First: see the Spring official website.
Introduction
Brief introduction: Spring Security is a framework that provides security authentication services; it mainly covers two operations:
- Authentication
- Authorization
Quick start
- First, add the dependencies
<dependencies>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.0.1.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.0.1.RELEASE</version>
    </dependency>
</dependencies>
- Then, in web.xml, configure the ServletContext listener that reads the security configuration file, and the filter springSecurityFilterChain (the name must be exactly this); the class behind it is DelegatingFilterProxy.
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring-security.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
- Configure Spring Security: create spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
    <!-- With auto-config set, the following do not need to be configured separately:
         <security:form-login /> defines the login form
         <security:http-basic />
         <security:logout /> -->
    <security:http auto-config="true" use-expressions="false">
        <!-- intercept-url defines one filter rule. pattern says which URLs are access-controlled;
             the access attribute says which authority is required to request a matching URL.
             In the default configuration it is a comma-separated list of roles, and the requesting
             user needs only one of those roles to access the URL. -->
        <security:intercept-url pattern="/**" access="ROLE_USER" />
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <!-- Create two users in memory and assign them roles -->
            <security:user-service>
                <security:user name="user" password="{noop}user" authorities="ROLE_USER" />
                <security:user name="admin" password="{noop}admin" authorities="ROLE_ADMIN" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
Start the server and open the application: a login page appears. It is provided by Spring Security when http auto-config="true" is configured.
You can log in with the users defined in the configuration file.
Logging in as user redirects automatically to index.jsp.
Logging in as admin returns 403 because of insufficient permissions: admin holds only ROLE_ADMIN, while the /** rule requires ROLE_USER.
Next, configure the file so that the framework's built-in login page is not used and the user is redirected to your own page instead.
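To make the role check concrete, here is an added Python illustration (not Spring Security's own code) that emulates how intercept-url rules with use-expressions="false" are evaluated: rules are checked in declaration order, the first pattern that matches the request path decides, and the user needs any one of the comma-separated roles. The rule list and the two users are constructed to mirror the configuration above; decide() also accepts longer rule lists, which shows why a narrower /admin/** rule has to be declared before /**.

```python
"""Emulate Spring Security's <security:intercept-url> evaluation with
use-expressions="false": first matching pattern wins, and the access
attribute is a comma-separated role list of which one role suffices.

Added illustration, not Spring Security's own code. Rules and users below
are constructed to mirror the quick-start spring-security.xml."""
import re
from typing import List, Optional, Sequence, Tuple

# (pattern, access) pairs in the order they appear inside <security:http>
Rule = Tuple[str, str]


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex.

    '/**' matches zero or more further path segments, '*' matches within one
    segment and '?' matches one character. Only these wildcards are handled,
    which covers the patterns used in the configuration on this page."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def decide(rules: Sequence[Rule], path: str,
           authorities: Sequence[str]) -> Optional[int]:
    """Outcome for an already authenticated user: None means the request is
    allowed, 403 means the first matching rule's roles do not intersect the
    user's authorities. A path no rule matches is not protected at all."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            required = {r.strip() for r in access.split(",") if r.strip()}
            return None if required & set(authorities) else 403
    return None


# Constructed from the first spring-security.xml above
RULES: List[Rule] = [("/**", "ROLE_USER")]
USERS = {"user": ["ROLE_USER"], "admin": ["ROLE_ADMIN"]}


def outcome_for(username: str, path: str = "/index.jsp") -> Optional[int]:
    """What the page describes: user reaches index.jsp, admin gets 403."""
    return decide(RULES, path, USERS[username])


if __name__ == "__main__":
    for name in USERS:
        print(f"{name}: {outcome_for(name) or 'allowed'}")
    # Beyond the page's config: declaration order matters, first match wins.
    ordered = [("/admin/**", "ROLE_ADMIN"), ("/**", "ROLE_USER,ROLE_ADMIN")]
    print("user -> /admin/panel:", decide(ordered, "/admin/panel", ["ROLE_USER"]))
```

If the /** rule were listed first, it would swallow /admin/panel and a user holding only ROLE_USER would be let through, so keep the most specific intercept-url patterns at the top.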
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Resources that bypass the filter chain (static resources and login-related pages are not access-controlled) -->
<security:http security="none" pattern="/login.html" />
<security:http security="none" pattern="/failer.html" />
<security:http auto-config="true" use-expressions="false" >
<!-- Every path requires the ROLE_USER authority -->
<security:intercept-url pattern="/**" access="ROLE_USER" />
<!-- Custom login page. login-page: the custom login page
authentication-failure-url: the page the user is sent to only after the credential check fails;
if the user does not exist in the database there is no redirect to this page.
default-target-url: the page to go to after a successful login.
Note: the name attributes of the login form fields
username-parameter: the username field, username
password-parameter: the password field, password
login-processing-url: the form action, login -->
<security:form-login login-page="/login.html"
login-processing-url="/login" username-parameter="username"
password-parameter="password" authentication-failure-url="/failer.html"
default-target-url="/success.html"
/>
<!-- Logout. invalidate-session: whether to invalidate the session; logout-url: the logout processing URL; logout-success-url: the page shown after a successful logout
Note: to log out, it is enough to link to logout; that logs out the current user -->
<security:logout invalidate-session="true" logout-url="/logout"
logout-success-url="/login.jsp" />
<!-- Disable CSRF (cross-site request forgery) protection; it is enabled by default -->
<security:csrf disabled="true" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="user" password="{noop}user"
authorities="ROLE_USER" />
<security:user name="admin" password="{noop}admin"
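The quick-start steps (the web.xml filter registration) and the custom-login configuration above are easy to get subtly wrong, so here is an added Python checker, not Spring Security's own code, that audits a web.xml and spring-security.xml pair for the points this page depends on: the DelegatingFilterProxy registered under the exact name springSecurityFilterChain and mapped to /*, the login and failure pages excluded with security="none" (otherwise the redirect to the login page loops), the logout target, CSRF protection turned off, and {noop} plaintext passwords. The two documents embedded below are constructed, condensed copies of the configuration on this page so that the script runs offline; pass real file contents to audit() to check a project.

```python
"""Static checks over a web.xml + spring-security.xml pair.

Added illustration, not Spring Security's own code. WEB_XML and SECURITY_XML
are constructed, condensed copies of the configuration on this page."""
import xml.etree.ElementTree as ET
from typing import Dict, List

SEC = "{http://www.springframework.org/schema/security}"
PROXY = "org.springframework.web.filter.DelegatingFilterProxy"

WEB_XML = """<web-app>
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

SECURITY_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http security="none" pattern="/login.html" />
  <security:http security="none" pattern="/failer.html" />
  <security:http auto-config="true" use-expressions="false">
    <security:intercept-url pattern="/**" access="ROLE_USER" />
    <security:form-login login-page="/login.html" login-processing-url="/login"
        username-parameter="username" password-parameter="password"
        authentication-failure-url="/failer.html" default-target-url="/success.html" />
    <security:logout invalidate-session="true" logout-url="/logout"
        logout-success-url="/login.jsp" />
    <security:csrf disabled="true" />
  </security:http>
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="user" password="{noop}user" authorities="ROLE_USER" />
        <security:user name="admin" password="{noop}admin" authorities="ROLE_ADMIN" />
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>"""


def audit(web_xml: str, security_xml: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # 1. web.xml: DelegatingFilterProxy must be registered under the exact
    #    name springSecurityFilterChain and mapped to every request (/*).
    web = ET.fromstring(web_xml)
    filters: Dict[str, str] = {f.findtext("filter-name"): f.findtext("filter-class")
                               for f in web.iter("filter")}
    if filters.get("springSecurityFilterChain") != PROXY:
        findings.append("web.xml: no DelegatingFilterProxy filter named springSecurityFilterChain")
    mappings = {m.findtext("url-pattern") for m in web.iter("filter-mapping")
                if m.findtext("filter-name") == "springSecurityFilterChain"}
    if "/*" not in mappings:
        findings.append("web.xml: springSecurityFilterChain is not mapped to /*")

    # 2. spring-security.xml: collect the paths that bypass the filter chain.
    sec = ET.fromstring(security_xml)
    https = sec.findall(SEC + "http")
    unsecured = {h.get("pattern") for h in https if h.get("security") == "none"}

    for http in https:
        if http.get("security") == "none":
            continue
        # Login and failure pages must be reachable anonymously, or the
        # redirect to login-page is itself intercepted and loops.
        login = http.find(SEC + "form-login")
        if login is not None:
            for attr in ("login-page", "authentication-failure-url"):
                page = login.get(attr)
                if page and page not in unsecured:
                    findings.append(f'{attr}={page} is not excluded with security="none"')
        # The logout target is hit with a fresh, unauthenticated session.
        logout = http.find(SEC + "logout")
        if logout is not None:
            target = logout.get("logout-success-url")
            if target and target not in unsecured:
                findings.append(f'logout-success-url={target} is not excluded with security="none"')
        # CSRF protection switched off.
        csrf = http.find(SEC + "csrf")
        if csrf is not None and csrf.get("disabled") == "true":
            findings.append("csrf protection is disabled")

    # 3. In-memory users stored with the {noop} (plaintext) password encoder.
    for user in sec.iter(SEC + "user"):
        if (user.get("password") or "").startswith("{noop}"):
            findings.append(f"user {user.get('name')} has a {{noop}} (plaintext) password")
    return findings


if __name__ == "__main__":
    for line in audit(WEB_XML, SECURITY_XML):
        print("-", line)
```

Run against the page's configuration it reports four findings: the logout target /login.jsp is not excluded, CSRF protection is disabled, and both in-memory users use {noop}. Removing the csrf element, or replacing {noop} with a real encoder such as {bcrypt}, makes the corresponding findings disappear.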