Spring整合SpringSecurity

SpringSecurity基础使用

SpringSecurity是一个安全框架，主要功能是认证和授权

从Spring入手SpringSecurity

1. Spring整合SpringSecurity

applicationContext.xml

<beans xmlns="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:context="http://www.springframework.org/schema/context"xmlns:mvc="http://www.springframework.org/schema/mvc"xsi:schemaLocation="http://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/contexthttp://www.springframework.org/schema/context/spring-context.xsdhttp://www.springframework.org/schema/mvchttp://www.springframework.org/schema/mvc/spring-mvc.xsd"><context:component-scan base-package="com.shaoby.service"></context:component-scan><import resource="spring-security.xml"/>
</beans>

spring-mvc.xml

<beans xmlns="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:context="http://www.springframework.org/schema/context"xmlns:mvc="http://www.springframework.org/schema/mvc"xsi:schemaLocation="http://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/contexthttp://www.springframework.org/schema/context/spring-context.xsdhttp://www.springframework.org/schema/mvchttp://www.springframework.org/schema/mvc/spring-mvc.xsd"><!-- 启用注解扫描 --><context:component-scan base-package="com.shaoby.controller" /><!-- 配置视图解析器 --><bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"><property name="prefix" value="/WEB-INF/views/" /><property name="suffix" value=".jsp" /></bean><!-- 启用Spring MVC的注解 --><mvc:annotation-driven /><!-- 定义控制器 -->
<!--    <bean name="/example" class="com.shaoby.controller.ExampleController" />--></beans>

spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"xmlns:beans="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spring-security.xsd"><http auto-config="true"><intercept-url pattern="/login.jsp" access="permitAll()"/><intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" /><form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/><remember-metoken-validity-seconds="60"remember-me-parameter="remember-me"/><access-denied-handler error-page="/error.jsp"/></http><authentication-manager><authentication-provider><user-service><user name="user" password="{noop}123" authorities="ROLE_USER" /></user-service></authentication-provider></authentication-manager></beans:beans>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaeehttp://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"version="4.0"><display-name>Archetype Created Web Application</display-name>
<!--  初始化web容器--><context-param><param-name>contextConfigLocation</param-name><param-value>classpath:applicationContext.xml</param-value></context-param><!--配置Spring的监听器，默认只加载WEB-INF目录下的applicationContext.xml配置文件--><listener><listener-class>org.springframework.web.context.ContextLoaderListener</listener-class></listener>
<!--乱码--><filter><filter-name>characterEncodingFilter</filter-name><filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class><init-param><param-name>encoding</param-name><param-value>UTF-8</param-value></init-param><init-param><param-name>forceEncoding</param-name><param-value>true</param-value></init-param></filter><filter-mapping><filter-name>characterEncodingFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
<!--security--><filter><filter-name>springSecurityFilterChain</filter-name><filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class></filter><filter-mapping><filter-name>springSecurityFilterChain</filter-name><url-pattern>/*</url-pattern></filter-mapping>
<!--前端控制器--><servlet><servlet-name>dispatcherServlet</servlet-name><servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class><init-param><param-name>contextConfigLocation</param-name><param-value>classpath:spring-mvc.xml</param-value></init-param><load-on-startup>1</load-on-startup></servlet><servlet-mapping><servlet-name>dispatcherServlet</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>

2. 认证操作

2.1 自定义登录页面

自定义登录页面只需要在security配置文件中指定登录页面即可

<beans:beans xmlns="http://www.springframework.org/schema/security"xmlns:beans="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spring-security.xsd"><http auto-config="true"><intercept-url pattern="/login.jsp" access="permitAll()"/><intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" /><!--指定登录页面或登录成功页面等，都在这个标签中可以指定--><form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/><!-- 错误页面--><access-denied-handler error-page="/error.jsp"/></http><authentication-manager><authentication-provider><user-service><user name="user" password="{noop}123" authorities="ROLE_USER" /></user-service></authentication-provider></authentication-manager>
</beans:beans>

2.2 关闭CSRF认证

使用csrf标签指定disabled = 'true’即可

<beans:beans xmlns="http://www.springframework.org/schema/security"xmlns:beans="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spring-security.xsd"><http auto-config="true"><intercept-url pattern="/login.jsp" access="permitAll()"/><intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" /><!--指定登录页面或登录成功页面等，都在这个标签中可以指定--><form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/><!-- 错误页面--><access-denied-handler error-page="/error.jsp"/><!--关闭CSRF认证--><csrf disabled="true"/></http><authentication-manager><authentication-provider><user-service><user name="user" password="{noop}123" authorities="ROLE_USER" /></user-service></authentication-provider></authentication-manager>
</beans:beans>

如果在JSP页面中也可以通过引入标签解决

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
-#引入
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
<html>
<head><title>登录</title>
</head>
<body>
<h1>登录页面</h1>
<form action="/login" method="post">账号：<input type="text" name="username"/> <br>密码：<input type="password" name="password"/> <br>-#使用标签<security:csrfInput/><input type="submit" value="登录">
</form>
</body>
</html>

2.3 持久层认证

认证一般是通过持久层查询进行认证的，这里暂时没有链接数据库，将数据写死。
ecurity实现持久层的认证只需要实现UserDetailsService,重写loadUserByUserName，返回一个UserDetails对象即可,这个UserDetails对象可以通过任何方式获得，一般是数据库根据登录用户名查询。
需要注意的是，如果密码没有采用加密方式，密码前必须拼接{noop}字符串。
将写好的实现类给Security指定

@Service
public class UserServiceImpl implements UserDetailsService {@Overridepublic UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {List<GrantedAuthority> list = new ArrayList<>();list.add(new SimpleGrantedAuthority("ROLE_USER"));UserDetails user = new User("admin", "{noop}123456", list);return user;}
}

<beans:beans xmlns="http://www.springframework.org/schema/security"xmlns:beans="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spring-security.xsd"><http auto-config="true"><intercept-url pattern="/login.jsp" access="permitAll()"/><intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" /><!--指定登录页面或登录成功页面等，都在这个标签中可以指定--><form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/><!-- 错误页面--><access-denied-handler error-page="/error.jsp"/><!--关闭CSRF认证--><csrf disabled="true"/></http><authentication-manager><!--指定认证的类--><authentication-provider user-service-ref="userServiceImpl"></authentication-provider></authentication-manager>
</beans:beans>

2.4 密码加密

密码加密的方式有很多，比如MD5、MD4、BCryptPasswordEncoder等
如果使用加密的方式，一般是在持久层存储的就是加密后的数据
使用加密的方法
将加密的方式注入到spring容器中
然后给Security指定加密方式

<beans xmlns="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:context="http://www.springframework.org/schema/context"xmlns:mvc="http://www.springframework.org/schema/mvc"xsi:schemaLocation="http://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/contexthttp://www.springframework.org/schema/context/spring-context.xsdhttp://www.springframework.org/schema/mvchttp://www.springframework.org/schema/mvc/spring-mvc.xsd"><context:component-scan base-package="com.shaoby.service"></context:component-scan>
<!--使用的加密方式的类--><bean name="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/><import resource="spring-security.xml"/>
</beans>

<beans:beans xmlns="http://www.springframework.org/schema/security"xmlns:beans="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spring-security.xsd"><http auto-config="true"><intercept-url pattern="/login.jsp" access="permitAll()"/><intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" /><!--指定登录页面或登录成功页面等，都在这个标签中可以指定--><form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/><!-- 错误页面--><access-denied-handler error-page="/error.jsp"/><!--关闭CSRF认证--><csrf disabled="true"/></http><authentication-manager><!--指定认证的类--><authentication-provider user-service-ref="userServiceImpl"><!--给security指定加密的方式--><password-encoder ref="bCryptPasswordEncoder"/></authentication-provider></authentication-manager>
</beans:beans>

2.5 remember me

这个功能是在页面勾选’记住我‘的勾选框后，下次再次访问页面不需要再次登录
实现的原理是，在登录成功后回返回给前端一个token，并存放在一张持久层表中或则内存中，前端存放在Cookie中，下次登录只要携带Cookie，security就直接通过存储的token比对，不需要重新认证
如果指定了数据源，就存放在持久层，如果没有指定则存放在内存中
token的过期时间是可以设置的
实现步骤：
开启记住我功能
如果指定数据源则存放在数据库中，如果没有指定则存放在内存中
页面请求时候要传入一个参数

<beans:beans xmlns="http://www.springframework.org/schema/security"xmlns:beans="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spring-security.xsd"><http auto-config="true"><intercept-url pattern="/login.jsp" access="permitAll()"/><intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" /><!--指定登录页面或登录成功页面等，都在这个标签中可以指定--><form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/><!-- 错误页面--><access-denied-handler error-page="/error.jsp"/><!--关闭CSRF认证--><csrf disabled="true"/><!--开启remember功能 token-validity-seconds表示过期时间，单位秒；remember-me-parameter="remember-me"表示传入的参数名；data-source-ref="dataSource"表示指定的数据源--><remember-metoken-validity-seconds="60"remember-me-parameter="remember-me"data-source-ref="dataSource"/></http><authentication-manager><!--指定认证的类--><authentication-provider user-service-ref="userServiceImpl"><!--给security指定加密的方式--><password-encoder ref="bCryptPasswordEncoder"/></authentication-provider></authentication-manager>
</beans:beans>