Spring Security Study Notes

[Date: 2016-10-09] Source: Linux社区  Author: Linux

This is my first contact with Spring Security. The first example is the simplest one, and the functionality it implements is just the most basic access control.

First, the web.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
    http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <display-name></display-name>
  <!-- Location of application-security.xml -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      classpath:application*.xml
    </param-value>
  </context-param>
  <!-- Instantiate the Spring container (listener) -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
  </listener>
  <!-- Filter required by Spring Security -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- Session timeout (minutes) -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>

The web.xml configuration is familiar territory, so there is nothing too difficult here.

Next comes the core file, applicationContext-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.xsd">
  <!-- Protected resources -->
  <security:http auto-config="true" access-denied-page="/deniedpage.jsp">
    <!-- Concurrent session control -->
    <security:session-management invalid-session-url="/login.jsp" session-fixation-protection="none">
      <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/sessionTimeout.jsp"/>
    </security:session-management>
    <!-- Form-based login -->
    <security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" default-target-url="/success.jsp"/>
    <security:logout/>
    <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/index.jsp" access="ROLE_USER,ROLE_ADMIN"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
  </security:http>
  <!-- Users -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:jdbc-user-service data-source-ref="dataSource"/>
    </security:authentication-provider>
  </security:authentication-manager>
  <!-- Database connection -->
  <bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource">
    <property name="driverClass" value="${db.driverClass}"/>
    <property name="jdbcUrl" value="${db.jdbcUrl}"/>
    <property name="user" value="${db.user}"/>
    <property name="password" value="${db.password}"/>
  </bean>
  <!-- Load the properties file -->
  <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="locations">
      <list>
        <value>classpath:constants.properties</value>
      </list>
    </property>
  </bean>
</beans>

Notes:

1. The current session's information is fetched from the session cache; if it turns out to be expired, the request is redirected to the URL configured in expired-url, or a "session expired" message is written to the response. So which situations cause the current session to become invalid? "Invalid" here does not mean session invalidation in the web container: Spring Security wraps each successfully logged-in session as a SessionInformation and stores it in the session registry cache, and when the SessionInformation's expired flag is true the session is treated as expired. Hence the ConcurrentSessionFilter mainly checks the value of SessionInformation's expired flag.

2. If the concurrency-control element is configured with error-if-maximum-exceeded="true" and max-sessions="1", a second login is refused. With error-if-maximum-exceeded="false", the second login succeeds, but the next time the first logged-in session sends a request it is redirected to the URL configured in expired-url (if none is configured, the message "This session has been expired (possibly due to multiple concurrent logins being attempted as the same user)." is displayed).


Then the constants.properties file with the database connection settings:

db.driverClass=com.mysql.jdbc.Driver
db.jdbcUrl=jdbc:mysql://localhost:3306/springsecurity
db.user=root
db.password=luwenhu
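The jdbc-user-service above is used with its default queries, so the springsecurity database named in db.jdbcUrl must already contain the tables those queries read. The following MySQL script is an added example and not part of the original post: the table and column names are those of Spring Security's default user schema (the queries JdbcDaoImpl runs), the database name is taken from the properties file, and the two sample accounts are constructed for illustration.

```sql
-- Added example (not from the original post): the schema that the default
-- <security:jdbc-user-service> queries expect. JdbcDaoImpl reads
-- users(username, password, enabled) and authorities(username, authority).
-- Database name from db.jdbcUrl; sample accounts below are constructed.
CREATE DATABASE IF NOT EXISTS springsecurity DEFAULT CHARACTER SET utf8;
USE springsecurity;

CREATE TABLE users (
    username VARCHAR(50) NOT NULL PRIMARY KEY,
    password VARCHAR(50) NOT NULL,
    enabled  TINYINT(1)  NOT NULL          -- read via JDBC getBoolean()
) ENGINE=InnoDB;

CREATE TABLE authorities (
    username  VARCHAR(50) NOT NULL,
    authority VARCHAR(50) NOT NULL,
    CONSTRAINT fk_authorities_users
        FOREIGN KEY (username) REFERENCES users (username)
) ENGINE=InnoDB;

-- One row per (user, role); the unique index rejects duplicate grants.
CREATE UNIQUE INDEX ix_auth_username ON authorities (username, authority);

-- With no <security:password-encoder> configured, Spring Security 3.0
-- compares the submitted password to this column as plain text, so these
-- demo values are stored unhashed; configure an encoder before storing
-- real credentials.
INSERT INTO users (username, password, enabled) VALUES
    ('user1',  'user1pass',  1),
    ('admin1', 'admin1pass', 1);

-- Role names must match the access attributes in the intercept-url rules.
INSERT INTO authorities (username, authority) VALUES
    ('user1',  'ROLE_USER'),
    ('admin1', 'ROLE_USER'),
    ('admin1', 'ROLE_ADMIN');

-- The two lookups jdbc-user-service performs at login with default settings:
SELECT username, password, enabled FROM users       WHERE username = 'admin1';
SELECT username, authority         FROM authorities WHERE username = 'admin1';
```

A disabled account (enabled = 0) is rejected at login even when the password matches, which is the switch to use instead of deleting the authorities rows.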

Finally the JSP files; there is nothing special about them. For example, login.jsp:

<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <base href="<%=basePath%>">
    <title>登录界面</title>
  </head>
  <body onload="document.f.j_username.focus();">
    <c:if test="${not empty param.login_error }">
      <font color="red">
        登录失败,请重试!<br/>
        原因:<c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message }"></c:out>
      </font>
    </c:if>
    <form action="/acegi1/j_spring_security_check" method="post">
      username:<input type="text" name="j_username"/><br/>
      password:<input type="password" name="j_password"/><br/>
      <input type="checkbox" name="_spring_security_remember_me">两周内自动登录
      <input type="submit" value="用户登录">
    </form>
  </body>
</html>

On the next page I go deeper into Spring Security and add my own filter.

For more details, continue reading on the next page: http://www.linuxidc.com/Linux/2016-10/135820p2.htm
