本文只包涵spring security配置部分,不是一个完整项目,不过可以任意添加到一个web项目中,不需要对原来的程序做任何修改

部分内容来源于网络,如有雷同,毫无意外

1、xml配置文件

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"

    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xmlns:context="http://www.springframework.org/schema/context"

    xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

http://www.springframework.org/schema/security

http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <global-method-security pre-post-annotations="enabled">

    </global-method-security>

    <!-- 不拦截的路径 -->

    <http pattern="/registerPage" security="none" />

    <http pattern="/mainPage" security="none"></http>

    <http pattern="/item/itemid**" security="none"></http>

    <http pattern="/css/**" security="none" />

    <http pattern="/font/**" security="none" />

    <http pattern="/images/**" security="none" />

    <http pattern="/js/**" security="none" />

    <http auto-config="true">

        <!-- 登录配置 -->

        <form-login login-page="/loginPage"

            authentication-failure-url="/login/failure"

            login-processing-url="/login"

            authentication-success-handler-ref="mySuccessHandler"

            username-parameter="username"

            password-parameter="password" />

        <!-- 用户登出 -->

        <logout invalidate-session="true" logout-success-url="/loginPage"

            logout-url="/logout" />

        <!-- 拦截页面 -->

        <intercept-url pattern="/item/**" access="ROLE_USER" />

        <intercept-url pattern="/admin/**" access="ROLE_USER" />

    </http>

    <!-- 登录成功的处理方法 -->

    <beans:bean id="mySuccessHandler" class="security.LoginSuccessHandle" ></beans:bean>

    <!-- 获取UserDettail的bean -->

    <beans:bean id="UserDetailService" class="security.MyUserDetailService"></beans:bean>

    <!-- 在这里也是一个大坑,查询网上的文章,这里都是引用的实现了UserDetailsService的类 -->

    <beans:bean id="UserService" class="security.SecurityProvider"></beans:bean>

    <authentication-manager>

        <authentication-provider ref="UserService">

        </authentication-provider>

    </authentication-manager>

</beans:beans>

2、用户权限信息类

省略相关数据库代码以及dao层代码

package po;

public class UserRole {

    private String username;

    private String password;

    private String role;

    public UserRole(String username, String password, String role) {

        super();

        this.username = username;

        this.password = password;

        this.role = role;

    }

    public String getUsername() {

        return username;

    }

    public void setUsername(String username) {

        this.username = username;

    }

    public String getPassword() {

        return password;

    }

    public void setPassword(String password) {

        this.password = password;

    }

    public String getRole() {

        return role;

    }

    public void setRole(String role) {

        this.role = role;

    }

}

3、MyUserDetail类,实现UserDetail接口,包含用户信息和用户权限类型

package security;

import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;

import org.springframework.security.core.userdetails.UserDetails;

import po.UserRole;

public class MyUserDetail implements UserDetails {

    /**

     *

     */

    private static final long serialVersionUID = -5619502406659516775L;

    private UserRole myUser;

    private Collection<? extends GrantedAuthority> authorities;

    public MyUserDetail(UserRole user,Collection<? extends GrantedAuthority> authorities) {

        this.myUser = user;

        this.authorities = authorities;

    }

    public Collection<? extends GrantedAuthority> getAuthorities() {

        return authorities;

    }

    public UserRole getMyUser() {

        return myUser;

    }

    public String getPassword() {

        return myUser.getPassword();

    }

    public String getUsername() {

        return myUser.getUsername();

    }

    public boolean isAccountNonExpired() {

        return false;

    }

    public boolean isAccountNonLocked() {

        return false;

    }

    public boolean isCredentialsNonExpired() {

        return false;

    }

    public boolean isEnabled() {

        return false;

    }

}

4、MyUserDetailService类,实现UserDetailsService接口,用来获取一个UserDetail对象

package security;

import java.util.ArrayList;

import java.util.Collection;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.security.core.GrantedAuthority;

import org.springframework.security.core.authority.SimpleGrantedAuthority;

import org.springframework.security.core.userdetails.UserDetails;

import org.springframework.security.core.userdetails.UserDetailsService;

import org.springframework.security.core.userdetails.UsernameNotFoundException;

import org.springframework.stereotype.Service;

import mapper.UserRoleMapper;

import po.UserRole;

@Service

public class MyUserDetailService implements UserDetailsService  {

    @Autowired

    UserRoleMapper userdao;

    public UserDetails loadUserByUsername(String username)

            throws UsernameNotFoundException {

        UserRole user =userdao.getUserByName(username);

        if(user==null)

        {

            throw new  UsernameNotFoundException("找不到该用户");

        }

//        Collection<GrantedAuthority> grantedAuthorities = new ArrayList<>();

//        SimpleGrantedAuthority grantedAuthority = new SimpleGrantedAuthority(role);

//        grantedAuthorities.add(grantedAuthority);

        return new MyUserDetail(user, getAuthorities(user.getRole()));

    }

    private Collection<GrantedAuthority> getAuthorities(String role) {

        Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();

        SimpleGrantedAuthority grantedAuthority = new SimpleGrantedAuthority(role);

        grantedAuthorities.add(grantedAuthority);

        return grantedAuthorities;

    }

}

5、SecurityProvider类,实现了AuthenticationProvider,返回一个UsernamePasswordAuthenticationToken

package security;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.security.authentication.AuthenticationProvider;

import org.springframework.security.authentication.BadCredentialsException;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;

import org.springframework.security.core.Authentication;

import org.springframework.security.core.AuthenticationException;

import org.springframework.security.core.userdetails.UserDetails;

import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class SecurityProvider implements AuthenticationProvider {

    @Autowired

    private MyUserDetailService userDetailsService;

    public Authentication authenticate(Authentication authentication)

            throws AuthenticationException {

        UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication;

        UserDetails userDetails = userDetailsService.loadUserByUsername(token.getName());

        if (userDetails == null) {

            throw new UsernameNotFoundException("找不到该用户");

        }

        if(!userDetails.getPassword().equals(token.getCredentials().toString()))

        {

              throw new BadCredentialsException("用户密码错误");

        }

        return new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword(),userDetails.getAuthorities());

    }

    public boolean supports(Class<?> authentication) {

        return UsernamePasswordAuthenticationToken.class.equals(authentication);

    }

}

6、登录成功后自定义处理过程

spring security可以在配置文件中设置登录成功后的跳转页面,或者是直接返回认证前想要访问的页面,但是因为有时候用户是使用ajax请求登录,所以需要自定义一些操作,我是在登录成功后跳转到控制层url,

在url中携带需要跳转的参数,然后在控制层中将url参数返回到ajax,再由前端重新请求控制层跳转

package security;

import java.io.IOException;

import javax.servlet.ServletException;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.InitializingBean;

import org.springframework.security.core.Authentication;

import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

import org.springframework.security.web.savedrequest.RequestCache;

import org.springframework.security.web.savedrequest.SavedRequest;

public class LoginSuccessHandle implements AuthenticationSuccessHandler, InitializingBean {

    private RequestCache requestCache = new HttpSessionRequestCache();

    @Override

    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authen)

            throws IOException, ServletException {

        SavedRequest savedRequest = requestCache.getRequest(request, response);

        // 默认认证后跳转路径

        String targetUrl = "/mainPage";

        // 如果登录前有请求为拦截页面,则验证后跳转到该页面

        if (savedRequest != null) {

            targetUrl = savedRequest.getRedirectUrl();

        }

        // 跳转到认证成功处理控制器

        response.sendRedirect("/loginSuccess?url=" + targetUrl);

    }

    @Override

    public void afterPropertiesSet() throws Exception {

    }

}

spring security的简单应用的更多相关文章

  1. spring security实现简单的url权限拦截

    在一个系统中,权限的拦截是很常见的事情,通常情况下我们都是基于url进行拦截.那么在spring security中应该怎么配置呢. 大致步骤如下: 1.用户登录成功后我们需要拿到用户所拥有的权限,并 ...

  2. Spring Security:简单的保护一个SpringBoot应用程序(总结)

    Spring Security 在 Java类中的配置 在 Spring Security 中使用 Java配置,可以轻松配置 Spring Security 而无需使用 XML . 在Spring ...

  3. Spring Security之简单举例

    核心功能 Spring Security提供了三个核心的功能: 认证(你是谁) 授权(你能干什么) 攻击防护(防止伪造身份) 一个简单例子 默认情况 在前面的开发中,都是将spring securit ...

  4. Spring Boot 2.0 利用 Spring Security 实现简单的OAuth2.0认证方式1

    0. 前言 之前帐号认证用过自己写的进行匹配,现在要学会使用标准了.准备了解和使用这个OAuth2.0协议. 1. 配置 1.1 配置pom.xml 有些可能会用不到,我把我项目中用到的所有包都贴出来 ...

  5. Spring Boot 2.0 利用 Spring Security 实现简单的OAuth2.0认证方式2

    0.前言 经过前面一小节已经基本配置好了基于SpringBoot+SpringSecurity+OAuth2.0的环境.这一小节主要对一些写固定InMemory的User和Client进行扩展.实现动 ...

  6. spring security简单教程以及实现完全前后端分离

    spring security是spring家族的一个安全框架,入门简单.对比shiro,它自带登录页面,自动完成登录操作.权限过滤时支持http方法过滤. 在新手入门使用时,只需要简单的配置,即可实 ...

  7. Spring Security OAuth2 SSO

    通常公司肯定不止一个系统,每个系统都需要进行认证和权限控制,不可能每个每个系统都自己去写,这个时候需要把登录单独提出来 登录和授权是统一的 业务系统该怎么写还怎么写 最近学习了一下Spring Sec ...

  8. 【Spring】12、Spring Security 四种使用方式

    spring security使用分类: 如何使用spring security,相信百度过的都知道,总共有四种用法,从简到深为:1.不用数据库,全部数据写在配置文件,这个也是官方文档里面的demo: ...

  9. Spring Security 源码解析(一)

    上篇 Spring Security基本配置已讲述了Spring Security最简单的配置,本篇将开始分析其基本原理 在上篇中可以看到,在访问 http://localhost:18081/use ...

随机推荐

  1. MapReduce、Hadoop、PostgreSQL、Spark

    分布式数据库 操作指令 如何实现云计算?注:GIS数据集 谷歌集群系统主要包括三个部分:分布式文件系统GFS,分布式并行计算模型map/reduce,以及分布式数据库Bigtable hadoop是g ...

  2. (最优m个候选人 和他们的编号)Jury Compromise (POJ 1015) 难

    http://poj.org/problem?id=1015   Description In Frobnia, a far-away country, the verdicts in court t ...

  3. 如何更改linux文件的拥有者及用户组(chown和chgrp)

    http://blog.csdn.net/hudashi/article/details/7797393 一.基本知识   在Linux中,创建一个文件时,该文件的拥有者都是创建该文件的用户.该文件用 ...

  4. Alpha冲刺 - (10/10)

    Part.1 开篇 队名:彳艮彳亍团队 组长博客:戳我进入 作业博客:班级博客本次作业的链接 Part.2 成员汇报 组员1(组长)柯奇豪 过去两天完成了哪些任务 本人负责的模块(共享编辑)的前端代码 ...

  5. Android listview 侧滑 SwipeListView 详解 实现微信,QQ等滑动删除效果

    转载请标明出处:http://blog.csdn.net/lmj623565791/article/details/28508769 今天看别人项目,看到别人使用了SwipeListView,Goog ...

  6. 动态规划--求最大连续子数组的和(Python实现)&求解最大连续乘积字串(Python实现)

    def MaxSum(self,array,n): sum=array[0] result=array[0] for i in range(0,n): if sum<0: sum=a[i] el ...

  7. Linux下替代grep高效文本搜索工具

    1.ack yum install ack 2.ag git clone https://github.com/ggreer/the_silver_searcher.git yum install a ...

  8. 使用JAVA API 解析ORC File

    使用JAVA API 解析ORC File orc File 的解析过程中,使用FileInputFormat的getSplits(conf, 1)函数, 然后使用 RecordReaderreade ...

  9. 一步步改造wcf,数据加密传输-匿名客户端加密传输(2)

    1         引言 前面的例子中, encodedValue这一串代码是自动生成的,所以在生产环境中,你需要安装一个VS201X,把代码放上去,然后刷新引用!!!就可以了,这么做的话,你可能是只 ...

  10. java多线程面试题整理及答案(2018年)

    1) 什么是线程? 线程是操作系统能够进行运算调度的最小单位,它被包含在进程之中,是进程中的实际运作单位.程序员可以通过它进行多处理器编程,你可以使用多线程对 运算密集型任务提速.比如,如果一个线程完 ...