pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.wyc</groupId>
<artifactId>SpringSecurity</artifactId>
<packaging>war</packaging>
<version>0.0.1-SNAPSHOT</version>
<name>SpringSecurity Maven Webapp</name>
<url>http://maven.apache.org</url>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.10</version>
<scope>test</scope>
</dependency>
<!-- http://mvnrepository.com/artifact/org.springframework/spring-core -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>4.2.6.RELEASE</version>
</dependency>
<!-- http://mvnrepository.com/artifact/org.springframework/spring-context -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>4.2.6.RELEASE</version>
</dependency>
<!-- http://mvnrepository.com/artifact/org.springframework/spring-webmvc -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.2.6.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.1.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.1.0.RELEASE</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
<!-- only needed at compile and test time; the servlet container provides it at runtime -->
<scope>provided</scope>
</dependency>
</dependencies>
<build>
<finalName>SpringSecurity</finalName>
<plugins>
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.2</version>
</plugin>
</plugins>
</build>
</project>
web.xml
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>Archetype Created Web Application</display-name>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
</web-app>
applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config="true">
<!-- Note: hasRole must be used here, otherwise an error is thrown; the content inside the single quotes must be uppercase (same below), otherwise a 403 error results -->
<intercept-url pattern="/index.jsp" access="hasRole('USER')"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="tom" password="tom" authorities="ROLE_USER"/>
<user name="mike" password="mike" authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Both of the files above are placed under the /WEB-INF directory.
The results are shown in the screenshots below:
Login page (the built-in default)
Logging in as tom
Logging in as mike
When applicationContext.xml is modified as follows (i.e. with hasRole left out):
<intercept-url pattern="/index.jsp" access="USER"/>
the following error appears when the page is accessed:
java.lang.IllegalArgumentException: Failed to evaluate expression 'USER'
If applicationContext.xml is changed to the following instead:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http use-expressions="false">
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="tom" password="tom" authorities="ROLE_USER"/>
<user name="mike" password="mike" authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
I don't yet quite understand the purpose of this configuration. The original Spring Security text reads:
Basic authentication will then take precedence and will be used to prompt for a login when a user attempts to access a protected resource. Form login is still available in this configuration if you wish to use it, for example through a login form embedded in another web page.
The result is as follows:
If a custom login page is used, modify applicationContext.xml as follows:
<http use-expressions="true" auto-config="true">
<intercept-url pattern="/index.jsp" access="hasRole('USER')"/>
<form-login login-page="/login.jsp" login-processing-url="/check_action"
always-use-default-target="true"
default-target-url="/success.jsp"
username-parameter="username"
password-parameter="password"/>
</http>
Here, the login-page attribute is the login page itself, and the last two attributes relate to the form on that page. The form inside login.jsp looks like this:
<form method="post" action="<c:url value='check_action' />">
<input type="text" name="username">
<input type="password" name="password">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
<input type="submit" value="提交">
</form>
The action attribute must have the same value as login-processing-url in applicationContext.xml; the name attributes of the first two inputs correspond to the username-parameter and password-parameter values in the configuration file; the third input is required because Spring Security uses CSRF protection (I haven't looked into exactly what that is yet).
If, after adding it, running the application produces the following error:
HTTP Status 403 - Could not verify the provided CSRF token because your session was not found in spring security.
then login.jsp needs to be modified:
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8" isELIgnored="false"%>
by adding the last attribute pair (isELIgnored="false"). The cause of this error is that the CSRF expressions in the form were not evaluated (you can see this by viewing the page source: the csrf placeholders appear unchanged).
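For comparison, here is a hardened version of the custom-login configuration above. This is an added example, not the original post's file: it keeps the post's login.jsp, /check_action, /success.jsp, the username/password parameter names and the users tom and mike, and assumes an /admin/** area that does not exist in the post. It protects every URL by default instead of only /index.jsp (the /** rule with access="ROLE_USER" earlier shows how mike, who only has ROLE_ADMIN, gets locked out of everything), keeps the login page reachable so the redirect to it does not loop, and stores BCrypt hashes instead of plaintext passwords. The password values are placeholders to be replaced with the output of BCryptPasswordEncoder.encode(); until then no login will succeed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the post's own file): a hardened applicationContext.xml
     for Spring Security 4.1 in expression mode. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- use-expressions="true" is the 4.x default; it is stated explicitly so that
         plain role strings such as access="ROLE_USER" are never mixed in. Those
         only work with use-expressions="false", which is what produced the
         "Failed to evaluate expression 'USER'" error above. -->
    <http use-expressions="true">
        <!-- intercept-url rules are matched top-down and the first match wins,
             so the most specific patterns come first and the catch-all last. -->

        <!-- The login page must be reachable without a session; protecting it
             would redirect every anonymous request to a page that is itself
             protected. /check_action needs no rule: the form-login filter
             handles it before authorization runs. -->
        <intercept-url pattern="/login.jsp" access="permitAll"/>

        <!-- Hypothetical admin area (not in the post). hasRole('ADMIN') matches
             the authority ROLE_ADMIN; 4.x adds the ROLE_ prefix itself. -->
        <intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/>

        <!-- Default deny: anything not matched above needs a logged-in user.
             Protecting only /index.jsp, as in the post, leaves every other
             resource in the webapp open to anonymous requests. -->
        <intercept-url pattern="/**" access="isAuthenticated()"/>

        <form-login login-page="/login.jsp"
                    login-processing-url="/check_action"
                    default-target-url="/success.jsp"
                    authentication-failure-url="/login.jsp?error"
                    username-parameter="username"
                    password-parameter="password"/>

        <!-- CSRF protection stays at its 4.x default (enabled). Because of it,
             logout must be a POST that carries the _csrf token, exactly like
             the hidden input in the login form above. -->
        <logout logout-url="/logout"
                logout-success-url="/login.jsp?logout"
                invalidate-session="true"/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- PLACEHOLDER values: replace each with the output of
                     new BCryptPasswordEncoder().encode("the real password").
                     Plaintext passwords never belong in the context file. -->
                <user name="tom"  password="BCRYPT_HASH_PLACEHOLDER_TOM"  authorities="ROLE_USER"/>
                <user name="mike" password="BCRYPT_HASH_PLACEHOLDER_MIKE" authorities="ROLE_ADMIN"/>
            </user-service>
            <!-- Submitted passwords are BCrypt-checked against the stored hashes. -->
            <password-encoder ref="bcryptEncoder"/>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="bcryptEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</beans:beans>
```

It goes into /WEB-INF next to web.xml exactly like the post's version. With the encoder in place the password attribute of each user holds a hash rather than the secret, so the context file can be checked into source control without exposing credentials; the hashes themselves are generated once, offline, with the same BCryptPasswordEncoder class.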