Permission Management Framework: Spring Security Concepts and Quick-Start Steps, with Code Explained

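Spring Security concepts

  1. Spring Security is a security management framework that provides the basic operations of authentication and authorization.

  2. Authentication: when a user accesses the system, the process by which the system checks whether the user's identity is legitimate is authentication. A common form of authentication: login authentication.

  3. Authorization: after the user is authenticated and accesses a system resource, the process of checking whether the user has permission to access that resource is the authorization access check, or authorization for short. The permission check process: 1. get the user's permissions; 2. know the permission required to access the resource; 3. look up the permission required by the resource in the user's permission list; if it is found, access is granted. Otherwise access is denied.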

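Note

Authentication and authorization are not concepts specific to Spring Security; they are general concepts.

Common permission management frameworks:

  1. Spring Security
  2. Apache Shiro
  3. Writing your own code to encapsulate the authentication and authorization operations.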

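Spring Security (2): Quick start

Steps:

  1. Create a web project
  2. Add dependencies
  3. Configure web.xml
  4. Configure spring-security.xml
  5. Prepare the pages

Implementation

  1. Create a web project

  2. Add dependencies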

    <?xml version="1.0" encoding="UTF-8"?>
    
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">  
      <modelVersion>4.0.0</modelVersion>  
      <groupId>cn.itcast</groupId>  
      <artifactId>spring_security_demo</artifactId>  
      <version>1.0-SNAPSHOT</version>
      <packaging>war</packaging>
      <properties>
        <spring.version>5.0.2.RELEASE</spring.version>
        <spring.security.version>5.0.1.RELEASE</spring.security.version>
      </properties>
      <dependencies>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-core</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-web</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-webmvc</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-context-support</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-test</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-jdbc</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-web</artifactId>
          <version>${spring.security.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-config</artifactId>
          <version>${spring.security.version}</version>
        </dependency>
        <dependency>
          <groupId>javax.servlet</groupId>
          <artifactId>javax.servlet-api</artifactId>
          <version>3.1.0</version>
          <scope>provided</scope>
        </dependency>
      </dependencies>
    
    </project>
    
  3. Configure web.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns="http://java.sun.com/xml/ns/javaee"
           xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
           version="2.5">
    
       <context-param>
          <param-name>contextConfigLocation</param-name>
          <param-value>classpath:spring-security.xml</param-value>
       </context-param>
       <listener>
          <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
       </listener>
    
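       <!--The delegating filter proxy provided by Spring Security intercepts requests and hands their processing (authentication and authorization) to the Spring Security framework.-->
       <!--Note: the filter-name cannot be chosen freely; the container is searched for the object with this name.-->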
       <filter>
          <filter-name>springSecurityFilterChain</filter-name>
          <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
       </filter>
       <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
       </filter-mapping>
    </web-app>
    
  4. Configure spring-security.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    
        <!--1. First specify the resources that are let through without security checks-->
        <security:http pattern="/login.html" security="none"/>
        <security:http pattern="/failer.html" security="none"/>
        <security:http pattern="/favicon.ico" security="none"/>
    
        <!--2. Configure the resources Spring Security intercepts, the login form, the logout form, the page shown on login failure, and so on.-->
        <security:http auto-config="true" use-expressions="false">
            <!--2.1 Specify the intercepted resources and require that users accessing them have the ROLE_PRIMARY authority.-->
            <security:intercept-url pattern="/**" access="ROLE_PRIMARY"/>
    
            <!--2.2 Configure the custom login page-->
            <security:form-login login-page="/login.html"
                                 login-processing-url="/login"
                                 username-parameter="username"
                                 password-parameter="password"
                                 default-target-url="/success.html"
                                 authentication-failure-url="/failer.html"
            />
    
            <!--2.3 Configure logout-->
            <security:logout
                    logout-url="/logout"
                    logout-success-url="/login.html"
                    invalidate-session="true"
            />
    
            <!--2.4 Disable CSRF (cross-site request forgery) protection-->
            <security:csrf disabled="true"/>
    
        </security:http>
    
        <!--3. Authentication manager: configures the valid username and password, which are hard-coded here.-->
        <security:authentication-manager>
            <security:authentication-provider>
                <security:user-service>
                    <security:user name="zhangsan" password="{noop}666" authorities="ROLE_PRIMARY"/>
                </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager>
    </beans>
    
  5. Prepare the pages

    The pages are as follows:

    index.html
    <body>
        index...
    </body>
    
    login.html
    <body>
    <form action="/login" method="post">
        用户<input type="text" name="username"><br>
        密码<input type="password" name="password"><br>
        <input type="submit" value="登陆"><br>
    </form>
    </body>
    
    success.html
    <body>
    success...   <a href="/logout">退出</a>
    </body>
    
    failer.html
    <body>
    登录失败!
    </body>
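
The quick start above turns CSRF protection off, stores the password as `{noop}` plaintext, and takes the login page out of the filter chain with `security="none"`; the variant of spring-security.xml below, an added example rather than the original post's configuration, tightens those three settings. Assumptions: `login.jsp` is a hypothetical server-rendered replacement for login.html, and `REPLACE_WITH_BCRYPT_HASH` is a placeholder for a real BCrypt hash.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Pages without a form need no CSRF token and can still bypass the chain. -->
    <security:http pattern="/failer.html" security="none"/>
    <security:http pattern="/favicon.ico" security="none"/>

    <security:http auto-config="true" use-expressions="false">
        <!-- login.jsp (hypothetical page) stays inside the filter chain so that
             CsrfFilter runs and exposes the token as request attribute "_csrf".
             With security="none" no filter runs and the form would have no token. -->
        <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <!-- Rules are matched top-down, so the catch-all rule comes last. -->
        <security:intercept-url pattern="/**" access="ROLE_PRIMARY"/>

        <security:form-login login-page="/login.jsp"
                             login-processing-url="/login"
                             username-parameter="username"
                             password-parameter="password"
                             default-target-url="/success.html"
                             authentication-failure-url="/failer.html"/>

        <!-- With CSRF protection on, /logout is only processed for POST requests
             that carry the token; a plain GET link no longer logs the user out. -->
        <security:logout logout-url="/logout"
                         logout-success-url="/login.jsp"
                         invalidate-session="true"/>

        <!-- No security:csrf element with disabled="true": protection is on by default. -->
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <!-- Placeholder value: substitute a real BCrypt hash of the password. -->
                <security:user name="zhangsan"
                               password="{bcrypt}REPLACE_WITH_BCRYPT_HASH"
                               authorities="ROLE_PRIMARY"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```

The form in `login.jsp` then carries the token as `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`, and the logout link becomes a POST form with the same field on a server-rendered page.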
    

Reposted from blog.csdn.net/weixin_44594056/article/details/88653535