Spring Security (一)

一、pom.xml

<!-- spring security -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>3.2.2.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>3.2.2.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>3.2.2.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
            <version>3.2.2.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-acl</artifactId>
            <version>3.2.2.RELEASE</version>
        </dependency>

pom.xml

二、web.xml

在原本spring的基础上添加

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring.xml,classpath:spring-hibernate.xml,classpath:spring-security.xml</param-value>
  </context-param>
<!-- SpringSecurity filter -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  

web.xml

classpath：maven项目中放在src/main/resources下

三、spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- 当指定一个http元素的security属性为none时，表示其对应pattern的filter链为空 -->
    <http security="none" pattern="/login.jsp"></http>
    <http auto-config="true">
        <form-login login-page="/login.jsp" default-target-url="/hello.jsp"
            login-processing-url="/login.do" authentication-failure-url="/error.jsp"/>
        <logout logout-success-url="/login.jsp" />
        <access-denied-handler error-page="/error.jsp"/>

        <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/error.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="ROLE_USER" />
    </http>

    <!-- 用于认证的AuthenticationManager -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetailsService" />
    </authentication-manager>

    <beans:bean id="userDetailsService" class="com.shi.core.service.UserDetailsServiceImpl"></beans:bean>

</beans:beans>

spring-security.xml

login-page:自定义登录页面是通过login-page属性来指定的。

login-processing-url：表示登录时提交的地址，默认是“/j-spring-security-check”。这个只是Spring Security用来标记登录页面使用的提交地址，真正关于登录这个请求是不需要用户自己处理的。

default-target-url:通过指定form-login元素的default-target-url属性，我们可以让用户在直接登录后跳转到指定的页面。如果想让用户不管是直接请求登录页面，还是通过Spring Security引导过来的，登录之后都跳转到指定的页面，我们可以通过指定form-login元素的always-use-default-target属性为true来达到这一效果。

authentication-failure-url:认证失败时跳转的页面

error-page：登录失败时跳转的页面

logout-success-url：登陆成功后默认跳转页面

跳过登陆验证可以配置access="IS_AUTHENTICATED_ANONYMOUSLY"来实现

四、UserDetailService.java

@Transactional(readOnly = true)
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserManager userManager;

    @Override
    public UserDetails loadUserByUsername(String username)throws UsernameNotFoundException {

        User user = userManager.findUserByLoginName(username);

        if (user == null) {
            throw new UsernameNotFoundException("用户" + username + " 不存在");
        }

        // 获得用户所有角色权限
        Set<SimpleGrantedAuthority> grantedAuths = obtainGrantedAuthorities(user);

        // 初始化登录用户信息
        OperatorDetails userDetails = new OperatorDetails(user.getName(), user.getPassword(),
                true, true, true, true,
                grantedAuths);

        return userDetails;
    }

    /**
     * 获得用户所有角色的权限.
     */
    private Set<SimpleGrantedAuthority> obtainGrantedAuthorities(User user) {
        Set<SimpleGrantedAuthority> authSet = new HashSet<SimpleGrantedAuthority>();
        for (Role role : user.getRoleList()) {
            authSet.add(new SimpleGrantedAuthority(role.getRole()));
        }
        return authSet;
    }

}

UserDetailsServiceImpl.java

SimpleGrantedAuthority中传String参数   例如ROLE_USER  ROLE_ADMIN