- 今天在配置 Spring 安全框架的时候,因为没有注意细节,导致项目多次启动失败,所以开个帖子记录以下配置,以免日后遗忘。
一、依赖的jar包
<!-- The three Spring Security modules this setup uses: config (needed for the security: XML
     namespace), core, and web. All are pinned to the same version; keep them aligned when
     the version changes. -->
<!-- NOTE(review): 5.2.0.RELEASE is an old release. Before reusing this snippet, check the
     Spring Security advisories and pin a currently maintained version. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.2.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>5.2.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>5.2.0.RELEASE</version>
</dependency>
二、security配置文件:
- 这个配置文件要被主配置文件引入
– <import resource="classpath:spring-security.xml"/>
- 或者在 web.xml 中通过全局参数 contextConfigLocation 加载该配置文件(以 Tomcat 为例)
<!-- contextConfigLocation names the Spring XML file that ContextLoaderListener loads into the
     root application context. The value must point at the real location of the security
     configuration file. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/security.xml</param-value>
</context-param>
<!-- Builds the root application context at startup from contextConfigLocation. -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- NOTE(review): this fragment only loads the security beans. Requests are filtered only if
     web.xml also registers org.springframework.web.filter.DelegatingFilterProxy under the
     filter name springSecurityFilterChain, mapped to /*. That registration is not shown in
     this fragment; confirm it exists, otherwise none of the rules below are enforced. -->
<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security namespace configuration: unprotected static resources, one form-login
     filter chain for everything else, and an authentication manager backed by the userAuth
     bean. -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">
<!-- security="none" removes the matching requests from the filter chain entirely: no
     authentication, no security headers, no SecurityContext. Order matters: these entries
     must come before the catch-all <security:http> below. -->
<!-- /*.html matches only HTML files directly under the context root (this includes the login
     page /shoplogin.html). Pages in subdirectories such as /admin/index.html are not matched
     and stay protected. Keep sensitive pages out of the root. -->
<security:http pattern="/*.html" security="none"/>
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/js/**" security="none"/>
<security:http pattern="/plugins/**" security="none"/>
<!-- NOTE(review): /seller/add.do is reachable without authentication and without any Spring
     Security filter. Presumably this is seller self-registration; all validation and abuse
     limits must then live in the handler itself. Confirm against the controller. -->
<security:http pattern="/seller/add.do" security="none"/>
<!-- use-expressions="false": the access attribute below is a plain role name, not a SpEL
     expression such as hasRole('ADMIN'). -->
<security:http use-expressions="false">
<security:headers>
<!-- Pages may be framed only by pages of the same origin (X-Frame-Options: SAMEORIGIN). -->
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
<!-- Every request that reaches this chain requires the ROLE_ADMIN authority. -->
<security:intercept-url pattern="/**" access="ROLE_ADMIN"/>
<!-- Form login: unauthenticated users are sent to /shoplogin.html. After a successful login
     the user always lands on /admin/index.html (always-use-default-target), and a failed
     login returns to the login page. -->
<security:form-login default-target-url="/admin/index.html" login-page="/shoplogin.html"
always-use-default-target="true"
authentication-failure-url="/shoplogin.html"/>
<security:logout logout-url="/logout"/>
<!-- NOTE(review): CSRF protection is switched off for the whole chain, so every
     state-changing request made with the session cookie can be triggered from another site,
     and /logout is accepted with any HTTP method. Prefer leaving CSRF enabled and having the
     pages send the token (for static HTML front ends, a cookie-based token repository is the
     usual approach). -->
<security:csrf disabled="true"/>
</security:http>
<!-- NOTE(review): NoOpPasswordEncoder compares the submitted password with the stored value
     as plain text, which means the password column holds clear-text passwords. The class is
     deprecated for that reason. Use an adaptive hash such as BCryptPasswordEncoder and
     re-encode the stored passwords before deploying this anywhere real. -->
<bean id="passwordEncoder"
class="org.springframework.security.crypto.password.NoOpPasswordEncoder"/>
<!-- Authentication is delegated to the bean named userAuth (a UserDetailsService); the
     encoder above checks the password it returns. The userAuth bean must be defined or
     component-scanned in this same application context. -->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userAuth">
<security:password-encoder ref="passwordEncoder"/>
</security:authentication-provider>
</security:authentication-manager>
</beans>
三、自定义的验证实现类
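/**
 * {@code UserDetailsService} used by the form login: looks a seller up by the submitted
 * username and exposes it to Spring Security as a {@code User}.
 */
@Component
public class UserAuth implements UserDetailsService {

    // Injected seller lookup service.
    // NOTE(review): presumably the Dubbo @Reference annotation (remote service proxy);
    // confirm against the file's imports.
    @Reference
    SellerService sellerService;

    /**
     * Resolves the seller whose id equals {@code username}.
     *
     * <p>The {@code UserDetailsService} contract forbids returning {@code null}; an unknown
     * user is reported with {@link UsernameNotFoundException} so the authentication provider
     * treats it as a normal failed login instead of an internal error.
     *
     * @param username the login name submitted by the client
     * @return details of the first seller returned by the lookup; never {@code null}
     * @throws UsernameNotFoundException if {@code username} is {@code null} or the lookup
     *     returns no seller
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        if (username == null) {
            // The message deliberately omits the submitted value so client input is not
            // echoed into logs.
            throw new UsernameNotFoundException("Seller not found");
        }

        List<Seller> sellers = sellerService.selectById(username);
        // Treat a null result the same as an empty one rather than failing with an NPE.
        if (sellers == null || sellers.isEmpty()) {
            throw new UsernameNotFoundException("Seller not found");
        }

        // Only the first match is used; the lookup is expected to be by unique id.
        Seller seller = sellers.get(0);

        // NOTE(review): every seller the lookup returns is granted ROLE_ADMIN, and nothing
        // here checks an account status (approved, disabled, locked). If the Seller model
        // carries such a state, check it here or pass the enabled/locked flags to User.
        // Confirm against the Seller model and the registration flow.
        List<GrantedAuthority> grantedAuthorities = new LinkedList<>();
        grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));

        // The stored password is compared by the PasswordEncoder configured on the
        // authentication provider, so it should hold an encoded hash, not the raw password.
        return new User(seller.getSellerId(), seller.getPassword(), grantedAuthorities);
    }
}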