References: documentation, doc
Enable the Spring Security filter in web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The servlet handles JSP pages by default; if you switch to HTML, you also need to add a mapping for the jsp servlet:
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
Configure the intercepted paths. Using /** as below intercepts every resource, including static resources such as JS files, even if you exclude them in spring-config.xml. I switched to /* here.
<http>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login />
<logout />
</http>
If you start the application at this point, it complains that ROLE_USER is not declared; you need to add the user configuration:
<authentication-manager>
<authentication-provider>
<!-- in-memory users; the passwords here are plain text, so this is only for trying things out -->
<user-service>
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
Now you can open the browser; it redirects automatically to the JSP that Spring generates.
About this login page: the documentation explains that Spring generates it automatically; of course, once you specify your own login page it no longer redirects to spring_security_login.
To specify a custom login page, since it references resource files, first exclude those resource files from interception:
<!-- static resources are served without any security filtering; the original post wrote these as "**.jpg",
     but Ant-style patterns need a leading slash and a "/**/" segment to match nested paths -->
<security:http pattern="/**/*.jpg" security="none" />
<security:http pattern="/**/*.png" security="none" />
<security:http pattern="/**/*.gif" security="none" />
<security:http pattern="/**/*.css" security="none" />
<security:http pattern="/**/*.js" security="none" />
<!-- goes inside the main <security:http> element -->
<security:form-login login-page="/login.html" />
login.html is my own login page; restart the server and the result is as follows.
In practice you will certainly need custom login control.
Custom user service
<authentication-manager>
<authentication-provider user-service-ref='myUserDetailsService'/>
</authentication-manager>
DB-backed
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="securityDataSource"/>
</authentication-provider>
</authentication-manager>
Declare the concrete implementation class; for the DB approach it is the Spring DataSource:
<authentication-manager>
<authentication-provider user-service-ref='myUserDetailsService'/>
</authentication-manager>
<beans:bean id="myUserDetailsService"
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<beans:property name="dataSource" ref="dataSource"/>
</beans:bean>
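As an added example (not code from the original post), a hypothetical Java UserDetailsService that could stand behind user-service-ref='myUserDetailsService' instead of JdbcDaoImpl. The class name, constructor wiring and the users/authorities table layout are assumptions (they follow Spring Security's default schema).

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Hypothetical class (not from the post) to sit behind user-service-ref='myUserDetailsService'.
 *  Wire it with <beans:bean id="myUserDetailsService" class="MyUserDetailsService">
 *  <beans:constructor-arg ref="dataSource"/></beans:bean>. Assumes the default schema:
 *  users(username, password, enabled) and authorities(username, authority). */
public class MyUserDetailsService implements UserDetailsService {
    private final JdbcTemplate jdbc;

    public MyUserDetailsService(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Roles first; the username is bound as a query parameter, never concatenated into SQL.
        final List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : jdbc.queryForList(
                "select authority from authorities where username = ?", String.class, username)) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        try {
            return jdbc.queryForObject(
                    "select username, password, enabled from users where username = ?",
                    new RowMapper<UserDetails>() {
                        public UserDetails mapRow(ResultSet rs, int i) throws SQLException {
                            // password holds the BCrypt hash once <password-encoder> is configured;
                            // enabled=false makes Spring reject the login with DisabledException
                            return new User(rs.getString("username"), rs.getString("password"),
                                    rs.getBoolean("enabled"), true, true, true, authorities);
                        }
                    }, username);
        } catch (EmptyResultDataAccessException e) {
            throw new UsernameNotFoundException("User not found: " + username);
        }
    }
}
```

DaoAuthenticationProvider hides UsernameNotFoundException behind BadCredentialsException by default, so the message above is not what the browser sees; it only reaches your logs.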
MD5 / password encoding
<!-- references a PasswordEncoder bean (declaration not shown); the original heading says MD5, but the bean wired here is a BCrypt encoder, which is the stronger choice -->
<password-encoder ref="bcryptEncoder"/>
Remember the user (remember-me)
<remember-me key="myAppKey"/>
HTTPS (the certificate itself is configured separately)
<http>
<intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>
...
</http>
<port-mappings>
<port-mapping http="9080" https="9443"/>
</port-mappings>
Redirect when the session becomes invalid
<http>
...
<session-management invalid-session-url="/invalidSession.htm" />
</http>
Clear the session on logout
<http>
<logout delete-cookies="JSESSIONID" />
</http>
That's it for now.