框架是什么,它给你封装了一系列的配置,你按照它的规则按需配置就完事了,就能实现你想要的功能了
查询状态为0的商家,传0就行,springmvc会数据绑定,但是权限角色的增删改查是后端穿过来,前端通过EL表达式进行判断
新建maven项目,我的pom配置文件如下:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.lmj</groupId>
<artifactId>spring-security</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>war</packaging>
<name>spring-security Maven Webapp</name>
<!-- FIXME change it to the project's website -->
<url>http://www.example.com</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.7</maven.compiler.source>
<maven.compiler.target>1.7</maven.compiler.target>
<!-- spring版本号 -->
<spring-security.version>4.2.3.RELEASE</spring-security.version>
<spring.version>4.0.2.RELEASE</spring.version>
<!-- mybatis版本号 -->
<mybatis.version>3.2.6</mybatis.version>
<!-- log4j日志文件管理包版本 -->
<slf4j.version>1.7.7</slf4j.version>
<log4j.version>1.2.17</log4j.version>
</properties>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
<!--spring security -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring-security.version}</version>
</dependency>
<!-- 导入java ee jar 包 -->
<dependency>
<groupId>javax</groupId>
<artifactId>javaee-api</artifactId>
<version>7.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/commons-logging/commons-logging -->
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
</dependency>
</dependencies>
<build>
<finalName>spring-security</finalName>
<pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
<plugins>
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<version>3.0.0</version>
</plugin>
<!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.7.0</version>
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.20.1</version>
</plugin>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>3.2.0</version>
</plugin>
<plugin>
<artifactId>maven-install-plugin</artifactId>
<version>2.5.2</version>
</plugin>
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>2.8.2</version>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>
web.xml中配置security:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>Archetype Created Web Application</display-name>
<!-- 加载springsecurity的配置文件,,,,一个配置文件->-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring-security.xml </param-value>
</context-param>
<!-- 位于spring-web包下的环境监听器,,,,一个监听器->-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- 添加spring security的过滤器,过滤所有资源,这是过滤器代理类,将请求转到security的类,这是过滤器的入口-->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
webapp下创建index.jsp:
<html>
<body>
<h2>Hello World!</h2>
</body>
</html>
webapp下,自定义登陆页面:login.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>登陆</title>
</head>
<body>
<form action="/login" method="post">
用户:<input name="username">
密码:<input name="password">
<button type="submit">登陆</button>
</form>
</body>
</html>
webapp下验证失败页面fail.html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
验证失败
</body>
</html>
下面就是最闪耀的spring-security.xml的配置:(在resources下配置)
<?xml version="1.0" encoding="UTF-8"?>
<!--doubo有doubo的前缀,doker有doker前缀,security有security的前缀,beans,spring的前缀也是beans,不过默认省略了,给他配置前缀,不带前缀都是security的配置-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- 相当于WebSecurityConfigurerAdapter中对应的方法. -->
<!-- anto-config 为true将启用自动注册登录表单,基本身份验证,注销的URL,注销服务 -->
<!-- protected void configure(HttpSecurity http) 用于配置路径以及全选. -->
<!-- 页面拦截规则,pattern匹配路径/*不包括根目录,/**指所有,access角色名称,必须大写ROLE_开头这种格式,必须拥有role_user才有权限访问/*的资源
不配user-expression,,不启用spel表达式,则就要写成access="hasRole('ROLE_USER')",默认<http use-expressions="true">,则要写成hasRole('ROLE_USER')
还能匹配ip-->
<!--该页面不登陆也能访问,配置允许授权的页面-->
<http pattern="/login.html" security="none"/>
<http pattern="/fail.html" security="none"/>
<http use-expressions="false">
<!-- 拦截所有的url access 调用一个函数, true为通过,false为拒绝. 这里是要求有ROLE_USER角色 -->
<intercept-url pattern="/**" access="ROLE_USER" />
<!-- 开启表单登陆-->
<!-- 自定义表单登陆的页面,成功跳转后的页面,,将资源地址从/**里面排除掉-->
<form-login login-page="/login.html" default-target-url="/index.jsp" authentication-failure-url="/fail.html"/>
<!-- 头页面要jsp,他能带x-xsfr,,存在跨域,跨站访问,进学校要带牌,证明你是学校的人,防止csrf攻击,html没有x-xsfr,故要关闭小红牌验证机制-->
<csrf disabled="true"/>
</http>
<!-- 相当于 protected void configure(AuthenticationManagerBuilder auth) 主要配置使用什么来进行连接.
认证管理器,authentication-provider认证的提供者,认证什么,提供什么-->
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<!-- 使用内存用户存储提供认证,这里先提前配置了一个系统的权限用户,权限为user的角色
配置当前系统的用户,authorities角色身份-->
<user authorities="ROLE_USER" name="abc" password="abc" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
浏览器运行即可