I have long known Spring Security by reputation but never had the chance to use it in practice. I recently decided to study it systematically and to record my notes on this blog to share with fellow readers!
Preparation:
1. The Spring Security source code and samples can be downloaded from:
https://github.com/spring-projects/spring-security/tree/master/samples
2. Download STS from the Spring website
3. Versions used while learning -- Spring: 4.0.0.RELEASE, Spring Security: 3.2.0.RELEASE
History:
Originally named "The Acegi Security System for Spring", the project started in 2006. After gaining wide acceptance and adoption it was renamed Spring Security and became one of the Spring projects.
Use cases:
Authentication and authorization in Java application security, particularly for Java applications built on the Spring framework.
Basic principles:
Spring DI and AOP -- Spring Security makes heavy use of AOP so that it does not interfere with business logic, and it is deeply integrated with the Spring core framework.
javax.servlet.FilterChain -- Spring Security is currently used mainly in web applications, where it intercepts HTTP requests through a servlet Filter to perform security checks.
HTTP form authentication:
Spring Security has built-in support for HTTP form authentication. Using the Security namespace, a web application can be given HTTP form authentication with very little configuration. The basic steps are as follows:
1. web.xml configuration
First we need to declare a filter named springSecurityFilterChain in the web deployment descriptor for the Spring framework to use. This name must not be changed arbitrarily, because DelegatingFilterProxy looks up a Spring bean with exactly this name and will not find it otherwise.
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
2. Spring bean configuration
The Spring Security bean configuration has two parts: access rules for resources and user definitions. Explanation of some of the tags:
http tag: creates the FilterChainProxy and the beans it will use.
auto-config="true": shorthand for the following configuration
    <http>
        <form-login/>
        <http-basic/>
        <logout/>
    </http>
intercept-url: defines the access rules for protected resources
pattern: specifies the protected resources; regular expressions can be used
access: defines who may access the resource. There are several ways to express this; the example uses roles, and role names must start with the ROLE_ prefix.
user: defines a user name, password and the roles the user holds; the password can be stored as an MD5 hash.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <security:http auto-config="true">
        <security:intercept-url pattern="/hello" access="ROLE_ADMIN" />
        <security:intercept-url pattern="/**" access="ROLE_USER" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user authorities="ROLE_USER" name="stevex" password="stevex" />
                <security:user authorities="ROLE_USER, ROLE_ADMIN" name="admin" password="admin" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

</beans>
Practice:
There are many specialised security concepts that take time to absorb, so let us first build a working example to get an intuitive feel for it. The steps are:
1. New --> Spring Project --> choose the "Spring MVC Project" template --> Finish
2. Edit pom.xml: change the Spring version to 4.0.0.RELEASE and add the Spring Security dependencies
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>3.2.0.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>3.2.0.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>3.2.0.RELEASE</version>
    </dependency>
3. Edit web.xml: add the springSecurityFilterChain filter
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/root-context.xml /WEB-INF/spring/app-security.xml</param-value>
    </context-param>

    <!-- Creates the Spring Container shared by all Servlets and Filters -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
4. Add app-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <security:http auto-config="true">
        <security:intercept-url pattern="/hello" access="ROLE_ADMIN" />
        <security:intercept-url pattern="/**" access="ROLE_USER" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user authorities="ROLE_USER" name="stevex" password="stevex" />
                <security:user authorities="ROLE_USER, ROLE_ADMIN" name="admin" password="admin" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

</beans>
5. Edit HomeController.java: add a hello method
import java.text.DateFormat;
import java.util.Date;
import java.util.Locale;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

/**
 * Handles requests for the application home page.
 */
@Controller
public class HomeController {

    private static final Logger logger = LoggerFactory.getLogger(HomeController.class);

    /**
     * Simply selects the home view to render by returning its name.
     */
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String home(Locale locale, Model model) {
        logger.info("Welcome home! The client locale is {}.", locale);

        Date date = new Date();
        DateFormat dateFormat = DateFormat.getDateTimeInstance(DateFormat.LONG, DateFormat.LONG, locale);
        String formattedDate = dateFormat.format(date);

        model.addAttribute("serverTime", formattedDate);

        return "home";
    }

    // produces="text/plain" is required; without it the response text is garbled.
    // /hello is the resource that app-security.xml restricts to ROLE_ADMIN.
    @RequestMapping(value = "/hello", method = RequestMethod.GET, produces = "text/plain")
    @ResponseBody
    public String hello() {
        logger.info("request coming!");
        return "Hello Stevex, you are so hard!";
    }
}
6. Run the application and test it
Done!
Attachment: http://down.51cto.com/data/2364050
This article is reposted from sarchitect's 51CTO blog; original link: http://blog.51cto.com/stevex/1357939. To repost it, please contact the original author.
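As an added example (not code from the original post), here is the Java-configuration equivalent of the web.xml filter registration and app-security.xml above, using the Java config that Spring Security 3.2 introduced; SecurityConfig and SecurityWebInitializer are assumed class names, and the initializer requires a Servlet 3.0 container. It shows the same two users and two rules, where the ROLE_ prefix comes from in roles()/hasRole(), and why the specific /hello rule must precede the /** catch-all.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Assumed class name. Equivalent of the <security:http> and
// <security:authentication-manager> blocks in app-security.xml.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Same two users as <security:user-service>. roles("USER") stores the
    // authority as ROLE_USER: the ROLE_ prefix is added for you here, so
    // it matches hasRole("USER") below and ROLE_USER in the XML.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("stevex").password("stevex").roles("USER")
            .and()
            .withUser("admin").password("admin").roles("USER", "ADMIN");
    }

    // Same rules as the two <security:intercept-url> entries. Rules are
    // evaluated top to bottom and the first match wins, so the specific
    // /hello rule must come before the /** catch-all; if the order were
    // reversed, /** would match /hello first and any ROLE_USER could reach it.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/hello").hasRole("ADMIN")
                .antMatchers("/**").hasRole("USER")
                .and()
            .formLogin()   // <form-login/>   (part of auto-config="true")
                .and()
            .httpBasic()   // <http-basic/>   (part of auto-config="true")
                .and()
            .logout();     // <logout/>       (part of auto-config="true")
    }
}

// Assumed class name. Registers the DelegatingFilterProxy under the name
// springSecurityFilterChain for /*, replacing the <filter> and
// <filter-mapping> block in web.xml.
class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {
}
```

The two classes belong in separate files in a real project; SecurityConfig must be loaded by the root context so that the filter can find the springSecurityFilterChain bean.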