SpringSecurity管理自己的项目——权限管理！！！

本文章主要使用到了SpringSecurity的以下功能：

1)使用了默认的表结构管理权限
2)使用了MD5盐值加密密码
3)自定义错误页面
4)禁止重复登录
5)自定义登录页面
6)控制用户信息

使用到的是spring-security-2.0.5.zip版本！下面开始记录怎么做：

 

第一步：把spring-security-2.0.5.zip加压开，里面dist目录下面的jar包和两个例子spring-security-samples-contacts-2.0.5.RELEASE.war和spring-security-samples-tutorial-2.0.5.RELEASE.war里面的jar包全部加到项目里面去。本例子中会使用oracle数据库，所以还有就是要加入oracle的驱动。一共32个jar包。

aopalliance-1.0.jar aspectjrt-1.5.4.jar backport-util-concurrent-3.1.jar classes12.jar commons-codec-1.3.jar commons-collections-3.2.jar commons-logging-1.1.1.jar ehcache-1.4.1.jar hessian-3.0.1.jar hsqldb-1.8.0.7.jar jsr107cache-1.0.jar jstl-1.1.2.jar log4j-1.2.14.jar spring-aop-2.0.8.jar spring-beans-2.0.8.jar spring-context-2.0.8.jar spring-core-2.0.8.jar spring-dao-2.0.8.jar spring-jdbc-2.0.8.jar spring-remoting-2.0.8.jar spring-security-acl-2.0.5.RELEASE.jar spring-security-cas-client-2.0.5.RELEASE.jar spring-security-core-2.0.5.RELEASE.jar spring-security-core-tiger-2.0.5.RELEASE.jar spring-security-ntlm-2.0.5.RELEASE.jar spring-security-openid-2.0.5.RELEASE.jar spring-security-portlet-2.0.5.RELEASE.jar spring-security-taglibs-2.0.5.RELEASE.jar spring-support-2.0.8.jar spring-web-2.0.8.jar spring-webmvc-2.0.8.jar standard-1.1.2.jar

 

第二步：在项目src下面放一个log4j的配置文件，免得启动项目的时候有警告。

log4j.rootLogger=ERROR,stdout log4j.appender.stdout=org.apache.log4j.ConsoleAppender log4j.appender.stdout.layout=org.apache.log4j.PatternLayout log4j.appender.stdout.layout.ConversionPattern=[QC] %p [%t] %C.%M(%L) | %m%n

 

第三步：在web.xml中加入如下配置：

<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <context-param> <param-name>contextConfigLocation</param-name> <param-value>/WEB-INF/applicationContext.xml</param-value> </context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener>

 

第四步：在oracle数据库中运行脚本：

drop table authorities; drop table users; create table users( username varchar(50) not null primary key, password varchar(50) not null, enabled char(1) not null ); create table authorities ( username varchar(50) not null, authority varchar(50) not null, constraint fk_authorities_users foreign key(username) references users(username) ); insert into users values('admin','ceb4f32325eda6142bd65215f4c0f371','1'); insert into users values('user','47a733d60998c719cf3526ae7d106d13','1'); insert into authorities values('admin','ROLE_ADMIN'); insert into authorities values('admin','ROLE_USER'); insert into authorities values('user','ROLE_USER'); commit;

 

第五步：新建一个applicationContext.xml和web.xml放在一起，里面的内容如下：

<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"> <!-- 自定义错误页面：access-denied-page="/fail.jsp" --> <http auto-config="true" access-denied-page="/fail.jsp"> <!-- 禁止重复登录 --> <concurrent-session-control exception-if-maximum-exceeded="true"/> <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" /> <intercept-url pattern="/**" access="ROLE_USER" /> <!-- 自定义登录页面 --> <form-login login-page="/login.jsp" default-target-url="/index.jsp" always-use-default-target="true" /> </http> <authentication-provider> <!-- MD5加密 --> <password-encoder hash="md5"> <!-- 盐值密码:把用户名和密码连起来加密存储 --> <salt-source user-property="username"/> </password-encoder> <!-- 使用默认表结构管理权限 --> <jdbc-user-service data-source-ref="dataSource"/> </authentication-provider> <!-- 数据源：数据库使用的是oracle9i --> <beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <beans:property name="driverClassName" value="oracle.jdbc.driver.OracleDriver"/> <beans:property name="url" value="jdbc:oracle:thin:@127.0.0.1:1521:orcl"/> <beans:property name="username" value="scott"/> <beans:property name="password" value="tiger"/> </beans:bean> </beans:beans>

 

第六步：新建jsp文件：

 

admin.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Admin</title> </head> <body> <div align="center"> <h1><a href="index.jsp" mce_href="index.jsp">Index</a></h1> </div> </body> </html>

 

fail.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Fail</title> <mce:style type="text/css"><!-- div.error { width: 260px; border: 2px solid red; background-color: yellow; text-align: center; } --></mce:style><style type="text/css" mce_bogus="1"> div.error { width: 260px; border: 2px solid red; background-color: yellow; text-align: center; }</style> </head> <body> <div align="center"> <h1>Access Denied</h1> <br/> <div class="error"> 访问被拒绝<br> ${requestScope['SPRING_SECURITY_403_EXCEPTION'].message} </div> </div> </body> </html>

 

index.jsp

 <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Index</title> </head> <body> <div align="center"> <h1> <a href="admin.jsp" mce_href="admin.jsp">Admin</a><br/> <sec:authentication property="name"/>，欢迎您！！！<br/> </h1> </div> </body> </html>

 

login.jsp

 <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Login</title> </head> <body > <div align="center"> <div>${sessionScope['SPRING_SECURITY_LAST_EXCEPTION'].message}</div> <form name='f' action="${pageContext.request.contextPath}/j_spring_security_check" method="post" style="width:260px;text-align:center;"> <fieldset> <legend>登陆</legend> 用户： <input type="text" name="j_username" style="width:150px;"/><br/> 密码： <input type="password" name="j_password" style="width:150px;"/><br/> <input type="checkbox" name="_spring_security_remember_me"/>两周之内不必登陆<br/> <input type="submit" name="submit" value="登陆"/> <input type="reset" name="reset" value="重置"/> </fieldset> </form> </div> </body> </html>