springsecurity入门教程
1. springsecurity介绍
Spring 是一个非常流行和成功的 Java 应用开发框架。Spring Security 基于 Spring 框架,提供了一套 Web 应用安全性的完整解决方案。Web 应用的安全性包括用户认证(Authentication)和用户授权(Authorization)两个部分。
2. springsecurity入门
2.1 创建一个maven工程(war)
2.1.1 导入pom依赖
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>cn.hqlearn</groupId>
<artifactId>springsecurity_demo01</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>war</packaging>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
</properties>
<dependencies>
<!-- 添加Spring支持 -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jms</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjrt</artifactId>
<version>1.8.6</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.8.6</version>
</dependency>
<!-- 添加Servlet支持 -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>javax.servlet.jsp-api</artifactId>
<version>2.3.1</version>
</dependency>
<!-- 添加jtl支持 -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<!--json相关依赖-->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.7.5</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>2.7.5</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-annotations</artifactId>
<version>2.7.5</version>
</dependency>
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-core-asl</artifactId>
<version>1.9.4</version>
</dependency>
<!--springsecurity相关依赖-->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<!--mysql-->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.13</version>
</dependency>
<!--数据库连接池-->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.12</version>
</dependency>
</dependencies>
</project>
2.1.2 web.xml配置
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<!-- 在Spring框架中是如何解决从页面传来的字符串的编码问题的呢?
下面我们来看看Spring框架给我们提供过滤器CharacterEncodingFilter
这个过滤器就是针对于每次浏览器请求进行过滤的,然后再其之上添加了父类没有的功能即处理字符编码。
其中encoding用来设置编码格式,forceEncoding用来设置是否理会 request.getCharacterEncoding()方法,设置为true则强制覆盖之前的编码格式。-->
<filter>
<filter-name>characterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>characterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--springsecurity过滤器,做资源权限的拦截和验证-->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--使用Spring MVC,配置DispatcherServlet是第一步。DispatcherServlet是一个Servlet,,所以可以配置多个DispatcherServlet-->
<!--DispatcherServlet是前置控制器,配置在web.xml文件中的。拦截匹配的请求,Servlet拦截匹配规则要自已定义,把拦截下来的请求,依据某某规则分发到目标Controller(我们写的Action)来处理。-->
<servlet>
<servlet-name>DispatcherServlet
</servlet-name><!--在DispatcherServlet的初始化过程中,框架会在web应用的 WEB-INF文件夹下寻找名为[servlet-name]-servlet.xml 的配置文件,生成文件中定义的bean。-->
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<!--指明了配置文件的文件名,不使用默认配置文件名,而使用dispatcher-servlet.xml配置文件。-->
<init-param>
<param-name>contextConfigLocation</param-name>
<!--其中<param-value>**.xml</param-value> 这里可以使用多种写法-->
<!--1、不写,使用默认值:/WEB-INF/<servlet-name>-servlet.xml-->
<!--2、<param-value>/WEB-INF/classes/dispatcher-servlet.xml</param-value>-->
<!--3、<param-value>classpath*:dispatcher-servlet.xml</param-value>-->
<!--4、多个值用逗号分隔-->
<param-value>classpath:spring/springmvc.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup><!--是启动顺序,让这个Servlet随Servletp容器一起启动。-->
</servlet>
<servlet-mapping>
<!--这个Servlet的名字是dispatcher,可以有多个DispatcherServlet,是通过名字来区分的。每一个DispatcherServlet有自己的WebApplicationContext上下文对象。同时保存的ServletContext中和Request对象中.-->
<!--ApplicationContext是Spring的核心,Context我们通常解释为上下文环境,我想用“容器”来表述它更容易理解一些,ApplicationContext则是“应用的容器”了:P,Spring把Bean放在这个容器中,在需要的时候,用getBean方法取出-->
<servlet-name>DispatcherServlet</servlet-name>
<!--Servlet拦截匹配规则可以自已定义,当映射为@RequestMapping("/user/add")时,为例,拦截哪种URL合适?-->
<!--1、拦截*.do、*.htm, 例如:/user/add.do,这是最传统的方式,最简单也最实用。不会导致静态文件(jpg,js,css)被拦截。-->
<!--2、拦截/,例如:/user/add,可以实现现在很流行的REST风格。很多互联网类型的应用很喜欢这种风格的URL。弊端:会导致静态文件(jpg,js,css)被拦截后不能正常显示。 -->
<url-pattern>*.shtml</url-pattern> <!--会拦截URL中带“/”的请求。-->
</servlet-mapping>
<welcome-file-list><!--指定欢迎页面-->
<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
2.1.3 加入springmvc配置
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- 自动扫描的包名 -->
<context:component-scan base-package="cn.hqlearn.controller" />
<!-- 默认的注解映射的支持 -->
<mvc:annotation-driven />
<!-- 视图解释类 -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/view/"/>
<property name="suffix" value=".jsp"/>
</bean>
<!--引入SpringSecurity配置文件-->
<import resource="spring-security.xml" />
</beans>
2.1.4 加入springsecurity配置
<?xml version="1.0" encoding="UTF-8" ?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<!--取消对应请求路劲的安全策略-->
<http pattern="/images/**" security="none"/>
<http pattern="/login.shtml" security="none"/>
<http pattern="/login/fail.shtml" security="none"/>
<http pattern="/register.shtml" security="none"/>
<!--
auto-config : 表示引入了SpringSecurity相关的过滤器
use-expressions : 是否使用SpEl表达式
-->
<http auto-config="true" use-expressions="false">
<!--所有请求都需要ROLE_ADMIN权限-->
<intercept-url pattern="/**" access="ROLE_ADMIN"/>
<!--<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>-->
<!--自定义登录界面-->
<form-login login-page="/login.shtml"
default-target-url="/admin/user/list.shtml"
authentication-failure-url="/login/fail.shtml"
always-use-default-target="true"
username-parameter="username1"
password-parameter="password1"/>
<!--关闭CSRF攻击功能-->
<csrf disabled="true"/>
<!--登出成功配置-->
<logout logout-success-url="/images/1.png"/>
</http>
<!--授权认证管理器-->
<authentication-manager>
<authentication-provider user-service-ref="userDetailsServiceImpl">
<!--硬编码方式创建用户并授权-->
<!-- <user-service>
<user name="zzhua" authorities="ROLE_ADMIN" password="123456" disabled="false"/>
</user-service>-->
<!--引用加密对象-->
<password-encoder ref="encoder"/>
<!--从数据源查找账号密码-->
<!-- <jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT * FROM users WHERE username=?"/>-->
</authentication-provider>
</authentication-manager>
<!--加密工具-->
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="9"/>
</beans:bean>
<!--数据库驱动-->
<beans:bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource" destroy-method="close">
<beans:property name="url"
value="jdbc:mysql://127.0.0.1:3306/springsecuritydb?characterEncoding=utf8&serverTimezone=GMT%2B8"/>
<beans:property name="username" value="root"/>
<beans:property name="password" value="root"/>
<beans:property name="driverClassName" value="com.mysql.cj.jdbc.Driver"/>
<beans:property name="maxActive" value="10"/>
<beans:property name="minIdle" value="5"/>
</beans:bean>
<!--自定义登陆校验器-->
<beans:bean class="cn.hqlearn.service.UserDetailsServiceImpl" id="userDetailsServiceImpl"/>
</beans:beans>
2.2 springsecurity入门学习
2.2.1 案例介绍
2.2.1.1 创建UserController
package cn.hqlearn.controller;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
@RequestMapping(value = "/admin/user")
public class UserController {
@RequestMapping(value = "/list")
public String list(){
return "user_list";
}
}
2.2.1.2 在/WEB-INF/view添加user_list.jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>欢迎来到SpringSecurity的世界</title>
</head>
<body>
<table>
<h2>欢迎来到SpringSecurity的世界!</h2><br>
<tr>
<td>用户ID</td>
<td>姓名</td>
<td>年龄</td>
</tr>
<tr>
<td>1</td>
<td>张三</td>
<td>12</td>
</tr>
<tr>
<td>2</td>
<td>李四</td>
<td>21</td>
</tr>
<tr>
<td>3</td>
<td>王五</td>
<td>22</td>
</tr>
<tr>
<td>4</td>
<td>王麻子</td>
<td>34</td>
</tr>
</table>
<div>
<a href="/logout">退出</a>
</div>
</body>
</html>
2.2.1.3 实现对/admin进行拦截校验
在spring-security.xml配置文件中
<http auto-config="true" use-expressions="false">
<!--所有/admin/**请求都需要ROLE_ADMIN权限-->
<intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
</http>
2.2.1.4 添加授权用户数据库表
use springsecuritydb;
CREATE TABLE users(
username VARCHAR(50) NOT NULL,
password VARCHAR(50) NOT NULL,
enable VARCHAR(50) not null,
PRIMARY KEY (username)
)ENGINE=INNODB DEFAULT CHARSET = utf8;
INSERT into users(username,PASSWORD ,enable)VALUES('zzhua','123456','true');
CREATE table authorities(
username VARCHAR(50) NOT NULL,
authority VARCHAR(50) NOT NULL,
PRIMARY KEY (username)
)ENGINE=INNODB DEFAULT CHARSET = utf8;
INSERT into authorities(username,authority)VALUES('zzhua','ROLE_ADMIN');
2.2.2 springsecurity常用配置
2.2.2.1 取消安全校验
在spring-security.xml配置文件中
<http auto-config="true" use-expressions="false">
<!--关闭CSRF攻击功能-->
<csrf disabled="true"/>
</http>
2.2.2.2 自定义登录页面和 登录错误信息处理
自定义登录jsp界面
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>登录</title>
</head>
<body>
<h2>欢迎登录</h2>
<form name="f" action="/login" method="post">
<table>
<tr>
<td>用户名:</td>
<td><input name="username1" type="text" value=""></td>
</tr>
<tr>
<td>密码:</td>
<td><input name="password1" type="password"></td>
</tr>
<tr>
<td colspan="2"><input name="submit" type="submit" value="LOGIN"></td>
</tr>
<tr>
<td colspan="2">${msg}</td>
</tr>
</table>
</form>
</body>
</html>
在spring-security.xml配置文件中
<http auto-config="true" use-expressions="false">
<!--自定义登录界面-->
<form-login login-page="/login.shtml"
default-target-url="/admin/user/list.shtml"
authentication-failure-url="/login/fail.shtml"
always-use-default-target="true"
username-parameter="username1"
password-parameter="password1"/>
</http>
自定义LoginController
package cn.hqlearn.controller;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class LoginController {
/**
* /login.shtml
* 跳转到登录界面
*
* @return
*/
@RequestMapping(value = "/login")
public String login() {
return "login";
}
@RequestMapping(value = "/login/fail")
public String loginfail(Model model) {
model.addAttribute("msg", "账号或密码不正确");
return "login";
}
}
2.2.2.3 加密密码匹配
在spring-security.xml配置文件中
<!--授权认证管理器-->
<authentication-manager>
<authentication-provider user-service-ref="userDetailsServiceImpl">
<!--引用加密对象-->
<password-encoder ref="encoder"/>
</authentication-provider>
</authentication-manager>
<!--加密工具-->
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="9"/>
</beans:bean>
2.2.2.4 登出
在spring-security.xml配置文件中
<http auto-config="true" use-expressions="false">
<!--登出成功配置-->
<logout logout-success-url="/images/1.png"/>
</http>
2.2.2.5 自定义用户校验
实现org.springframework.security.core.userdetails.UserDetailsService接口 重写loadUserByUsername()
package cn.hqlearn.service;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import java.util.ArrayList;
import java.util.List;
/**
* @author zzh
*/
public class UserDetailsServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
String password = "$2a$10$xK7b5GRqsZuOlrbz2iZ9DOWQORWmgMXEpLHEqimAHgCRWH3wAqDjy";
List<GrantedAuthority> grantedList = new ArrayList<>();
grantedList.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
grantedList.add(new SimpleGrantedAuthority("ROLE_USER"));
User user = new User(username, password, grantedList);
return user;
}
}
在spring-security.xml配置文件中引入
<!--授权认证管理器-->
<authentication-manager>
<authentication-provider user-service-ref="userDetailsServiceImpl">
</authentication-provider>
</authentication-manager>
</beans:bean>