什么是Spring Security?
Spring Security是一个提供安全解决方案的框架,可在Web请求级别和方法级别上处理身份验证和授权。 Spring安全性通过两种方式处理安全性。 一种是安全的Web请求,另一种是在URL级别限制访问。 Spring Security使用Servlet过滤器。
在这篇文章中,我将创建一个处理登录身份验证和授权的简单Web应用程序。
下载项目: http : //www.mediafire.com/?bb9x88uxvkb0uuv或http://dl.dropbox.com/u/7215751/JavaCodeGeeks/SpringSecurityTutorialPart1/spring-security-login-example.rar
在创建项目之前,需要对mysql执行一些查询以创建一个新的数据库,表并添加一些示例数据。
创建表
CREATE DATABASE IF NOT EXISTS `spring-test`; -- create user CREATE USER 'user'@'localhost' IDENTIFIED BY 'test'; GRANT ALL ON spring-test.* TO 'user'@'localhost'; USE `spring-test`; CREATE TABLE USER_DETAILS ( USERNAME VARCHAR(10) NOT NULL, PASSWORD VARCHAR(32) NOT NULL, PRIMARY KEY (USERNAME) ); CREATE TABLE USER_AUTH ( USERNAME VARCHAR(10) NOT NULL, AUTHORITY VARCHAR(10) NOT NULL, FOREIGN KEY (USERNAME) REFERENCES USER_DETAILS(USERNAME) );测试数据
insert into USER_DETAILS values ('user','123'); insert into USER_DETAILS values ('admin','admin'); insert into USER_AUTH values ('user', 'ROLE_USER'); insert into USER_AUTH values ('admin', 'ROLE_ADMIN');之后,我使用maven创建一个Web项目,并将以下依赖项添加到pom.xml中
<properties><spring.version>3.0.5.RELEASE</spring.version>
</properties><dependencies> <dependency> <groupId>javax.validation</groupId> <artifactId>validation-api</artifactId> <version>1.0.0.GA</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-core</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-web</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-jdbc</artifactId> <version>${spring.version}</version> </dependency> <!-- Spring Security --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-taglibs</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-acl</artifactId> <version>${spring.version}</version> </dependency> <!-- jstl --> <dependency> <groupId>javax.servlet</groupId> <artifactId>jstl</artifactId> <version>1.2</version> </dependency> <!-- MySQL database driver --> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <version>5.1.9</version> </dependency> <dependency> <groupId>c3p0</groupId> <artifactId>c3p0</artifactId> <version>0.9.1</version> </dependency> </dependencies>之后,像这样更改web.xml
<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd' > <web-app> <display-name>spring-security-login</display-name> <servlet> <servlet-name>login</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>login</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/login-servlet.xml, /WEB-INF/login-security.xml, /WEB-INF/login-service.xml </param-value> </context-param> <!-- Spring Security --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <welcome-file-list> <welcome-file>login.jsp</welcome-file> </welcome-file-list> </web-app>现在,我需要创建login-servlet.xml,login-security.xml和login-service.xml弹簧配置文件。 在此示例中,我们将c3p0连接池与Mysql数据库一起使用。
这是login-servlet.xml文件
<?xml version='1.0' encoding='UTF-8'?> <beans xmlns='http://www.springframework.org/schema/beans' xmlns:context='http://www.springframework.org/schema/context' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation=' http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd'> <context:component-scan base-package='rd.controller'/> <bean id='internalResourceResolver' class='org.springframework.web.servlet.view.InternalResourceViewResolver'> <property name='prefix' value='/WEB-INF/views/'/> <property name='suffix' value='.jsp'/> </bean> <bean class='org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping'></bean> <bean class='org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter'/> <bean id='placeholderConfig' class='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer'> <property name='locations'> <list> <value>classpath:login.properties</value> </list> </property> </bean> </beans>这是login-security.xml
<?xml version='1.0' encoding='UTF-8'?> <beans:beans xmlns='http://www.springframework.org/schema/security' xmlns:beans='http://www.springframework.org/schema/beans' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd'> <beans:import resource='login-service.xml'/> <http> <intercept-url pattern='/home*' access='ROLE_USER,ROLE_ADMIN' /> <intercept-url pattern='/admin*' access='ROLE_ADMIN' /> <form-login login-page='/login.jsp' default-target-url='/home' authentication-failure-url='/login.jsp?error=true'/> <logout logout-success-url='/login.jsp' /> <anonymous username='guest' granted-authority='ROLE_GUEST'/> <remember-me/> </http> <authentication-manager> <authentication-provider> <!--<user-service>--> <!--<user name='admin' password='secret' authorities='ROLE_ADMIN,ROLE_USER' />--> <!--<user name='user1' password='1111' authorities='ROLE_USER' />--> <!--</user-service>--> <jdbc-user-service data-source-ref='dataSource' users-by-username-query='select username,password, 'true' as enabled from USER_DETAILS where username=?' authorities-by-username-query='select USER_DETAILS.username , USER_AUTH.AUTHORITY as authorities from USER_DETAILS,USER_AUTH where USER_DETAILS.username = ? AND USER_DETAILS.username=USER_AUTH.USERNAME '/> </authentication-provider> </authentication-manager> </beans:beans>这是login-service.xml
<beans xmlns='http://www.springframework.org/schema/beans' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd'> <bean id='dataSource' class='com.mchange.v2.c3p0.ComboPooledDataSource'> <!--Driver name to connect to the database--> <property name='driverClass'> <value>${login.jdbc.driver}</value> </property> <!--DB URL--> <property name='jdbcUrl'> <value>${login.url}</value> </property> <!--DB User used to connect to the schema--> <property name='user'> <value>${login.username}</value> </property> <!--Password required to access for the above user--> <property name='password'> <value>${login.password}</value> </property> <!-- configuration pool via c3p0--> <property name='acquireIncrement'> <value>${login.c3p0.acquireIncrement}</value> </property> <property name='idleConnectionTestPeriod'> <value>${login.c3p0.idleConnectionTestPeriod}</value> <!-- seconds --> </property> <property name='maxPoolSize'> <value>${login.c3p0.maxPoolSize}</value> </property> <property name='maxStatements'> <value>${login.c3p0.maxStatements}</value> </property> <property name='minPoolSize'> <value>${login.c3p0.minPoolSize}</value> </property> <property name='initialPoolSize'> <value>${login.c3p0.initialPoolSize}</value> </property> <property name='maxIdleTime'> <value>${login.c3p0.maxIdleTime}</value> </property> <property name='acquireRetryAttempts'> <value>${login.c3p0.acquireRetryAttempts}</value> </property> <property name='acquireRetryDelay'> <value>${login.c3p0.acquireRetryDelay}</value> </property> <property name='breakAfterAcquireFailure'> <value>${login.c3p0.breakAfterAcquireFailure}</value> </property> </bean> </beans>login.jsp页面如下所示。 (需要放置在webapp目录下。但不在WEB_INF目录下)
<%@ taglib prefix='c' uri='http://java.sun.com/jsp/jstl/core' %> <html> <head> <title>Login</title> </head> <body> <c:if test='${not empty param.error}'> <font color='red'> Login error. <br /> Reason : ${sessionScope['SPRING_SECURITY_LAST_EXCEPTION'].message} </font> </c:if> <form method='POST' action='<c:url value='/j_spring_security_check' />'> <table> <tr> <td align='right'>Username</td> <td><input type='text' name='j_username' /></td> </tr> <tr> <td align='right'>Password</td> <td><input type='password' name='j_password' /></td> </tr> <tr> <td colspan='2' align='right'> <input type='submit' value='Login' /> </td> </tr> </table> </form> </body> </html>home.jsp页面
<%@ taglib prefix='c' uri='http://java.sun.com/jsp/jstl/core' %> <%@ taglib prefix='sec' uri='http://www.springframework.org/security/tags' %> <html> <head> <title>Home</title> </head> <body> <a href=<c:url value='/j_spring_security_logout'/>>Logout</a><br/> <sec:authorize ifAnyGranted='ROLE_ADMIN'> <h1>Only admin can see this</h1><br/> <a href='admin'> Admin Home </a> </sec:authorize> <h1>Welcome</h1> </body> </html>admin-home.jsp页面
<%@ taglib prefix='c' uri='http://java.sun.com/jsp/jstl/core' %> <%@ page contentType='text/html;charset=UTF-8' language='java' %> <html> <head> <title>Admin</title> </head> <body> <a href=<c:url value='/j_spring_security_logout'/>>Logout</a><br/> <h1>Only Admin allowed here</h1> </body> </html>之后,您需要编写两个控制器来检索主页和admin-home页面。 这是HomeController.java
package rd.controller; import org.springframework.stereotype.Controller; import org.springframework.ui.Model; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; @Controller public class HomeController { @RequestMapping(value = '/home' , method = RequestMethod.GET) public String setUp(Model model){ return 'home'; } }这是AdminController.java
package rd.controller; import org.springframework.stereotype.Controller; import org.springframework.ui.Model; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; @Controller public class AdminController { @RequestMapping(value = '/admin' , method = RequestMethod.GET) public String setUp(Model model){ return 'admin-home'; } } 而已。 运行mvn clean install命令创建war文件。 将war文件复制到tomcat / webapps目录下,然后在您喜欢的浏览器中访问该Web应用程序。
网址:本地主机:<端口> /spring-login/login.jsp
测试案例1:尝试使用用户名123和密码登录。 您将获得用户主页。
测试案例2:尝试使用admin作为用户名admin作为密码登录。 您将获得带有可见管理页面链接的用户主页。
在Spring安全性第2部分中,我将修改此项目并添加“记住我”功能和md5密码加密功能。
在不久的将来,Ill会尝试发布有关CAS集成和LDAP集成的Spring安全性的有趣文章。 敬请关注 :)
参考: Spring Security第1部分–与我们的JCG合作伙伴 Rajith Delantha在带有Rajith…博客的Looping博客中的数据库简单登录应用程序 。
翻译自: https://www.javacodegeeks.com/2012/07/spring-security-part-1-simple-login.html
_迭代器、生成器、列表解析)
》)
)
