SpringSecurity基础使用
SpringSecurity是一个安全框架,主要功能是认证和授权
从Spring入手SpringSecurity
1. Spring整合SpringSecurity
applicationContext.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<context:component-scan base-package="com.shaoby.service"></context:component-scan>
<import resource="spring-security.xml"/>
</beans>
spring-mvc.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<!-- 启用注解扫描 -->
<context:component-scan base-package="com.shaoby.controller" />
<!-- 配置视图解析器 -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
</bean>
<!-- 启用Spring MVC的注解 -->
<mvc:annotation-driven />
<!-- 定义控制器 -->
<!-- <bean name="/example" class="com.shaoby.controller.ExampleController" />-->
</beans>
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config="true">
<intercept-url pattern="/login.jsp" access="permitAll()"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
<form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/>
<remember-me
token-validity-seconds="60"
remember-me-parameter="remember-me"
/>
<access-denied-handler error-page="/error.jsp"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="{noop}123" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<display-name>Archetype Created Web Application</display-name>
<!-- 初始化web容器-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</context-param>
<!--配置Spring的监听器,默认只加载WEB-INF目录下的applicationContext.xml配置文件-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!--乱码-->
<filter>
<filter-name>characterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>characterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--security-->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--前端控制器-->
<servlet>
<servlet-name>dispatcherServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring-mvc.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcherServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
2. 认证操作
2.1 自定义登录页面
自定义登录页面只需要在security配置文件中指定登录页面即可
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config="true">
<intercept-url pattern="/login.jsp" access="permitAll()"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
<!--指定登录页面或登录成功页面等,都在这个标签中可以指定-->
<form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/>
<!-- 错误页面-->
<access-denied-handler error-page="/error.jsp"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="{noop}123" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
2.2 关闭CSRF认证
使用csrf标签指定disabled = 'true’即可
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config="true">
<intercept-url pattern="/login.jsp" access="permitAll()"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
<!--指定登录页面或登录成功页面等,都在这个标签中可以指定-->
<form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/>
<!-- 错误页面-->
<access-denied-handler error-page="/error.jsp"/>
<!--关闭CSRF认证-->
<csrf disabled="true"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="{noop}123" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
如果在JSP页面中也可以通过引入标签解决
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
-#引入
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
<html>
<head>
<title>登录</title>
</head>
<body>
<h1>登录页面</h1>
<form action="/login" method="post">
账号:<input type="text" name="username"/> <br>
密码:<input type="password" name="password"/> <br>
-#使用标签
<security:csrfInput/>
<input type="submit" value="登录">
</form>
</body>
</html>
2.3 持久层认证
- 认证一般是通过持久层查询进行认证的,这里暂时没有链接数据库,将数据写死。
- ecurity实现持久层的认证只需要实现UserDetailsService,重写loadUserByUserName,返回一个UserDetails对象即可,这个UserDetails对象可以通过任何方式获得,一般是数据库根据登录用户名查询。
- 需要注意的是,如果密码没有采用加密方式,密码前必须拼接{noop}字符串。
- 将写好的实现类给Security指定
@Service
public class UserServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
List<GrantedAuthority> list = new ArrayList<>();
list.add(new SimpleGrantedAuthority("ROLE_USER"));
UserDetails user = new User("admin", "{noop}123456", list);
return user;
}
}
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config="true">
<intercept-url pattern="/login.jsp" access="permitAll()"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
<!--指定登录页面或登录成功页面等,都在这个标签中可以指定-->
<form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/>
<!-- 错误页面-->
<access-denied-handler error-page="/error.jsp"/>
<!--关闭CSRF认证-->
<csrf disabled="true"/>
</http>
<authentication-manager>
<!--指定认证的类-->
<authentication-provider user-service-ref="userServiceImpl">
</authentication-provider>
</authentication-manager>
</beans:beans>
2.4 密码加密
- 密码加密的方式有很多,比如MD5、MD4、BCryptPasswordEncoder等
- 如果使用加密的方式,一般是在持久层存储的就是加密后的数据
- 使用加密的方法
- 将加密的方式注入到spring容器中
- 然后给Security指定加密方式
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<context:component-scan base-package="com.shaoby.service"></context:component-scan>
<!--使用的加密方式的类-->
<bean name="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<import resource="spring-security.xml"/>
</beans>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config="true">
<intercept-url pattern="/login.jsp" access="permitAll()"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
<!--指定登录页面或登录成功页面等,都在这个标签中可以指定-->
<form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/>
<!-- 错误页面-->
<access-denied-handler error-page="/error.jsp"/>
<!--关闭CSRF认证-->
<csrf disabled="true"/>
</http>
<authentication-manager>
<!--指定认证的类-->
<authentication-provider user-service-ref="userServiceImpl">
<!--给security指定加密的方式-->
<password-encoder ref="bCryptPasswordEncoder"/>
</authentication-provider>
</authentication-manager>
</beans:beans>
2.5 remember me
- 这个功能是在页面勾选’记住我‘的勾选框后,下次再次访问页面不需要再次登录
- 实现的原理是,在登录成功后回返回给前端一个token,并存放在一张持久层表中或则内存中,前端存放在Cookie中,下次登录只要携带Cookie,security就直接通过存储的token比对,不需要重新认证
- 如果指定了数据源,就存放在持久层,如果没有指定则存放在内存中
- token的过期时间是可以设置的
- 实现步骤:
- 开启记住我功能
- 如果指定数据源则存放在数据库中,如果没有指定则存放在内存中
- 页面请求时候要传入一个参数
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config="true">
<intercept-url pattern="/login.jsp" access="permitAll()"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
<!--指定登录页面或登录成功页面等,都在这个标签中可以指定-->
<form-login login-page="/login.jsp" login-processing-url="/login" authentication-success-forward-url="/home.jsp"/>
<!-- 错误页面-->
<access-denied-handler error-page="/error.jsp"/>
<!--关闭CSRF认证-->
<csrf disabled="true"/>
<!--开启remember功能 token-validity-seconds表示过期时间,单位秒;remember-me-parameter="remember-me"表示传入的参数名;data-source-ref="dataSource"表示指定的数据源-->
<remember-me
token-validity-seconds="60"
remember-me-parameter="remember-me"
data-source-ref="dataSource"
/>
</http>
<authentication-manager>
<!--指定认证的类-->
<authentication-provider user-service-ref="userServiceImpl">
<!--给security指定加密的方式-->
<password-encoder ref="bCryptPasswordEncoder"/>
</authentication-provider>
</authentication-manager>
</beans:beans>
