（一）如何使用Spring-security来实现登录验证功能（XML配置方式）？

版权声明：本文为博主原创文章，未经博主允许不得转载。 https://blog.csdn.net/qq_36520235/article/details/81812839

先从使用xml的方式来实现用户的权限登录

（1）需要在maven工程中加上关于spring-secutity的jar包的依赖

//spring-securityd 有关的依赖
    <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
        </dependency>

（2）创建一个spirng-security的配置文件

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- 设置页面不登陆也可以访问进行访问所有的静态资源。这里可以自行配置 -->
    <http pattern="/*.html" security="none"></http>
    <http pattern="/css/**" security="none"></http>
    <http pattern="/img/**" security="none"></http>
    <http pattern="/js/**" security="none"></http>
    <http pattern="/plugins/**" security="none"></http>

    <!-- 页面的拦截规则    use-expressions:是否启动SPEL表达式 默认是true -->
    <http use-expressions="false" >
        <!-- 当前用户必须有ROLE_USER的角色 才可以访问根目录及所属子目录的资源 -->
        <intercept-url pattern="/**" access="ROLE_ADMIN"/>
        <!-- 开启表单登陆功能 -->
        <form-login  login-page="/login.html" default-target-url="/admin/index.html" authentication-failure-url="/login.html" always-use-default-target="true"/>
        <csrf disabled="true"/>
        <headers>
            <frame-options policy="SAMEORIGIN"/>
        </headers>
        <logout/>
    </http>


    <!-- 认证管理器 -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
            //这个是你配置的可以登录的用户，authorities的值必须是ROLE_XXX的命名方式
                <user name="admin" password="123456" authorities="ROLE_ADMIN"/>
                <user name="sunwukong" password="dasheng" authorities="ROLE_ADMIN"/>
                <user name="wangwei" password="123456" authorities="ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>  
    </authentication-manager>

</beans:beans>

（3）还需要在web.xml文件中进行配置一个springSecurityFilterChain的过滤链

    //这里是把（2）步骤中添加的文件进行引用
     <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring/spring-security.xml</param-value>
     </context-param>
     <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
     </listener>
    <!-- 这个是配置的spring-security过滤链 -->
     <filter>  
        <filter-name>springSecurityFilterChain</filter-name>  
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  
     </filter>  
     <filter-mapping>  
        <filter-name>springSecurityFilterChain</filter-name>  
        <url-pattern>/*</url-pattern>  
     </filter-mapping>