SpringSecurity安全框架
apache shiro阿帕奇的安全框架
用户发送请求
执行loadUserByUsername(String username)
通过username获取SysUser对象
包装了UserDeatils对象new User(username,password,‘Rold’)
返回UserDeatils, ProviderManager类–>对用户进行验证
验证成功–;进入上一次请求
验证失败–错误页面
###1.添加依赖
<properties>
<spring.security.version>5.0.1.RELEASE</spring.security.version>
</properties>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring.security.version}</version>
</dependency>
###2.配置spring-security.xml
创建spring-security.xml配置文件,配置认证【以后交给CAS】和授权信息
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!--配置不拦截的资源-->
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/plugins/**" security="none"/>
<security:http pattern="/login.jsp" security="none"/>
<security:http pattern="/failer.jsp" security="none"/>
<!--
配置拦截的规则
auto-config="使用自带的页面"
use-expressions="是否使用spel表达式。使用;hasRole('ROLE_USER')"
-->
<security:http auto-config="false" use-expressions="false">
<!--配置拦截的请求地址,任何请求地址都必须有'ROLE_USER'的权限-->
<security:intercept-url pattern="/**" access="ROLE_USER"/>
<!--
指定登录的页面
login-page: 登录页面
login-processing-url:登录请求处理路径, 必须指定表单的路径是login 才可以使用security做验证
default-target-url: 验证成功后的页面
如果安全框架记录你的上一次请求,则登录成功后会自动进入
authentication-failure-url:认证失败后的页面
-->
<security:form-login login-page="/login.jsp"
login-processing-url="/login"
default-target-url="/index.jsp"
authentication-failure-url="/failer.jsp"> </security:form-login>
<!-- 关闭跨域请求伪造 -->
<security:csrf disabled="true"/>
<!-- 退出: 当请求路径为logout的时候 为退出登录 -->
<security:logout invalidate-session="true"
logout-url="/logout" logout-success-url="/login.jsp">
</security:logout>
</security:http>
<!--配置认证信息-->
<security:authentication-manger>
<!--用户对象提供者,从数据库查询-->
<security:authentication-provider user-service-ref="userService">
<!--<security:user-service>-->
<!--<!–name: 账号-->
<!--password: 密码-->
<!--authorities: 认证角色 , ROLE_USER :要想登录,必须有一个用户角色才可以-->
<!--{noop}:不使用加密方式-->
<!--–>-->
<!--<security:user name="admin" password="{noop}admin" authorities="ROLE_USER"/>-->
<!--</security:user-service>-->
</security:authentication-provider>
</security:authentication-manger>
</beans>
###修改web.xml
<!--引入配置文件spring-security.xml-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:spring-security.xml</param-value>
</context-param>
<!--springsecurity委派过滤器-->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--加载springsecurity容器-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/spring-security.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- springsecutiry拦截器,拦截所有请求 -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>