Spring Security 权限:
依赖:
<!-- Spring Security
     NOTE(review): 3.1.4.RELEASE belongs to a release line that no longer receives security
     fixes. Before reusing this list, move every spring-security-* module to one currently
     maintained version and keep the modules on that same version.
     NOTE(review): the configuration on this page only uses form login, session management,
     JSR-250 method security and the JSP taglib. Modules such as acl, cas, ldap, openid and
     remoting are not referenced by anything shown here; each unused module is extra code
     that still has to be patched. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-aspects</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-crypto</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-openid</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-remoting</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
web.xml:
<!-- Filter required by Spring Security. The filter-name must stay springSecurityFilterChain:
     DelegatingFilterProxy looks up the Spring bean with that name. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring integration: load the application beans and the security configuration into the
     root application context. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:beans.xml
classpath:spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- NOTE(review): spring-security.xml enables concurrency-control with max-sessions="1".
     That feature relies on session-destroyed events, which are only published when
     org.springframework.security.web.session.HttpSessionEventPublisher is registered as a
     listener here. No such listener is shown; without it a user whose session timed out can
     still be counted as logged in and be refused a new login. -->
配置文件:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- Spring Security configuration -->
<!-- NOTE(review): security="none" removes /home.action from the filter chain entirely, so no
     SecurityContext is available while that page is rendered. This block is matched before
     the one below, which makes the permitAll rule for the same path redundant. -->
<security:http pattern="/home.action" security="none" />
<security:http auto-config="true" use-expressions="true" >
<security:intercept-url pattern="/home.action" access="permitAll"/>
<!-- NOTE(review): both /** rules below are commented out, so as written no URL requires
     authentication; /fmain.action, the default-target-url, is served to anonymous requests.
     If the rules are re-enabled, only the first matching intercept-url applies, so the
     second /** rule would never be evaluated. -->
<!-- <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')"/> -->
<!-- login-page: the login page
authentication-failure-url: page shown after a failed login
default-target-url: page shown after a successful login -->
<security:form-login login-page="/home.action" authentication-failure-url="/home.action?error"
default-target-url="/fmain.action"/>
<security:logout logout-success-url="/home.action?logout"/>
<!-- Session management: allow at most one concurrent session per user.
     migrateSession issues a new session id at login, which guards against session fixation.
     NOTE(review): concurrency control compares principals, so the UserDetails class must
     implement equals() and hashCode() on the username, and web.xml needs the
     HttpSessionEventPublisher listener; neither is shown on this page.
     NOTE(review): no session-registry-alias or session-registry-ref is declared here, while
     HomeController injects a SessionRegistry. Confirm where that bean is defined. -->
<security:session-management session-fixation-protection="migrateSession">
<security:concurrency-control max-sessions="1"/>
</security:session-management>
</security:http>
<!-- Enable JSR-250 annotations (for example @RolesAllowed) to control method-level
     permissions.
     NOTE(review): the annotations are only enforced on beans created in the same
     application context as this element; confirm that the annotated classes live there. -->
<security:global-method-security jsr250-annotations="enabled"/>
<!-- Authentication manager backed by the custom UserDetailsService bean
     customUserDetailsServiceImpl. -->
<security:authentication-manager>
<security:authentication-provider user-service-ref="customUserDetailsServiceImpl">
<!-- NOTE(review): the password-encoder reference below is commented out, so the submitted
     password is compared with the stored value as plain text. -->
<!-- <security:password-encoder ref="passwordEncoder"/> -->
</security:authentication-provider>
</security:authentication-manager>
<!-- MD5 password encoder. As written, nothing references this bean.
     NOTE(review): unsalted MD5 is not suitable for storing passwords. The
     spring-security-crypto module already listed in the dependencies provides
     org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; prefer an adaptive
     hash of that kind and re-hash existing credentials when switching. -->
<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>
</beans>
Controller:
package cn.it.controller;
import java.util.List;
import javax.annotation.Resource;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import cn.it.entity.User;
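/**
 * Serves the home page, which doubles as the login form, and the page shown after login.
 */
@Controller
public class HomeController {

    @Resource
    private SessionRegistry sessionRegistry;

    /**
     * Renders the home/login page.
     *
     * <p>The session attribute {@code "user"} is set only from the registry entry whose
     * session id equals the id of the current {@link HttpSession}. Copying the principal of
     * every registered session into the caller's session would label an anonymous visitor
     * (or a different account) with the username of whichever user was iterated last.
     *
     * @param error       present when the login attempt failed ({@code /home.action?error})
     * @param logout      present after logout ({@code /home.action?logout})
     * @param model       receives the status messages for the view
     * @param mm          receives the {@code "number"} attribute
     * @param httpSession session of the current request
     * @return the view to render
     */
    // Home page module; works together with <url-pattern>/</url-pattern> in web.xml
    @RequestMapping(value = { "/", "/home" })
    public String login(
            @RequestParam(value = "error", required = false) String error,
            @RequestParam(value = "logout", required = false) String logout,
            Model model, ModelMap mm, HttpSession httpSession) {
        String currentSessionId = httpSession.getId();
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            for (SessionInformation sessionInfo : sessionRegistry.getAllSessions(principal, false)) {
                // Skip sessions that belong to other visitors.
                if (!currentSessionId.equals(sessionInfo.getSessionId())) {
                    continue;
                }
                // The registry stores principals as Object; do not assume the type.
                Object owner = sessionInfo.getPrincipal();
                if (owner instanceof User) {
                    httpSession.setAttribute("user", ((User) owner).getUsername());
                }
            }
        }
        // NOTE(review): this hands the whole SessionRegistry (every principal and session id)
        // to the view. The attribute name suggests only a count is needed; confirm what the
        // JSP reads and pass that value instead.
        mm.put("number", sessionRegistry);
        if (error != null) {
            model.addAttribute("errorMag", "无效的用户名和密码!");
        }
        if (logout != null) {
            // NOTE(review): the text reads "logged in successfully" although this branch
            // handles the logout parameter; confirm the intended wording.
            model.addAttribute("toMsg", "你已经登录成功");
        }
        return "/index.jsp";
    }

    /**
     * Renders the page shown after a successful login (the form-login default target).
     *
     * @return the view to render
     */
    @RequestMapping(value = "/fmain")
    public String fmain() {
        return "/home/fmain.jsp";
    }
}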
customUserDetailsServiceImpl:
package cn.it.service.impl;
import javax.annotation.Resource;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import cn.it.dao.UserDao;
import cn.it.entity.User;
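/**
 * Custom service that loads users from the database through {@link UserDao}. Storing
 * accounts and roles in the database requires an implementation of
 * {@link UserDetailsService}; the security configuration refers to this bean through
 * {@code user-service-ref="customUserDetailsServiceImpl"}.
 *
 * @author liukai
 */
@Service
public class CustomUserDetailsServiceImpl implements UserDetailsService {

    @Resource
    private UserDao userDao;

    /**
     * Looks up the account with the given username.
     *
     * @param arg0 the username submitted at login
     * @return the matching user, never {@code null}
     * @throws UsernameNotFoundException if the DAO returns no user for {@code arg0}
     */
    @Override
    public UserDetails loadUserByUsername(String arg0)
            throws UsernameNotFoundException {
        User user = this.userDao.getName(arg0);
        // The UserDetailsService contract forbids returning null: an unknown username must
        // be reported with UsernameNotFoundException so the provider rejects the login as a
        // normal authentication failure.
        if (user == null) {
            throw new UsernameNotFoundException("User not found");
        }
        return user;
    }
}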
User:
/**
 * Account entity that also serves as the Spring Security principal. Only the
 * {@link UserDetails} methods visible in this excerpt are listed; {@code role} is read here
 * but declared in a part of the class that is not shown.
 */
public class User implements Serializable, UserDetails {

    /**
     * Returns the single authority built from this user's {@code role} value.
     *
     * @return a new list holding one {@link SimpleGrantedAuthority}
     */
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> granted = new ArrayList<GrantedAuthority>();
        granted.add(new SimpleGrantedAuthority(role));
        return granted;
    }

    // NOTE(review): the four status flags below are hard-coded to true, so expiry, lockout,
    // credential expiry and disabling can never reject a login for this class.

    /** Whether the account has not expired. */
    public boolean isAccountNonExpired() {
        return true;
    }

    /** Whether the account is not locked. */
    public boolean isAccountNonLocked() {
        return true;
    }

    /** Whether the credentials have not expired. */
    public boolean isCredentialsNonExpired() {
        return true;
    }

    /** Whether the account is enabled. */
    public boolean isEnabled() {
        return true;
    }
}
Jsp:
<%-- Login form. The action j_spring_security_check and the field names j_username and
     j_password are the Spring Security 3.x form-login defaults.
     NOTE(review): the autoLogin checkbox is not wired to anything shown on this page: the
     security configuration declares no remember-me element, and the field name is not the
     default remember-me parameter, so ticking it has no effect as written.
     NOTE(review): the form carries no CSRF token. Spring Security 3.1 has no built-in CSRF
     protection; after moving to a version that has it, the token field must be added here.
     NOTE(review): the forgotten-password link points to an external host over plain http,
     which looks like a leftover from the page template; confirm the target. --%>
<form id="loginForm" class="nc-login-form" action="j_spring_security_check" method="post">
<dl>
<dt>账 号:</dt>
<dd>
<input type="text" class="text" name="j_username" autocomplete="off" placeholder="手机号/会员名/邮箱">
</dd>
</dl>
<dl>
<dt>密 码:</dt>
<dd>
<input type="password" class="text" name="j_password" placeholder="输入账户密码" autocomplete="off"/>
</dd>
</dl>
<div class="handle-div"> <span class="auto">
<input type="checkbox" value="1" class="checkbox" id="autoLogin" name="autoLogin">
七天自动登录<em style="display: none;">请勿在公用电脑上使用</em> </span><a href="http://java.shopnctest.com/web/findpwd" class="forget">忘记密码</a></div>
<div class="submit-div">
<button class="submit" id="loginSubmit">登录</button>
</div>
</form>
方法上面设置权限:
@RolesAllowed("ROLE_USER")
控制页面元素:
①导入标签
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>
②控制元素
<sec:authorize access="hasRole('ROLE_USER')">
//这里是要控制的元素,括起来之后只有拥有ROLE_USER权限的人登录后才能看到
//注意:标签只是隐藏页面元素,对应的URL或方法仍需通过intercept-url或@RolesAllowed在服务端限制访问
</sec:authorize>