Hello Spring Security Java Config
使用配置类的方式使用SpringSecurity
pom文件的导入
<dependencies>
<!-- ... other dependency elements ... -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.12.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.12.RELEASE</version>
</dependency>
</dependencies>
编写springSecuity的配置文件
src/main/java/org/springframework/security/samples/config/SecurityConfig.java
package org.springframework.security.samples.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.*;
//说明,不使用@EnableWebSecurity不生效
@EnableWebSecurity
public class SecurityConfig {
//AuthenticationManagerBuilder重要的类
//方法名你可以随意改。
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
}
springSecutiy配置,
1.要求对每个请求都进行验证
2.它与以下Servlet API集成
https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()
https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()
https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)
https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)
https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()
注册Spring Security到web中
创建文件注册
src/main/java/org/springframework/security/samples/config/SecurityWebApplicationInitializer.java
package org.springframework.security.samples.config;
import org.springframework.security.web.context.*;
//定义一个类去继承AbstractSecurityWebApplicationInitializer
//如果已使用spring去管理,就需要继承AbstractContextLoaderInitializer或AbstractDispatcherServletInitializer
public class SecurityWebApplicationInitializer
extends AbstractSecurityWebApplicationInitializer {
//无参构造器调用父类的构造器
public SecurityWebApplicationInitializer() {
super(SecurityConfig.class);
}
}
注册后它会完成一下操作
1. 为应用程序中的每个URL自动注册springSecurityFilterChain过滤器
2.添加一个ContextLoaderListener来加载SecurityConfig。
spring的初始化配置文件是用ContextLoaderListener来加载配置自己的配置文件
注意:
1.因为我们还没有使用Spring,所以这是一个添加SecurityConfig的简单方法。
2.如果我们已经在使用Spring,那么我们应该添加SecurityConfig并重置Spring配置(即AbstractContextLoaderInitializer或AbstractDispatcherServletInitializer的子类),并使用默认构造函数。
使用SpringBoot结合SpringSecurity
引入依赖
<dependencies>
<!-- ... other dependency elements ... -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.12.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.12.RELEASE</version>
</dependency>
//引入这个依赖是因为使用thymeleaf模板引擎
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
<version>2.1.2.RELEASE</version>
</dependency>
</dependencies>
定义配置类
src/main/java/org/springframework/security/samples/config/SecurityConfig.java
package org.springframework.security.samples.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity(必须的)或者可以使用@EnableGlobalMethodSecurity, or @EnableGlobalAuthentication
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//继承WebSecurityConfigurerAdapter重写它的configure方法
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/css/**", "/index").permitAll() //与/css/**和/index匹配的请求是完全可访问的
//与/user/**匹配的请求要求对用户进行身份验证,并且必须与用户角色关联
.antMatchers("/user/**").hasRole("USER")
.and()
.formLogin()
.loginPage("/login").failureUrl("/login-error"); //使用自定义登录页面和失败url启用基于表单的身份验证
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
}
Spring Security Xml Config
依赖引入
<dependencies>
<!-- ... other dependency elements ... -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.12.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.12.RELEASE</version>
</dependency>
</dependencies>
编写配置文件
src/main/webapp/WEB-INF/spring/security.xml
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">
<http />
<user-service>
<user name="user" password="password" authorities="ROLE_USER" />
</user-service>
</b:beans>
配置web.xml文件
src/main/webapp/WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
https://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<!--
- Location of the XML file that defines the root application context
- Applied by ContextLoaderListener.
-->
<context-param>
//指定配置文件加载位置
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/*.xml
</param-value>
</context-param>
//定义过滤器
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
- Loads the root application context of this web app at startup.
- The application context is then available via
- WebApplicationContextUtils.getWebApplicationContext(servletContext).
-->
//使用spring 的监听器加载配置文件
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
</web-app>