Spring Security Personal Notes

2017-07-10  神棄丶Aria

This project uses the Spring Security framework for authentication.
The notes below record how the framework is used.

Setting up the framework

Maven configuration

The main step is importing three packages:

    <!-- Spring Security dependencies -->
    <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-core -->
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-core</artifactId>
      <version>4.2.2.RELEASE</version>
    </dependency>


    <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-web -->
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-web</artifactId>
      <version>4.2.2.RELEASE</version>
    </dependency>


    <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-config -->
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>4.2.2.RELEASE</version>
    </dependency>

web.xml configuration

This mainly configures the Spring Security filter chain:

  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Next is the Spring Security configuration file.

We start with the simplest configuration:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http pattern="/**" auto-config="true">
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <security:form-login />
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="myName" authorities="ROLE_USER" password="123456"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

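If the back end is configured correctly, Spring Security intercepts requests at runtime and redirects them to a login page. This login page is generated automatically by Spring Security.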

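In the configuration file we configured the username and password inside <security:authentication-manager></security:authentication-manager>. Entering username myName and password 123456 logs in successfully, and the system's pages can then be accessed.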

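Custom login page

The page the framework generates for us naturally does not meet our needs, so we need a custom login page.

Configuration file

Modify the <security:http> element: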

    <security:http pattern="/**" auto-config="true">
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <security:form-login login-page="/html/myLogin.html" login-processing-url="/myLogin" always-use-default-target="true"
                             username-parameter="name" password-parameter="password"
                             default-target-url="/html/home.html"
                             authentication-failure-url="/html/login_failure.html" />
        <security:csrf disabled="true"/>
    </security:http>

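login-page: the login page.
login-processing-url: the URI the login data is submitted to, i.e. the URI that performs the authentication.
default-target-url: the page to go to after a successful login.
authentication-failure-url: the page to go to after a failed login.
always-use-default-target: sends the user to the target URL by default; a user who is not logged in is forced back to the login page.
username-parameter / password-parameter: the names of the form fields that carry the username and password at login.
As for CSRF, I couldn't get it to work, so I simply disabled it. If it is not disabled, login gains an extra CSRF verification step.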

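If we run the application right after configuring the <security:http> element, the page is redirected endlessly. We defined a custom login page, but Spring Security intercepts that page too and redirects it to the login page, where it is intercepted and redirected again, so the request is stuck in a loop. We therefore need to tell the framework that this page must not be intercepted.
Add the following to the configuration file: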

    <security:http pattern="/html/myLogin.html" security="none"/>
    <security:http pattern="/html/login_failure.html" security="none"/>

The complete configuration file is then:


<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http pattern="/html/myLogin.html" security="none"/>
    <security:http pattern="/html/login_failure.html" security="none"/>

    <security:http pattern="/**" auto-config="true">
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <security:form-login login-page="/html/myLogin.html"
                             login-processing-url="/myLogin"
                             always-use-default-target="true"
                             username-parameter="name" password-parameter="password"
                             default-target-url="/html/home.html"
                             authentication-failure-forward-url="/html/login_failure.html" />
        <security:csrf disabled="true"/>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="myName" authorities="ROLE_USER" password="123456"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>


</beans>

The login HTML

Here the login is submitted through a form:

<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>用户</title>
</head>
<script type="text/javascript" src="/js/jquery.min.js"></script>
<body>
<div>
    <!-- POST keeps the credentials out of the URL; the login filter only accepts POST by default -->
    <form name='f'
          action='/myLogin'
          method='POST'>
        <table class="formtable">
            <tr>
                <td class="title">输入姓名:</td>
                <td><input  class="control" type='text' name='name' id="name"></td>
            </tr>
            <tr>
                <td class="title">输入密码:</td>
                <td><input class="control" type='password' name='password' id="password"/></td>
            </tr>
            <tr>
                <td colspan='2'><input name="submit" type="submit"
                                       value="登录" /></td>
            </tr>
        </table>
    </form>
</div>
</body>
</html>

Run the application now and our custom login page is displayed.
