Spring Security has become one of the most widely used Java security frameworks in enterprise software. It is configured as beans in the Spring application context and makes full use of Spring IoC (dependency injection, also known as inversion of control) and AOP (aspect-oriented programming) to give an application declarative access control, removing the need to write large amounts of repetitive security code for enterprise systems. It provides comprehensive authentication, authorization, instance-based access control, channel security and human-user detection capabilities.
Spring Security 2.0 builds on the solid foundation of Acegi Security and adds many new features on top of it. This article focuses on the simplified namespace-based configuration in Spring Security; the old-style configuration could require hundreds of lines of XML.
The example below shows how simple namespace-based configuration is.
Spring Security 2.0 example:
Development environment: MyEclipse 6.0
Server: Tomcat 6.x
Architecture: Struts 1.2 + Spring 2.5
Spring Security version: 2.0
1. First set up the application framework with Struts and Spring (omitted here).
2. Add the path of the Spring Security configuration file to web.xml.
3. Add the Spring filter proxy (DelegatingFilterProxy) to web.xml.
4. Add the relevant listeners so that Spring can manage the application context.
The complete web.xml is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <!-- Load the Spring configuration files -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-security-ns.xml
            /WEB-INF/applicationContext.xml
        </param-value>
    </context-param>
    <context-param>
        <param-name>log4jConfigLocation</param-name>
        <param-value>/WEB-INF/classes/log4j.properties</param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <!-- The bean is named springSecurityFilterChain; it is the internal filter chain that the security namespace creates to handle web security -->
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!--
      - Loads the root application context of this web app at startup.
      - The application context is then available via
      - WebApplicationContextUtils.getWebApplicationContext(servletContext).
    -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <!--
      - Publishes events for session creation and destruction through the application
      - context. Optional unless concurrent session control is being used.
    -->
    <listener>
        <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <servlet>
        <servlet-name>action</servlet-name>
        <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>/WEB-INF/struts-config.xml</param-value>
        </init-param>
        <init-param>
            <param-name>debug</param-name>
            <param-value>3</param-value>
        </init-param>
        <init-param>
            <param-name>detail</param-name>
            <param-value>3</param-value>
        </init-param>
        <load-on-startup>0</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>action</servlet-name>
        <url-pattern>*.do</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>login.jsp</welcome-file>
    </welcome-file-list>
    <error-page>
        <error-code>403</error-code>
        <location>/error.html</location>
    </error-page>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
</web-app>
5. Create the spring-security-ns.xml configuration file (the details are in the file itself):
<?xml version="1.0" encoding="UTF-8"?>
<!--
  - Namespace-based configuration
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
    <global-method-security secured-annotations="enabled">
        <!-- AspectJ pointcut expression that locates our "post" method and applies security that way
        <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
        -->
    </global-method-security>
    <http access-denied-page="/error.jsp" access-decision-manager-ref="accessDecisionManager"
        session-fixation-protection="newSession" auto-config="true" path-type="ant">
        <!-- The session-fixation-protection attribute protects against session fixation attacks -->
        <!-- The order of the access entries matters: the more specific URL patterns must be listed before the general ones. -->
        <intercept-url pattern="/acegiTest.do" access="ROLE_SUPERVISOR"/>
        <intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_REMEMBERED"/>
        <intercept-url pattern="/roleA/**.jsp" access="ROLE_A"/>
        <intercept-url pattern="/roleB/**.jsp" access="ROLE_B"/>
        <intercept-url pattern="/roleC/**.jsp" access="ROLE_C"/>
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <!--
        X.509 authentication
        <x509 />
        -->
        <!-- All of this is unnecessary if auto-config="true"
        <form-login />
        <anonymous />
        <http-basic />
        <logout />
        <remember-me />
        -->
        <form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?login_error=1"/>
        <anonymous key="cookie_key" username="ananoymous" granted-authority="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <logout invalidate-session="true"/>
        <!-- Concurrent session control -->
        <!-- exception-if-maximum-exceeded="true": the second login is rejected -->
        <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
    </http>
    <!-- Access decision manager -->
    <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
        <beans:property name="allowIfAllAbstainDecisions" value="true"/>
        <beans:property name="decisionVoters"><!-- list of voters -->
            <beans:list>
                <beans:bean class="org.springframework.security.vote.RoleVoter"/>
                <beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
            </beans:list>
        </beans:property>
    </beans:bean>
    <authentication-provider><!-- user-service-ref="userDetailsService" -->
        <!-- Users stored in memory -->
        <user-service>
            <user name="admin" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A, ROLE_B, ROLE_C, ROLE_SUPERVISOR"/>
            <user name="userab" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A, ROLE_B"/>
            <user name="usera" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A"/>
            <user name="userb" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_B"/>
        </user-service>
        <!-- Passwords are MD5 hashed -->
        <password-encoder hash="md5"/>
        <!--
        <jdbc-user-service data-source-ref="f3CenterDS"
            users-by-username-query="select name as 'username',password,'true' as 'enabled' from users where name = ?"
            authorities-by-username-query="select name as 'username',authorities as 'authority' from authentication where name = ?"
        />
        -->
    </authentication-provider>
    <!-- Authentication against users stored in the database -->
    <!--
    <beans:bean id="userDetailsService"
        class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
        <beans:property name="dataSource" ref="f3CenterDS"/>
        <beans:property name="usersByUsernameQuery">
            <beans:value>
                select name as 'username',password,'true' as 'enabled' from users where name = ?
            </beans:value>
        </beans:property>
        <beans:property name="authoritiesByUsernameQuery">
            <beans:value>
                select name as 'username',authorities as 'authority' from authentication where name = ?
            </beans:value>
        </beans:property>
    </beans:bean>
    -->
</beans:beans>
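The accessDecisionManager bean above is an AffirmativeBased manager with allowIfAllAbstainDecisions="true": a single granting vote is enough, and a request that no voter recognizes is allowed rather than refused. The following added example, which is not part of the original post, wires the same two voters by hand against the Spring Security 2.0 API and replays the votes for the in-memory user usera; the attribute "SUPERVISOR" (without the ROLE_ prefix) is a constructed mistyped role, and the user name and roles come from the configuration above.

```java
import java.util.Arrays;
import org.springframework.security.AccessDeniedException;
import org.springframework.security.Authentication;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.vote.AffirmativeBased;
import org.springframework.security.vote.AuthenticatedVoter;
import org.springframework.security.vote.RoleVoter;

/** Added example: replays the accessDecisionManager bean's voting outside the container. */
public class AccessDecisionCheck {
    // Same wiring as <beans:bean id="accessDecisionManager"> in spring-security-ns.xml
    static AffirmativeBased buildManager(boolean allowIfAllAbstain) {
        AffirmativeBased manager = new AffirmativeBased();
        manager.setDecisionVoters(Arrays.asList(new Object[] { new RoleVoter(), new AuthenticatedVoter() }));
        manager.setAllowIfAllAbstainDecisions(allowIfAllAbstain);
        return manager;
    }

    // Stands in for the in-memory user "usera" (authorities="ROLE_A"); the credential is irrelevant here
    static Authentication userA() {
        return new UsernamePasswordAuthenticationToken("usera", "n/a",
                new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_A") });
    }

    // Evaluates one access="..." attribute and reports the decision as a string instead of an exception
    static String decide(AffirmativeBased manager, Authentication auth, String accessAttribute) {
        try {
            manager.decide(auth, null, new ConfigAttributeDefinition(accessAttribute));
            return "GRANTED";
        } catch (AccessDeniedException e) {
            return "DENIED";
        }
    }

    public static void main(String[] args) {
        AffirmativeBased asConfigured = buildManager(true);
        // RoleVoter supports attributes with the ROLE_ prefix and usera holds ROLE_A, so it votes to grant
        System.out.println("ROLE_A          -> " + decide(asConfigured, userA(), "ROLE_A"));
        // RoleVoter supports this attribute too, but usera lacks it, so it votes to deny
        System.out.println("ROLE_SUPERVISOR -> " + decide(asConfigured, userA(), "ROLE_SUPERVISOR"));
        // Constructed typo: no ROLE_ prefix and not an IS_AUTHENTICATED_* token, so both voters abstain
        // and the allowIfAllAbstainDecisions setting alone decides the outcome
        System.out.println("SUPERVISOR      -> " + decide(asConfigured, userA(), "SUPERVISOR"));
        // Same typo with allowIfAllAbstainDecisions=false, the fail-closed setting
        System.out.println("SUPERVISOR (fail closed) -> " + decide(buildManager(false), userA(), "SUPERVISOR"));
    }
}
```

Compile and run it against the Spring Security 2.0 jars from the attachment; the last two lines show why a role name mistyped in an intercept-url silently opens the URL under the configuration above and is refused only when allowIfAllAbstainDecisions is false.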
6. Create the related JSP pages and actions; see the attachment.
If you are interested, download the attachment and run it!
The attachment also contains the Spring Security jars.