# SSM整合SpringSecurity之securityConfig
web.xml
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Deployment descriptor. Only the Spring MVC front controller is declared here.
     Spring Security's filter is NOT listed in this file: it is expected to be installed
     by SecurityWebApplicationInitializer, which relies on Servlet 3.0+ container
     initializers. NOTE(review): the DOCTYPE above declares the Servlet 2.3 descriptor;
     confirm the target container still runs 3.0 initializers with such a descriptor,
     because if the initializer is skipped no security filter is installed and every
     URL is served without authentication. -->
<web-app>
<display-name>Archetype Created Web Application</display-name>
<!-- Spring MVC DispatcherServlet, configured from /WEB-INF/spring-servlet.xml and
     started eagerly (load-on-startup 2). -->
<servlet>
<servlet-name>springmvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-servlet.xml</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
<!-- Every request ("/") goes through the DispatcherServlet. -->
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>/index.html</welcome-file>
</welcome-file-list>
</web-app>
spring-servlet.xml
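<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">
    <!-- Enable static-resource access by forwarding unmatched requests to the container's default servlet -->
    <mvc:default-servlet-handler/>
    <!-- SecurityConfig must be picked up by this scan. The Java sources on this page live
         under com.jysoft.jqr (controller/dao/entity); the previous value "com.jysof.jqr"
         did not match that package, so @EnableWebSecurity would never have been processed. -->
    <context:component-scan base-package="com.jysoft.jqr"/>
</beans>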
SecurityWebApplicationInitializer.java
package com.tianshouzhi.security;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
/**
 * Installs Spring Security's servlet filter.
 *
 * Extending AbstractSecurityWebApplicationInitializer is all that is needed: the
 * superclass registers the {@code springSecurityFilterChain} filter when the
 * container starts, so nothing has to be declared in web.xml for it.
 *
 * NOTE(review): this class sits in package com.tianshouzhi.security while the rest
 * of the code on this page is under com.jysoft.jqr. It is discovered by the servlet
 * container, not by component-scan, so the mismatch is harmless, but it is worth
 * moving it alongside the other classes.
 */
public class SecurityWebApplicationInitializer
extends AbstractSecurityWebApplicationInitializer {
}
SecurityConfig.java
package com.jysoft.jqr.controller;
import com.jysoft.jqr.dao.UsersDao;
import com.jysoft.jqr.entity.WhUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import java.util.ArrayList;
import java.util.List;
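@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** DAO used to look users up by name for the database-backed login path below. */
    @Autowired
    private UsersDao usersDao;

    /**
     * Registers one in-memory user (admin / admin, role USER) that is authenticated
     * without touching the database.
     *
     * NOTE(review): this is a hard-coded credential in source; move it to
     * configuration or remove it before the application is reachable from outside.
     * Because this builder and the {@code userDetailsService} registered in
     * {@link #configure(HttpSecurity)} are both active, admin/admin AND database
     * users can log in — confirm that is intended. On Spring Security 5+ a plain
     * {@code password("admin")} is also rejected at start-up unless a
     * PasswordEncoder (or the {@code {noop}} id prefix) is configured; the page does
     * not state the version in use.
     *
     * @param auth builder the global AuthenticationManager is assembled from
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("admin").password("admin").roles("USER");
    }

    /**
     * HTTP rules: which paths are public, how login and logout behave, and which
     * UserDetailsService backs the login form.
     *
     * @param http builder for the security filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Login page and static assets are public.
                .antMatchers("/login.html").permitAll()
                .antMatchers("/jqr/assets/img/**").permitAll()
                .antMatchers("/jqr/assets/css/**").permitAll()
                .antMatchers("/jqr/assets/js/**").permitAll()
                .antMatchers("/jqr/assets/plugins/**").permitAll()
                .antMatchers("/jqr/assets/layui-v2.4.5/**").permitAll()
                // Registration endpoint and page are reachable without a session. With CSRF
                // disabled below, the .do endpoint also accepts cross-site POSTs; decide
                // whether that is acceptable for user creation.
                .antMatchers("/answer/addWhUser.do").permitAll()
                .antMatchers("/register.html").permitAll()
                // Everything else requires an authenticated session.
                .anyRequest().authenticated()
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login.html")
                .invalidateHttpSession(true)
                .and()
            // CSRF protection is on by default and is explicitly switched off here. With
            // session-based form login that leaves every state-changing endpoint (and
            // /logout, which then also accepts GET) open to cross-site requests. Re-enable
            // it once the pages submit the token; keep this line only as a documented exception.
            .csrf().disable()
            // Database-backed lookup; the actual work is in loadWhUser().
            .userDetailsService(new UserDetailsService() {
                @Override
                public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                    return loadWhUser(username);
                }
            })
            .formLogin()                            // registers UsernamePasswordAuthenticationFilter
                .loginPage("/login.html")           // login form page
                .loginProcessingUrl("/login")       // POST target of the form; default is /login
                .passwordParameter("password")      // form field carrying the password
                .usernameParameter("username")      // form field carrying the username
                .defaultSuccessUrl("/jqr/zl.html")  // landing page when no protected page was requested first
                .failureUrl("/login.html")          // where to go after a failed login
                // Not used here: successForwardUrl/failureForwardUrl,
                // successHandler/failureHandler, failureUrl("/login?error").
                .permitAll();                       // login page and processing URL are open to everyone
    }

    /**
     * Loads a user from the database and wraps it as a UserDetails carrying the single
     * authority "USER".
     *
     * The stored password is passed through unchanged, so comparison is whatever the
     * configured PasswordEncoder does (none is configured on this page); hashed storage
     * plus a matching encoder is expected. Also note that {@code roles("USER")} in
     * configureGlobal yields the authority ROLE_USER whereas this grants the bare
     * "USER"; the rules above use no hasRole() checks so it has no effect today, but
     * the two should be aligned before role-based rules are added.
     *
     * @param username name submitted on the login form
     * @return the user wrapped as a UserDetails
     * @throws UsernameNotFoundException when the DAO returns no row for the name
     *         (assumes the DAO returns null for an unknown user — confirm); the original
     *         code dereferenced the null and failed with a NullPointerException instead
     */
    private UserDetails loadWhUser(String username) {
        WhUser whUser = usersDao.getWhUserByUsername(username);
        if (whUser == null) {
            throw new UsernameNotFoundException("No user found with username: " + username);
        }
        List<GrantedAuthority> grantAuths = new ArrayList<GrantedAuthority>();
        grantAuths.add(new SimpleGrantedAuthority("USER"));
        return new WhUser(whUser.getUsername(), whUser.getPassword(), grantAuths);
    }
}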
WhUser.java
若开启从数据库查询账号密码,需自定义一个pojo实现userDetails
需要注意的是,自定义的pojo在重写userDetails的方法时,有四个方法的return false建议改成true,否则会不成功。(本人遇到的是 User account is locked) 四个方法已在代码内标出。
package com.jysoft.jqr.entity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
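/**
 * User entity that doubles as the Spring Security principal.
 *
 * The four UserDetails status flags (isAccountNonExpired, isAccountNonLocked,
 * isCredentialsNonExpired, isEnabled) must return true; returning false makes
 * authentication fail (e.g. "User account is locked").
 */
public class WhUser implements Serializable , UserDetails {
    private static final long serialVersionUID = 1L;

    private String id;
    private String username;
    private String password;
    private String phoneNumber;
    private String sex;
    private String type;
    private String create_time;
    private List<Role> roles;
    /** Authorities supplied by the UserDetailsService; not read from the database. */
    private List<GrantedAuthority> authorities;

    public WhUser() {
    }

    /**
     * Builds the principal handed to Spring Security after a database lookup.
     *
     * @param username login name
     * @param password stored password exactly as read from the database
     * @param simpleGrantedAuthority authorities exposed through getAuthorities(); the
     *        original constructor silently dropped this argument, so getAuthorities()
     *        always returned null
     */
    public WhUser(String username, String password, List<GrantedAuthority> simpleGrantedAuthority) {
        this.username = username;
        this.password = password;
        // Defensive copy so later changes to the caller's list do not alter the principal.
        this.authorities = simpleGrantedAuthority == null
                ? null
                : new ArrayList<GrantedAuthority>(simpleGrantedAuthority);
    }

    public List<Role> getRoles() {
        return roles;
    }

    public void setRoles(List<Role> roles) {
        this.roles = roles;
    }

    public String getId() {
        return id;
    }

    public void setId(String id) {
        this.id = id;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    // ---- the four UserDetails status flags: all must return true ----

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

    // ---- end of the four status flags ----

    /**
     * Authorities granted to this user.
     *
     * @return an unmodifiable view of the authorities given to the constructor, or an
     *         empty list when none were supplied (never null, so callers need no check)
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        if (authorities == null) {
            return Collections.<GrantedAuthority>emptyList();
        }
        return Collections.unmodifiableList(authorities);
    }

    public String getPhoneNumber() {
        return phoneNumber;
    }

    public void setPhoneNumber(String phoneNumber) {
        this.phoneNumber = phoneNumber;
    }

    public String getSex() {
        return sex;
    }

    public void setSex(String sex) {
        this.sex = sex;
    }

    public String getType() {
        return type;
    }

    public void setType(String type) {
        this.type = type;
    }

    public String getCreate_time() {
        return create_time;
    }

    public void setCreate_time(String create_time) {
        this.create_time = create_time;
    }

    /**
     * Diagnostic representation. The password is deliberately left out: toString()
     * is what ends up in log lines and debugger output.
     */
    @Override
    public String toString() {
        return "WhUser{" +
                "id='" + id + '\'' +
                ", username='" + username + '\'' +
                ", phoneNumber='" + phoneNumber + '\'' +
                ", sex='" + sex + '\'' +
                ", type='" + type + '\'' +
                ", create_time='" + create_time + '\'' +
                '}';
    }
}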
完成以上步骤的编写,springsecurity整合ssm其一方法应已实现。谢谢。
本人部分代码参考http://www.tianshouzhi.com/api/tutorials/spring_security_4/265,外加自己实现中遇到的问题及补充。谢谢
如需转载请注明出处。