一句话介绍
Spring Security 是基于Spring AOP和Servlet过滤器的安全框架,安全主要包括两个操作“认证”与“验证”(有时候也会叫做权限控制)
开始使用
引入类库,例子中使用到的security版本是3.1
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<org.springframework-version>4.1.4.RELEASE</org.springframework-version>
<org.slf4j-version>1.7.8</org.slf4j-version>
</properties>
<dependencies>
<!-- Spring -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${org.springframework-version}</version>
<exclusions>
<!-- Exclude Commons Logging in favor of SLF4j -->
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- Logging -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${org.slf4j-version}</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>${org.slf4j-version}</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>${org.slf4j-version}</version>
</dependency>
<!-- Spring security -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-crypto</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
</dependencies>
配置web.xml
<!-- security过滤所有请求 -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 载入security配置文件 -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/security.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
在WEB-INF下创建spring文件夹并新建一个security的配置文件
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd ">
<!-- Spring Security 3.1 基于Spring AOP和Servlet过滤器的安全框架 -->
<!-- pattern需要控制的url access 权限级别 这里指定的权限级别是管理员权限 -->
<security:http auto-config="true">
<security:intercept-url pattern="/**" access="ROLE_ADMIN" />
</security:http>
<!-- AuthenticationManager用于配置认证身份 -->
<security:authentication-manager>
<security:authentication-provider>
<!-- 这里配置两个不同权限账户测试 -->
<security:user-service>
<security:user name="user" password="user" authorities="ROLE_USER" />
<security:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
启动项目
可以看到的是由于我们并没有登录(Session中没有登录信息),Spring 会给我们一个登录页面,即我们的安全框架生效了。使用user/user 登录会跳403(没有访问权限) ;admin/admin 会跳 index 首页。
那么
我们也没有写这个登录页面,它从哪里来呢?
这时我们需要看security的配置文件
<security:http auto-config="true">
这个配置项即告诉spring,我们使用默认的配置项,框架中的
org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter 的 generateLoginPageHtml() 方法会生成这个登录页面,大家可以去查阅一下这部分的源代码
还有一个问题就是这个action是怎么被处理的?
同样的,默认配置中框架中的
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter 的 attemptAuthentication() 会去处理这个请求。