ones.
     filters="none" bypasses the whole security filter chain for that pattern (the URL is simply ignored by security). -->
<http realm="Contacts Realm" auto-config="true">
<!-- NOTE(review): granted-authority is the GrantedAuthority handed to anonymous users (namespace default is
     ROLE_ANONYMOUS). The IS_AUTHENTICATED_ANONYMOUSLY access attribute used below is decided by the
     AuthenticatedVoter from the token type, not by this name, so this value has no effect on those rules;
     confirm it is intended. -->
<anonymous granted-authority="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- Static resources skip the filter chain entirely: everything under these paths is reachable without
     authentication, so nothing sensitive may be served from them. -->
<intercept-url pattern="/favicon.ico" filters="none" />
<intercept-url pattern="/images/**" filters="none" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/sysmanage/ug/useradd/loginSys" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- NOTE(review): the <http> element builds its own access decision manager (RoleVoter with the default
     ROLE_ prefix) unless access-decision-manager-ref is set, so this ROLE_ADMINISTRATOR rule is decided by
     that default and not by the accessDecisionManager bean below (HY_ / AUTH_ prefixes). Confirm this is
     intended; if the custom manager is meant to apply here too, reference it from <http>. -->
<intercept-url pattern="/debug*" access="ROLE_ADMINISTRATOR" />
<!--
session-management controls HTTP session handling and is optional here.
concurrency-control limits the number of concurrent logins per account: by default a later login evicts the
earlier session; error-if-maximum-exceeded="true" rejects the later login instead.
session-fixation-protection: the default ("migrateSession") is what protects against session fixation, by
invalidating the session on successful login, creating a new one and copying the user's attributes into it.
Setting it to "none" DISABLES that protection, so the example below must not be enabled as written.
<session-management session-fixation-protection="none"><concurrency-control/></session-management>
-->
<!-- login-page: the login form URL. login-processing-url: the URL the form posts to.
     authentication-failure-url: redirect target after a failed login. default-target-url: redirect target after
     a successful login when no saved request exists. authentication-success-handler-ref: custom handler run on
     success (logAuthenticationSuccessHandler, defined below). -->
<form-login login-page="/login" login-processing-url="/j_spring_security_check" authentication-success-handler-ref="logAuthenticationSuccessHandler"
default-target-url="/manage" authentication-failure-url="/login?login_error=1" />
<!-- HTTP Basic is enabled in addition to form login. Basic credentials are only base64-encoded on the wire,
     so this is only acceptable over TLS. -->
<http-basic />
<!-- logout-success-url: page to redirect to after a successful logout.
     NOTE(review): the 3.0 namespace provides no CSRF protection, so logout (and the custom AJAX login/logout
     URLs below) can be triggered by a cross-site request; plan for that at the application level. -->
<logout logout-success-url="/manage" />
<!-- NOTE(review): no key attribute is set, so the remember-me token key falls back to the namespace default
     (a fixed, publicly known value in some 3.x releases). Set an explicit, secret key="..." value; verify the
     behaviour of the release in use. -->
<remember-me />
<!-- Custom filters are inserted into the standard chain relative to the named standard positions;
     each ref must resolve to one of the filter beans instantiated below. -->
<!-- Optional: custom (AJAX) logout handling. -->
<custom-filter ref="ajaxLogoutFilter" before="LOGOUT_FILTER" />
<!-- Optional: custom form authentication that answers the AJAX client with parameters. -->
<custom-filter ref="ajaxUsernamePasswordAuthenticationFilter" before="FORM_LOGIN_FILTER" />
<!-- URL authorization backed by the database metadata source; placed before the namespace's own
     FilterSecurityInterceptor, so both interceptors run for a request. -->
<custom-filter ref="dbFilterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />
</http>
<!-- Optional: logging success handler; must extend SavedRequestAwareAuthenticationSuccessHandler. -->
<b:bean id="logAuthenticationSuccessHandler" class="com.demo.security.LogAuthenticationSuccessHandler"/>
<!-- Authentication manager, a single instance for the whole application. The alias lets the custom filters
     below reference it. -->
<authentication-manager alias="authenticationManager">
<!-- userManageService is an application bean that is not defined in this file; it must implement
     UserDetailsService and override loadUserByUsername. -->
<authentication-provider user-service-ref="userManageService">
<!-- NOTE(review): MD5 is a fast, broken hash and should not be used for password storage, and the username is
     a predictable salt. Prefer a stronger algorithm (the 3.0 namespace offers hash="sha-256"; later releases
     provide adaptive encoders such as BCrypt via a password-encoder ref). Changing this requires re-hashing the
     stored passwords, so it is not a drop-in edit. -->
<password-encoder hash="md5" >
<salt-source user-property="username"/>
</password-encoder>
</authentication-provider>
</authentication-manager>
<!-- Automatically receives AuthenticationEvent messages -->
<b:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener" />
<!-- Optional: AJAX login filter. Intercepts a custom URL and authenticates the request; must extend
     UsernamePasswordAuthenticationFilter and override attemptAuthentication. -->
<b:bean id="ajaxUsernamePasswordAuthenticationFilter" class="com.demo.security.AjaxUsernamePasswordAuthenticationFilter">
<b:property name="filterProcessesUrl" value="/j_ajax_security_check"/> <!-- Custom form submission URL; must match the form action in the JSP page. -->
<b:property name="authenticationManager" ref="authenticationManager"/>
<b:property name="authenticationSuccessHandler" ref="ajaxSuccessHandler"/>
<b:property name="authenticationFailureHandler" ref="ajaxFailureHandler"/>
</b:bean>
<!-- Optional: AJAX logout filter. Intercepts a custom URL; must extend LogoutFilter and override doFilter.
     NOTE(review): this class and ajaxLogoutSuccessHandler live in com.berheley.bi.grp.security while every other
     custom class is under com.demo.security; this looks like a leftover from another project, confirm the package. -->
<b:bean id="ajaxLogoutFilter" class="com.berheley.bi.grp.security.AjaxLogoutFilter">
<b:constructor-arg ref="ajaxLogoutSuccessHandler"/>
<b:constructor-arg>
<b:list>
<b:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/><!-- Standard handler: clears the session data / security context on logout. -->
</b:list>
</b:constructor-arg>
<b:property name="filterProcessesUrl" value="/j_ajax_security_logout"/> <!-- Custom logout URL; must match the URL used in the JSP page. -->
</b:bean>
<!-- Optional: custom logout success response; must implement LogoutSuccessHandler. -->
<b:bean id="ajaxLogoutSuccessHandler" class="com.berheley.bi.grp.security.AjaxLogoutSuccessHandler"/>
<!-- Optional: custom success response; must implement AuthenticationSuccessHandler or extend SimpleUrlAuthenticationSuccessHandler. -->
<b:bean id="ajaxSuccessHandler" class="com.demo.security.AjaxAuthenticationSuccessHandler"/>
<!-- Optional: custom failure response; must implement AuthenticationFailureHandler or extend SimpleUrlAuthenticationFailureHandler. -->
<b:bean id="ajaxFailureHandler" class="com.demo.security.AjaxAuthenticationFailureHandler"/>
<!-- Maps resources (URLs) to the roles allowed to access them, read from the database through userManageService;
     must implement FilterInvocationSecurityMetadataSource or extend DefaultFilterInvocationSecurityMetadataSource. -->
<b:bean id="dbSecurityMetadataSource" class="com.demo.security.DbSecurityMetadataSource">
<b:property name="userService" ref="userManageService"/>
</b:bean>
<!-- Authorization interceptor driven by the database metadata source above. -->
<b:bean id="dbFilterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<b:property name="authenticationManager" ref="authenticationManager"/>
<b:property name="accessDecisionManager" ref="accessDecisionManager"/>
<!-- NOTE(review): objectDefinitionSource is the Spring Security 2.x property name; 3.x calls it
     securityMetadataSource. Verify the setter exists on the release in use, otherwise the context fails to start. -->
<b:property name="objectDefinitionSource" ref="dbSecurityMetadataSource"/>
<!-- false: authorization is re-evaluated every time the filter is invoked for a request (e.g. on forwards),
     not only once per request. -->
<b:property name="observeOncePerRequest" value="false"/>
<!-- false: an Authentication that is already authenticated is not sent back to the AuthenticationManager on each request. -->
<b:property name="alwaysReauthenticate" value="false"/>
</b:bean>
<!--
accessDecisionManager: the voting strategy. Spring Security (formerly Acegi) ships three implementations:
AffirmativeBased (access granted if at least one voter grants), ConsensusBased (majority of voters grant),
UnanimousBased (all voters grant).
allowIfAllAbstainDecisions: whether access is granted when every voter abstains ("nobody objected"). It is false
here, so an access attribute that no voter understands is denied rather than silently allowed.
decisionVoters: the voters consulted.
-->
<b:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<b:property name="allowIfAllAbstainDecisions" value="false"/>
<b:property name="decisionVoters">
<b:list>
<!-- Decides the IS_AUTHENTICATED_* attributes from the authentication token type; abstains on anything else. -->
<b:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
<!-- Votes only on attributes starting with rolePrefix ("HY_" here, instead of the default "ROLE_"); abstains otherwise. -->
<b:bean class="org.springframework.security.access.vote.RoleVoter">
<b:property name="rolePrefix" value="HY_"/>
</b:bean>
<!-- Custom voter extending RoleVoter; handles attributes prefixed "AUTH_". -->
<b:bean class="com.demo.security.AnyRoleVote">
<b:property name="rolePrefix" value="AUTH_"/>
</b:bean>
</b:list>
</b:property>
</b:bean>
</b:beans>
j_spring_security_check : 表单登录处理地址(login-processing-url)的默认值;
j_username: 登录表单中用户名的参数名;
j_password: 登录表单中密码的参数名;
_spring_security_remember_me:“记住我”(remember-me)复选框的参数名
需了解原理请参阅security源码分析:[url]http://mengqingyu.iteye.com/blog/1477561[/url]