web.xml
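<!-- Registers the Spring Security filter chain.
     The filter-name must stay exactly "springSecurityFilterChain": DelegatingFilterProxy
     resolves a bean of that name from the root WebApplicationContext that
     ContextLoaderListener (below) creates from springSecurity.xml.
     (The original carried this remark as stray "//" text inside <filter>; web.xml allows
     no text content there, so it is now a real XML comment.) -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Route every request through the chain so no URL can bypass the security filters.
     Only REQUEST dispatches are filtered by default; add <dispatcher> entries here if
     forwarded, included or error-dispatched resources must be secured as well. -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Bean definitions loaded into the root context by ContextLoaderListener. -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:springSecurity.xml</param-value>
</context-param>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>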
springSecurity.xml
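<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Web security.
         auto-config="true" registers the default form-login, HTTP Basic and logout filters.
         access-denied-page: where an authenticated user lacking the required role is sent. -->
    <http auto-config="true" access-denied-page="/403.jsp">

        <!-- access: roles allowed to reach the matching pattern (comma-separated).
             filters="none": the pattern bypasses the Spring Security filter chain entirely.
             requires-channel="https" (not used here) would redirect the matching URL onto SSL.
             NOTE(review): only the three patterns below are protected. There is no trailing
             <intercept-url pattern="/**" .../>, so every other URL in the application is
             reachable without authentication unless it is secured elsewhere. Patterns are
             evaluated in order, so a catch-all rule must be the last entry. -->
        <intercept-url pattern="/index.jsp" access="ROLE_user,ROLE_ADMIN" />
        <intercept-url pattern="/login.jsp" filters="none"/>
        <intercept-url pattern="/index2.jsp" access="ROLE_tom"/>

        <!-- Custom login form.
             login-page: page shown to unauthenticated users (it must itself be unsecured, see above).
             login-processing-url: URL the form POSTs to (default /j_spring_security_check);
             login.jsp must post to exactly this path.
             authentication-failure-url: redirect target after a failed login.
             default-target-url with always-use-default-target="true": always land on /index.jsp
             after login instead of the originally requested URL.
             On success the authenticated principal is stored in the HTTP session. -->
        <form-login login-page="/login.jsp"
                    login-processing-url="/j_login"
                    authentication-failure-url="/403.jsp"
                    default-target-url="/index.jsp"
                    always-use-default-target="true"/>

        <!-- Logout.
             logout-url: request URL that triggers logout (default /j_spring_security_logout).
             NOTE(review): "/j_spring_security_logo" looks like a truncated copy of that default;
             whichever value is intended, every logout link in the application must match it exactly.
             invalidate-session="false" keeps the HttpSession (and everything stored in it) alive
             after logout; the default "true" is the safer choice unless session data must
             deliberately outlive the login. -->
        <logout logout-success-url="/login.jsp"
                logout-url="/j_spring_security_logo"
                invalidate-session="false"/>

        <!-- Concurrent session control.
             max-sessions="1": one active session per account.
             error-if-maximum-exceeded="true": reject the second login rather than expiring the first.
             invalid-session-url: where a request carrying an invalid or expired session id is sent. -->
        <session-management invalid-session-url="/403.jsp">
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
        </session-management>
    </http>

    <!-- Authentication. A provider takes either <user-service> or <jdbc-user-service>,
         not both; if both are present the second one is ignored. -->
    <authentication-manager>
        <authentication-provider>
            <!-- In-memory alternative kept for reference (authorities = granted roles):
            <user-service>
                <user name="tom" authorities="ROLE_user" password="tom"/>
                <user name="tim" authorities="ROLE_tom" password="tim"/>
            </user-service>
            -->

            <!-- Database-backed users.
                 users-by-username-query must return username, password, enabled in that order;
                 authorities-by-username-query must return username, authority (role name).
                 NOTE(review): no <password-encoder> is declared, so the password column is compared
                 as plain text (the sample rows on this page store passwords in the clear); declare a
                 <password-encoder> and store hashed values before this leaves the demo stage.
                 NOTE(review): the queries read table "users" while the schema listing on this page
                 names it "user" - confirm the real table name. -->
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="select username , password ,
enabled from users where username=? and enabled=1"
                authorities-by-username-query="SELECT users.username ,role.rname FROM
users JOIN u_r ON users.uid = u_r.uid JOIN role ON role.rid = u_r.rid WHERE users.username =?"
                />
        </authentication-provider>
    </authentication-manager>

    <!-- JDBC DataSource used by jdbc-user-service.
         DriverManagerDataSource opens a new physical connection on every getConnection();
         acceptable for a demo, use a pooled DataSource in production.
         NOTE(review): credentials are hard-coded (root account, clear-text password). Move them
         to an externalized property file via a property placeholder and use a least-privilege
         database account that only needs SELECT on users / role / u_r. -->
    <beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <!-- Trailing space removed from the driver class name so it no longer relies on trimming. -->
        <beans:property name="driverClassName" value="com.mysql.jdbc.Driver"/>
        <beans:property name="url" value="jdbc:mysql://localhost:3306/springsecurity"/>
        <beans:property name="username" value="root"/>
        <beans:property name="password" value="123456"/>
    </beans:bean>
</beans:beans>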
表结构:
user
uid | username | password | enabled |
1 | zhangsan | zhangsan | 1 |
2 | lisi | lisi | 1 |
3 | wangwu | wangwu | 1 |
role
rid | rname |
1 | ROLE_ADMIN |
2 | ROLE_user |
3 | ROLE_tom |
u_r
rid | uid |
1 | 1 |
2 | 1 |
1 | 2 |
2 | 3 |
login.jsp
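<%-- Login form consumed by Spring Security's form-login filter.
     The action must equal login-processing-url in springSecurity.xml (/j_login); the field
     names j_username and j_password are the framework's default parameter names and must
     not be renamed. (The original carried that remark as "//" text inside the <input> tag,
     which turned the value attribute into garbage; it is now a JSP comment.)
     If the Spring Security version in use enables CSRF protection (3.2+), the form also
     needs the _csrf hidden field. --%>
<form action="<%=path %>/j_login" method="post">
    <%-- SPRING_SECURITY_LAST_USERNAME echoes whatever was last submitted as the username.
         NOTE(review): ${...} does not HTML-escape, so that value is written raw into the
         attribute (XSS); render it through <c:out> or fn:escapeXml once the JSTL taglib is
         declared in this page. --%>
    USERNAME:<input type="text" name="j_username"
                    value="${sessionScope['SPRING_SECURITY_LAST_USERNAME']}" /><br/>
    PASSWORD:<input type="password" name="j_password" value="" /><br/>
    <%-- Remember-me only takes effect if <remember-me/> is declared inside <http> in
         springSecurity.xml; the configuration shown on this page does not declare it. --%>
    <input type="checkbox" name="_spring_security_remember_me" />两周之内不必登陆<br/>
    <input type="submit">
</form>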