SpringSecurity入门例子及遇到的问题解决

最近学习《Spring 实战》学习到了SpringSecurity，觉得书本上的例子过于复杂，而且不喜欢它基于java配置，更喜欢用xml文件进行配置

于是在极客学院网上学习，感觉挺不错的，由浅入深，推荐，附上网址：http://wiki.jikexueyuan.com/project/spring-security/first-experience.html

我的例子是看上面了，自己在进行了简单的配置。

我的项目是基于maven的，所以添加依赖成为了关键

spring security需要spring-security-config,spring-security-web即可，肯能是例子过于简单，并没有用到spring security的另外两个常用jar包spring-security-taglibs和spring-security-core

另外，还需要加入commons-logging，这是spring需要的jar包，否则将会报错：错误如下

 At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.

 

具体的pom.xml文件如下：

 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <groupId>SpringSecurity</groupId>
   <artifactId>SpringSecurity</artifactId>
   <packaging>war</packaging>
   <version>1.0-SNAPSHOT</version>
   <name>SpringSecurity Maven Webapp</name>
   <url>http://maven.apache.org</url>

   <!--classpath-->
   <build>
     <resources>
       <resource>
         <directory>src/main/java</directory>
       </resource>
       <resource>
         <directory>src/main/resources</directory>
         <includes>
           <include>**/*.xml</include>
           <include>**/*.properties</include>
         </includes>
       </resource>
     </resources>
   </build>

   <dependencies>

     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-web</artifactId>
       <version>3.1.0.RELEASE</version>
     </dependency>

     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-config</artifactId>
       <version>3.1.0.RELEASE</version>
     </dependency>

     <dependency>
       <groupId>commons-logging</groupId>
       <artifactId>commons-logging</artifactId>
       <version>1.1.1</version>
     </dependency>

     <dependency>
       <groupId>javax.servlet</groupId>
       <artifactId>servlet-api</artifactId>
       <version>2.5</version>
     </dependency>

     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
       <version>4.12</version>
       <scope>test</scope>
     </dependency>

   </dependencies>

 </project>

　　

更重要的还有spring security的配置文件和web.xml

先讲web.xml

spring配置文件需要加载spring security的配置文件，一般是在web.xml中指定它为spring的初始配置文件，通过<context-param/>元素

还需要定义filter用来拦截需要给spring security处理的请求，注意，该filter一定要定义在其他拦截器之前

<listener>用来加载spring的配置文件

完整的web.xml代码如下：

 <?xml version="1.0" encoding="UTF-8"?>
 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="http://xmlns.jcp.org/xml/ns/javaee"
          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
          id="WebApp_ID" version="3.1">
     <context-param>
         <param-name>contextConfigLocation</param-name>
         <param-value>classpath:spring-security.xml</param-value>
     </context-param>

     <filter>
         <filter-name>springSecurityFilterChain</filter-name>
         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>springSecurityFilterChain</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>

     <listener>
         <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
     </listener>
 </web-app>

在讲一下spring-security.xml配置文件
spring-security配置文件需要配置两样东西
1)配置权限控制的规则
里面的元素简介
security：是用命名空间的一个前缀
intercept-ref:定义权限控制的柜子
pattern：表示对哪些url进行权限控制
access：表示在请求对应url时需要什么权限
role前缀：提示spring是用基于角色的检查的标记
2)配置认证
user-service用于获取用户信息
里面配置一些登陆的用户密码和用户名

具体的spring-security配置文件如下

 <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:security="http://www.springframework.org/schema/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">
     <security:http auto-config="true">
         <security:intercept-url pattern="/**" access="ROLE_USER"/>
     </security:http>

     <security:authentication-manager>
         <security:authentication-provider>
             <security:user-service>
                 <security:user name="user" password="user" authorities="ROLE_USER"/>
                 <security:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN"/>
             </security:user-service>
         </security:authentication-provider>
     </security:authentication-manager>

 </beans>

当指定 http 元素的 auto-config=”true” 时，就相当于如下内容的简写:

  <security:http>
       <security:form-login/>
       <security:http-basic/>
       <security:logout/>
    </security:http>

<security:form-login/>的优先级高于<security:http-basic/>，所以两者都存在时会采用<security:form-login/>

<security:http-basic/>是弹窗效果的表单验证