Spring Security依赖
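<dependencies>
  <!-- Servlet filter chain, form login, session and header support.
       5.0.1.RELEASE is the version this tutorial was written against; for anything
       beyond a local experiment use a currently supported Spring Security release. -->
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>5.0.1.RELEASE</version>
  </dependency>
  <!-- The <security:...> XML namespace used in spring-security.xml below lives in
       spring-security-config, which spring-security-web does not pull in transitively,
       so it has to be declared as well. Keep both artifacts on the same version. -->
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>5.0.1.RELEASE</version>
  </dependency>
</dependencies>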
Spring Security快速入门
使用Spring Security默认界面
1.引入依赖
2.配置web.xml
配置过滤器链和核心监听器
<!-- Bootstraps the root Spring application context when the web application starts. -->
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Tells ContextLoaderListener which bean definition file to load
     (replaces the default /WEB-INF/applicationContext.xml). -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>classpath:spring/spring-security.xml</param-value>
</context-param>

<!-- Entry point of the Spring Security filter chain. DelegatingFilterProxy looks up a
     bean with the same name as the filter ("springSecurityFilterChain") in the root
     context and delegates every request to it. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Route every request through the chain; the <security:http> rules in
     spring-security.xml decide what is actually protected. -->
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
3.Spring-security.xml配置文件
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Getting-started configuration that uses the framework's built-in login page.
       auto-config="true":      form login, HTTP Basic and logout with default settings.
       use-expressions="false": access attributes are plain role names; with "true"
                                they would be SpEL, e.g. access="hasRole('ROLE_USER')". -->
  <security:http auto-config="true" use-expressions="false">
    <!-- Every URL requires ROLE_USER; anonymous requests are sent to the built-in login page. -->
    <security:intercept-url pattern="/**" access="ROLE_USER" />
  </security:http>

  <!-- In-memory demo user. The "{noop}" prefix selects the no-op password encoder, i.e. the
       password is stored and compared in clear text — acceptable only for local experiments. -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="admin" password="{noop}admin" authorities="ROLE_USER" />
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>
使用自定义界面
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Getting-started configuration with a custom login page. -->

  <!-- The login and error pages are served outside the security filter chain.
       These entries must stay before the catch-all <security:http> below: the first
       chain whose pattern matches a request is the one that handles it. -->
  <security:http pattern="/login.jsp" security="none"/>
  <security:http pattern="/error.jsp" security="none"/>

  <!-- auto-config="true":      form login, HTTP Basic and logout with default settings.
       use-expressions="false": access attributes are plain role names; with "true"
                                they would be SpEL, e.g. access="hasRole('ROLE_USER')". -->
  <security:http auto-config="true" use-expressions="false">
    <!-- Every other URL requires ROLE_USER. -->
    <security:intercept-url pattern="/**" access="ROLE_USER" />

    <!-- Custom login flow:
         login-page                 page shown to unauthenticated users
         login-processing-url       URL the login form must POST to (handled by the framework)
         default-target-url         destination after a successful login
         authentication-failure-url destination after a failed login
         always-use-default-target  "true": always go to default-target-url after login,
                                    even when a protected page was requested first -->
    <security:form-login
        login-page="/login.jsp"
        login-processing-url="/login"
        default-target-url="/success.jsp"
        authentication-failure-url="/error.jsp"
        always-use-default-target="true"
        />

    <!-- Page shown to an authenticated user who lacks the required role (HTTP 403). -->
    <security:access-denied-handler error-page="/error.jsp"/>

    <!-- CSRF protection is switched off because this tutorial's login.jsp posts no token.
         A custom login page does NOT by itself require disabling it: keeping the protection
         only needs a hidden "_csrf" field in the form, filled from the "_csrf" request attribute. -->
    <security:csrf disabled="true"/>

    <!-- Logout: a request to /logout invalidates the HTTP session and returns to the login page. -->
    <security:logout invalidate-session="true" logout-url="/logout" logout-success-url="/login.jsp"/>
  </security:http>

  <!-- In-memory demo users. "{noop}" selects the no-op password encoder: passwords are
       stored and compared in clear text, which is acceptable only for local experiments. -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="admin" password="{noop}admin" authorities="ROLE_USER" />
        <!-- NOTE(review): this account holds only ROLE_ADMIN while every URL demands ROLE_USER,
             so it is denied everywhere — presumably meant to exercise the access-denied page; confirm. -->
        <security:user name="user" password="{noop}user" authorities="ROLE_ADMIN"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>
使用数据库信息登录
spring-security.xml
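<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/aop
                           http://www.springframework.org/schema/aop/spring-aop.xsd
                           http://www.springframework.org/schema/tx
                           http://www.springframework.org/schema/tx/spring-tx.xsd
                           http://www.springframework.org/schema/mvc
                           http://www.springframework.org/schema/mvc/spring-mvc.xsd
                           http://code.alibabatech.com/schema/dubbo
                           http://code.alibabatech.com/schema/dubbo/dubbo.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Component scan registers UserDetailService (@Component) under the bean name
       "userDetailService", which the authentication-provider below refers to. -->
  <context:component-scan base-package="com.pinyougou.manager"/>

  <!-- Login page and static resources bypass the security filter chain.
       security="none" installs an empty chain, so nothing — not even the response
       headers configured below — is applied on these paths; keep the list minimal.
       Order matters: the first <security:http> whose pattern matches handles the
       request, so these entries must precede the catch-all chain. -->
  <security:http security="none" pattern="/login.html"/>
  <security:http security="none" pattern="/css/**"/>
  <security:http security="none" pattern="/img/**"/>
  <security:http security="none" pattern="/js/**"/>
  <security:http security="none" pattern="/plugins/**"/>

  <!-- Catch-all chain for everything else. -->
  <security:http auto-config="true" use-expressions="false">
    <security:intercept-url pattern="/**" access="ROLE_USER"/>

    <!-- Custom login page. always-use-default-target="true" sends the user to
         default-target-url after login even if a protected page was requested first. -->
    <security:form-login login-page="/login.html"
                         login-processing-url="/login"
                         default-target-url="/admin/index.html"
                         authentication-failure-url="/login.html"
                         always-use-default-target="true"/>

    <!-- The admin UI embeds pages in frames; allow framing from the same origin only. -->
    <security:headers>
      <security:frame-options policy="SAMEORIGIN"/>
    </security:headers>

    <!-- Logout: /logout invalidates the session and returns to the login page. -->
    <security:logout invalidate-session="true"
                     logout-url="/logout"
                     logout-success-url="/login.html"/>

    <!-- CSRF protection is switched off because login.html posts without a token.
         Prefer keeping it enabled and sending the token from the page (the "_csrf"
         request attribute carries it) once the front end can do so. -->
    <security:csrf disabled="true"/>
  </security:http>

  <!-- Password encoder used to compare the submitted password with the stored one.
       The passwords returned by UserDetailService must therefore be BCrypt hashes. -->
  <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

  <!-- Authenticate against the database: user-service-ref names the UserDetailsService
       implementation (UserDetailService), password-encoder the BCrypt bean above.
       The note that used to follow the start tag was plain text inside the element, which
       the security schema (element-only content) rejects; it is an XML comment now. -->
  <security:authentication-manager>
    <security:authentication-provider user-service-ref="userDetailService">
      <security:password-encoder ref="passwordEncoder"/>
    </security:authentication-provider>
  </security:authentication-manager>

  <!-- Dubbo: this web module has its own application name and must obtain the
       UserService proxy from the registry. -->
  <dubbo:application name="pinyougou-manager-web" />
  <!-- Registry address. -->
  <dubbo:registry address="zookeeper://192.168.25.128:2181"/>
  <!-- Package scanned for @Reference injection. -->
  <dubbo:annotation package="com.pinyougou.manager.security" />
</beans>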
创建一个类实现UserDetailsService,并重写方法
package com.pinyougou.manager.security;
import com.alibaba.dubbo.config.annotation.Reference;
import com.pinyougou.pojo.TbUser;
import com.pinyougou.sellergoods.service.UserService;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
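@Component
public class UserDetailService implements UserDetailsService {

    /** Remote user lookup, injected as a Dubbo proxy via @Reference. */
    @Reference
    private UserService userService;

    /**
     * Loads the account for {@code username} so Spring Security can verify the
     * submitted password against the stored (BCrypt-encoded, per spring-security.xml) one.
     *
     * @param username the name typed into the login form
     * @return a {@link User} carrying the stored password and the ROLE_USER authority
     * @throws UsernameNotFoundException if no account with that name exists. The
     *         UserDetailsService contract forbids returning null here: a null result
     *         makes the authentication provider fail with an internal error rather than
     *         a normal bad-credentials outcome.
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        TbUser tbUser = userService.findByName(username);
        if (tbUser == null) {
            // Generic message on purpose: do not disclose whether the name exists.
            throw new UsernameNotFoundException("user not found");
        }
        // Every database account gets ROLE_USER; role data is not read from TbUser here.
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        // tbUser.getPassword() is assumed to be the BCrypt hash — confirm against the user table.
        return new User(username, tbUser.getPassword(), authorities);
    }
}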