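2.1.1 Access control with HTTP Basic
Add the Spring Security configuration to the project's configuration file spring-security.xml:
The configuration above has two parts. The upper part configures the filter chain: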
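- “security:http”: configuration of the filter chain
  The content of this tag covers the resource paths to intercept, the role permissions required for the target services, how authentication is defined, and the customizable login page, request URL, error handling and so on.
- “security:intercept-url”: specifies the access control rules
  pattern — the URL path pattern of the target service (regular expressions may be used); for example, “/**” means all paths;
  access — the permissions required for requests to the matching URL; a list of roles separated by commas “,” may be used;
  ROLE_USER — denotes the role of the requesting user; “ROLE” is the prefix and can be customized.
- “<security:http-basic>”: login verification uses the “http-basic” method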
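The lower part configures the authentication manager:
- “security:authentication-manager”: configuration of the authentication manager
  The content of this tag covers how authentication information such as the user name, password and the current user's authorities is provided.
- “security:authentication-provider”: the service that provides authentication
- “security:user-service”: supplies the user verification information
  Here a “properties configuration file” or a “database” can be used to supply the user information.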
After the configuration is complete, the content of the configuration file “spring-security.xml” is:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Filter chain: rules are checked in declaration order and the first match wins -->
    <security:http>
        <security:intercept-url pattern="/student/studentAdd" access="hasAnyAuthority('ADMIN','STUDENT')"/>
        <security:intercept-url pattern="/student/studentDelete" access="hasAnyAuthority('ADMIN','STUDENT')"/>
        <security:intercept-url pattern="/student/studentList" access="hasAnyAuthority('ADMIN','STUDENT')"/>
        <security:intercept-url pattern="/student/studentUpdate" access="hasAnyAuthority('ADMIN','STUDENT')"/>
        <security:intercept-url pattern="/teacher/teacherAdd" access="hasAnyAuthority('ADMIN','TEACHER')"/>
        <security:intercept-url pattern="/teacher/teacherDelete" access="hasAnyAuthority('ADMIN','TEACHER')"/>
        <security:intercept-url pattern="/teacher/teacherList" access="hasAnyAuthority('ADMIN','TEACHER')"/>
        <security:intercept-url pattern="/teacher/teacherUpdate" access="hasAnyAuthority('ADMIN','TEACHER')"/>
        <security:intercept-url pattern="/index" access="permitAll()"/>
        <!-- Catch-all: every other path requires full authentication -->
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
        <security:http-basic/>
    </security:http>

    <!-- Authentication manager: in-memory users; passwords are stored in plain text here -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="admin" password="111111" authorities="ADMIN"/>
                <security:user name="student" password="123456" authorities="STUDENT"/>
                <security:user name="teacher" password="123456" authorities="TEACHER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
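Spring Security checks `intercept-url` rules in declaration order and applies the first one that matches, which is why the catch-all `/**` is listed last in the configuration above. The following is an added example, not part of the original tutorial: a small Python audit of such a file that reports which rule governs a path and which rules can never take effect. The Ant-style matching is a simplified model, and `SAMPLE`, `effective_rule` and `shadowed_rules` are names made up for this sketch.

```python
import re
import xml.etree.ElementTree as ET

NS = {"security": "http://www.springframework.org/schema/security"}
TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
# Constructed sample: four of the intercept-url rules from the configuration above.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http>
    <security:intercept-url pattern="/student/studentAdd" access="hasAnyAuthority('ADMIN','STUDENT')"/>
    <security:intercept-url pattern="/teacher/teacherAdd" access="hasAnyAuthority('ADMIN','TEACHER')"/>
    <security:intercept-url pattern="/index" access="permitAll()"/>
    <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
  </security:http>
</beans>"""


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex (simplified model)."""
    tail = pattern.endswith("/**")  # a trailing /** also matches the parent path itself
    body = pattern[:-3] if tail else pattern
    parts = re.split(r"(\*\*|\*|\?)", body)
    regex = "".join(TOKENS.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + regex + ("(/.*)?" if tail else "") + "$")


def load_rules(xml_text):
    """Return (pattern, access) pairs in declaration order."""
    root = ET.fromstring(xml_text)
    return [(e.get("pattern"), e.get("access"))
            for e in root.findall("./security:http/security:intercept-url", NS)]


def effective_rule(rules, path):
    """Return the first rule whose pattern matches the path, or None."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, access
    return None


def shadowed_rules(rules):
    """Literal patterns that an earlier rule already matches, so they never take effect."""
    found = []
    for i, (pattern, _) in enumerate(rules):
        hit = next((q for q, _ in rules[:i] if ant_to_regex(q).match(pattern)), None)
        if hit and not set(pattern) & set("*?"):
            found.append((pattern, hit))
    return found
```

Moving the `/**` rule to the top makes `shadowed_rules` report every specific path, including `/index`, which would then require authentication instead of being open.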
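2.1.2 Login authentication with “form-login”
To use the “form-login” authentication method, change the authentication method in the configuration file “spring-security.xml”:
Content of the configuration file “spring-security.xml”: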
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http>
        <security:intercept-url pattern="/student/studentAdd" access="hasAnyAuthority('ADMIN','STUDENT')"/>
        <security:intercept-url pattern="/student/studentDelete" access="hasAnyAuthority('ADMIN','STUDENT')"/>
        <security:intercept-url pattern="/student/studentList" access="hasAnyAuthority('ADMIN','STUDENT')"/>
        <security:intercept-url pattern="/student/studentUpdate" access="hasAnyAuthority('ADMIN','STUDENT')"/>
        <security:intercept-url pattern="/teacher/teacherAdd" access="hasAnyAuthority('ADMIN','TEACHER')"/>
        <security:intercept-url pattern="/teacher/teacherDelete" access="hasAnyAuthority('ADMIN','TEACHER')"/>
        <security:intercept-url pattern="/teacher/teacherList" access="hasAnyAuthority('ADMIN','TEACHER')"/>
        <security:intercept-url pattern="/teacher/teacherUpdate" access="hasAnyAuthority('ADMIN','TEACHER')"/>
        <security:intercept-url pattern="/index" access="permitAll()"/>
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
        <!-- <security:http-basic/>-->
        <security:form-login/>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="admin" password="111111" authorities="ADMIN"/>
                <security:user name="student" password="123456" authorities="STUDENT"/>
                <security:user name="teacher" password="123456" authorities="TEACHER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
Start the service and access it: