Spring Security is a framework that provides security services for Spring applications, handling authentication and authorization at both the web request level and the method level. It secures web requests (restricting access by URL) through a chain of servlet filters, and it can additionally secure individual method invocations through AOP; this post only uses the filter-based, URL-level part.
In this post I will create a simple web application that handles login authentication and authorization.
Download the project: http://www.mediafire.com/?bb9x88uxvkb0uuv or http://dl.dropbox.com/u/7215751/JavaCodeGeeks/SpringSecurityTutorialPart1/spring-security-login-example.rar
Before creating the project, run a few statements against MySQL to create a new database and two tables and to add some sample data.
Create the tables
```sql
CREATE DATABASE IF NOT EXISTS `spring-test`;

-- create the database user the application connects as
CREATE USER 'user'@'localhost' IDENTIFIED BY 'test';
-- the database name contains a hyphen, so it must be quoted here as well;
-- ALL is more than this application needs: it only ever SELECTs from the two tables
GRANT ALL ON `spring-test`.* TO 'user'@'localhost';

USE `spring-test`;

CREATE TABLE USER_DETAILS (
  USERNAME VARCHAR(10) NOT NULL,
  PASSWORD VARCHAR(32) NOT NULL,   -- stored in plaintext in this part of the tutorial
  PRIMARY KEY (USERNAME)
);

CREATE TABLE USER_AUTH (
  USERNAME  VARCHAR(10) NOT NULL,
  AUTHORITY VARCHAR(10) NOT NULL,  -- holds role names such as ROLE_USER / ROLE_ADMIN
  FOREIGN KEY (USERNAME) REFERENCES USER_DETAILS(USERNAME)
);
```
Test data
```sql
insert into USER_DETAILS values ('user','123');
insert into USER_DETAILS values ('admin','admin');
insert into USER_AUTH values ('user', 'ROLE_USER');
insert into USER_AUTH values ('admin', 'ROLE_ADMIN');
```
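The test data above stores the passwords in plaintext, and that is what the tutorial's `jdbc-user-service` compares the submitted password against. The class below is an added example, not part of the original tutorial, showing how to produce salted SHA-256 values with the `ShaPasswordEncoder` that ships in spring-security-core 3.0 and how to verify them. It assumes two changes that the tutorial does not make: the PASSWORD column is widened to VARCHAR(64) so that a hex-encoded SHA-256 fits, and `<password-encoder hash="sha-256"><salt-source user-property="username"/></password-encoder>` is added inside `<authentication-provider>` in login-security.xml, which makes the provider apply exactly this algorithm (digest of `password{username}`) at login.

```java
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;

// Added example: salted SHA-256 password storage for the tutorial's USER_DETAILS table.
// Needs spring-security-core 3.0.x on the classpath (already a dependency of the project).
public class PasswordHashing {

    // SHA-256 with hex output: the same encoder that <password-encoder hash="sha-256"/>
    // installs in the authentication provider.
    private static final ShaPasswordEncoder ENCODER = new ShaPasswordEncoder(256);

    /**
     * Value to store in USER_DETAILS.PASSWORD for this user. The username is used as the
     * salt, which is what <salt-source user-property="username"/> does on the server side:
     * the encoder digests rawPassword + "{" + username + "}", so two users with the same
     * password still get different stored values.
     */
    static String storedValue(String username, String rawPassword) {
        return ENCODER.encodePassword(rawPassword, username);
    }

    /** Same check the DaoAuthenticationProvider performs at login. */
    static boolean matches(String username, String rawPassword, String stored) {
        return ENCODER.isPasswordValid(stored, rawPassword, username);
    }

    public static void main(String[] args) {
        // Constructed sample accounts: the tutorial's two test users.
        String[][] accounts = { { "user", "123" }, { "admin", "admin" } };
        for (String[] account : accounts) {
            String hash = storedValue(account[0], account[1]);
            // Print the INSERT to run instead of the plaintext one above.
            System.out.printf("insert into USER_DETAILS values ('%s','%s');%n", account[0], hash);
            System.out.println("  correct password accepted: " + matches(account[0], account[1], hash)
                    + ", wrong password rejected: " + !matches(account[0], "wrong", hash));
        }
    }
}
```

Run the class once and use the printed INSERT statements in place of the plaintext ones. A single fast digest with the username as salt is the strongest scheme the 3.0 namespace offers out of the box; if you can move to Spring Security 3.1 or later, prefer its `BCryptPasswordEncoder`, which generates its own random salt and is deliberately slow to brute-force.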
After that I create a web project with Maven and add the following dependencies to pom.xml.
```xml
<properties>
  <spring.version>3.0.5.RELEASE</spring.version>
</properties>

<dependencies>
  <dependency>
    <groupId>javax.validation</groupId>
    <artifactId>validation-api</artifactId>
    <version>1.0.0.GA</version>
  </dependency>
  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>${spring.version}</version>
  </dependency>
  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>${spring.version}</version>
  </dependency>
  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>${spring.version}</version>
  </dependency>
  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-jdbc</artifactId>
    <version>${spring.version}</version>
  </dependency>

  <!-- Spring Security -->
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${spring.version}</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring.version}</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${spring.version}</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>${spring.version}</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-acl</artifactId>
    <version>${spring.version}</version>
  </dependency>

  <!-- jstl -->
  <dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <version>1.2</version>
  </dependency>

  <!-- MySQL database driver -->
  <dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>5.1.9</version>
  </dependency>
  <dependency>
    <groupId>c3p0</groupId>
    <artifactId>c3p0</artifactId>
    <version>0.9.1</version>
  </dependency>
</dependencies>
```
Then change web.xml as follows. The important part for Spring Security is the `springSecurityFilterChain` filter mapped to `/*`: `DelegatingFilterProxy` hands every request to the Spring bean of that name, which the security namespace configuration creates.
```xml
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>spring-security-login</display-name>

  <!-- all three Spring configuration files are loaded by the ContextLoaderListener -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/login-servlet.xml,
      /WEB-INF/login-security.xml,
      /WEB-INF/login-service.xml
    </param-value>
  </context-param>

  <!-- Spring Security: delegates to the bean named springSecurityFilterChain -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <servlet>
    <servlet-name>login</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>login</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

  <welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
  </welcome-file-list>
</web-app>
```
Now I need to create the three Spring configuration files login-servlet.xml, login-security.xml and login-service.xml. In this example we use the c3p0 connection pool with a MySQL database.
Here is login-servlet.xml. It scans the `rd.controller` package for controllers, maps view names to JSPs under /WEB-INF/views/, and loads the `login.*` placeholder values used by the data source from login.properties on the classpath.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.0.xsd">

  <context:component-scan base-package="rd.controller"/>

  <bean id="internalResourceResolver"
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="prefix" value="/WEB-INF/views/"/>
    <property name="suffix" value=".jsp"/>
  </bean>

  <bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping"/>
  <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter"/>

  <bean id="placeholderConfig"
        class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="locations">
      <list>
        <value>classpath:login.properties</value>
      </list>
    </property>
  </bean>
</beans>
```
Here is login-security.xml. Three things in it deserve attention. The `intercept-url` rules are evaluated in order, first match wins, and they only cover URLs matching `/home*` and `/admin*`; a request that matches no rule is not restricted by Spring Security 3.0 at all, so in a real application end the list with a `/**` rule. `<remember-me/>` is declared without a `key` attribute; the key is what the remember-me cookie's signature is derived from, so always set a deployment-specific value rather than relying on the default. Finally, the provider has no `<password-encoder>`, so it compares the submitted password directly with the plaintext value in USER_DETAILS.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <beans:import resource="login-service.xml"/>

  <http>
    <!-- evaluated in order, first match wins; a URL matching none of these is not restricted -->
    <intercept-url pattern="/home*"  access="ROLE_USER,ROLE_ADMIN"/>
    <intercept-url pattern="/admin*" access="ROLE_ADMIN"/>
    <form-login login-page="/login.jsp"
                default-target-url="/home"
                authentication-failure-url="/login.jsp?error=true"/>
    <logout logout-success-url="/login.jsp"/>
    <anonymous username="guest" granted-authority="ROLE_GUEST"/>
    <!-- set key="some-deployment-specific-secret" when you enable this -->
    <remember-me/>
  </http>

  <authentication-manager>
    <authentication-provider>
      <!-- in-memory alternative, kept for reference:
      <user-service>
        <user name="admin" password="secret" authorities="ROLE_ADMIN,ROLE_USER"/>
        <user name="user1" password="1111" authorities="ROLE_USER"/>
      </user-service>
      -->
      <!-- the schema has no enabled column, so every user is reported as enabled;
           the two queries must return (username, password, enabled) and (username, authority) -->
      <jdbc-user-service data-source-ref="dataSource"
          users-by-username-query="select username, password, 'true' as enabled
                                   from USER_DETAILS where username=?"
          authorities-by-username-query="select USER_DETAILS.username, USER_AUTH.AUTHORITY as authorities
                                         from USER_DETAILS, USER_AUTH
                                         where USER_DETAILS.username = ?
                                         and USER_DETAILS.username = USER_AUTH.USERNAME"/>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```
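The `intercept-url` patterns above are Ant-style patterns matched in declaration order, and in Spring Security 3.0 a request that matches none of them passes through unrestricted. The class below is an added example, not code from the tutorial: it uses `org.springframework.util.AntPathMatcher` from spring-core, the matcher behind the namespace's default `path-type="ant"`, to show which of a set of constructed request paths each rule list covers. It compares the tutorial's two rules with a hardened list of my own that opens the login page explicitly, covers sub-paths of /admin and ends with a `/**` catch-all; the hardened list is a suggestion, not part of the original configuration.

```java
import org.springframework.util.AntPathMatcher;

// Added example: which request paths the intercept-url rules actually cover.
// Needs spring-core 3.0.x on the classpath (already a dependency of the project).
public class InterceptUrlCoverage {

    // Rules exactly as written in the tutorial's login-security.xml: {pattern, access}.
    static final String[][] TUTORIAL_RULES = {
        { "/home*",  "ROLE_USER,ROLE_ADMIN" },
        { "/admin*", "ROLE_ADMIN" },
    };

    // Hardened variant (suggested here, not the tutorial's): the login page is allowed
    // explicitly, /admin and everything below it is admin-only, and the final /** rule
    // means no URL is ever left to the 3.0 default of "no rule, let it through".
    // IS_AUTHENTICATED_ANONYMOUSLY is handled by the AuthenticatedVoter that the
    // namespace registers alongside the RoleVoter.
    static final String[][] HARDENED_RULES = {
        { "/login.jsp*", "IS_AUTHENTICATED_ANONYMOUSLY" },
        { "/admin/**",   "ROLE_ADMIN" },
        { "/admin*",     "ROLE_ADMIN" },
        { "/**",         "ROLE_USER,ROLE_ADMIN" },
    };

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /**
     * Returns the access attribute of the first rule whose pattern matches the path,
     * the same first-match semantics FilterSecurityInterceptor applies, or null when
     * no rule matches. Spring Security 3.0 lowercases the path before ant matching
     * (lowercase-comparisons defaults to true), so patterns are written in lowercase.
     */
    static String accessFor(String[][] rules, String path) {
        for (String[] rule : rules) {
            if (MATCHER.match(rule[0], path)) {
                return rule[1];
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample request paths (servlet path without the context path).
        String[] requests = {
            "/home", "/homepage", "/home/",
            "/admin", "/admin/", "/admin/users",
            "/login.jsp", "/anythingelse"
        };
        System.out.printf("%-16s %-30s %s%n", "path", "tutorial rules", "hardened rules");
        for (String path : requests) {
            String tutorial = accessFor(TUTORIAL_RULES, path);
            String hardened = accessFor(HARDENED_RULES, path);
            System.out.printf("%-16s %-30s %s%n", path,
                    tutorial == null ? "(no rule: open to everyone)" : tutorial,
                    hardened == null ? "(no rule: open to everyone)" : hardened);
        }
    }
}
```

With the tutorial's rules, `/admin/` and `/admin/users` match nothing, because a single `*` never crosses a `/`, and `/anythingelse` matches nothing either; the hardened list answers every path. In this particular application the unmatched URLs are not served by any controller, so nothing sensitive is exposed, but the moment a new handler is added under /admin/ the gap becomes real, which is why the catch-all belongs in the configuration from the start.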
Here is login-service.xml. The `login.*` placeholders are resolved from the login.properties file referenced in login-servlet.xml, which the tutorial does not list; keeping the database credentials in that file, outside the XML, also keeps them out of the configuration you are likely to share.
```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

  <bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource">
    <!-- Driver name to connect to the database -->
    <property name="driverClass">
      <value>${login.jdbc.driver}</value>
    </property>
    <!-- DB URL -->
    <property name="jdbcUrl">
      <value>${login.url}</value>
    </property>
    <!-- DB user used to connect to the schema -->
    <property name="user">
      <value>${login.username}</value>
    </property>
    <!-- Password required to access for the above user -->
    <property name="password">
      <value>${login.password}</value>
    </property>

    <!-- pool configuration via c3p0 -->
    <property name="acquireIncrement">
      <value>${login.c3p0.acquireIncrement}</value>
    </property>
    <property name="idleConnectionTestPeriod">
      <value>${login.c3p0.idleConnectionTestPeriod}</value> <!-- seconds -->
    </property>
    <property name="maxPoolSize">
      <value>${login.c3p0.maxPoolSize}</value>
    </property>
    <property name="maxStatements">
      <value>${login.c3p0.maxStatements}</value>
    </property>
    <property name="minPoolSize">
      <value>${login.c3p0.minPoolSize}</value>
    </property>
    <property name="initialPoolSize">
      <value>${login.c3p0.initialPoolSize}</value>
    </property>
    <property name="maxIdleTime">
      <value>${login.c3p0.maxIdleTime}</value>
    </property>
    <property name="acquireRetryAttempts">
      <value>${login.c3p0.acquireRetryAttempts}</value>
    </property>
    <property name="acquireRetryDelay">
      <value>${login.c3p0.acquireRetryDelay}</value>
    </property>
    <property name="breakAfterAcquireFailure">
      <value>${login.c3p0.breakAfterAcquireFailure}</value>
    </property>
  </bean>
</beans>
```
The login.jsp page looks like this. It must be placed directly under the webapp directory, not under WEB-INF, because it has to be reachable by users who are not yet authenticated. On a failed login it shows the message of the last authentication exception; JSP EL writes `${...}` values without HTML escaping, so the version below prints the message through `<c:out>`.
```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html>
<head>
  <title>Login</title>
</head>
<body>
  <c:if test="${not empty param.error}">
    <font color="red">
      Login error.<br/>
      <%-- c:out HTML-escapes the message; a bare ${...} would write it unescaped --%>
      Reason : <c:out value="${sessionScope['SPRING_SECURITY_LAST_EXCEPTION'].message}"/>
    </font>
  </c:if>
  <%-- j_spring_security_check, j_username and j_password are the defaults the form-login filter expects --%>
  <form method="POST" action="<c:url value='/j_spring_security_check'/>">
    <table>
      <tr>
        <td align="right">Username</td>
        <td><input type="text" name="j_username"/></td>
      </tr>
      <tr>
        <td align="right">Password</td>
        <td><input type="password" name="j_password"/></td>
      </tr>
      <tr>
        <td colspan="2" align="right">
          <input type="submit" value="Login"/>
        </td>
      </tr>
    </table>
  </form>
</body>
</html>
```
The home.jsp page (under /WEB-INF/views/, where the view resolver looks for it). The `<sec:authorize>` tag only hides the admin link from non-admins; what actually keeps them out of /admin is the `intercept-url` rule in login-security.xml.
```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<html>
<head>
  <title>Home</title>
</head>
<body>
  <a href="<c:url value='/j_spring_security_logout'/>">Logout</a><br/>
  <%-- hides the link from non-admins; the /admin* intercept-url rule enforces the access --%>
  <sec:authorize ifAnyGranted="ROLE_ADMIN">
    <h1>Only admin can see this</h1><br/>
    <a href="admin">Admin Home</a>
  </sec:authorize>
  <h1>Welcome</h1>
</body>
</html>
```
The admin-home.jsp page (also under /WEB-INF/views/)
```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
  <title>Admin</title>
</head>
<body>
  <a href="<c:url value='/j_spring_security_logout'/>">Logout</a><br/>
  <h1>Only Admin allowed here</h1>
</body>
</html>
```
After that you need to write two controllers that return the home and admin-home views. Here is HomeController.java
```java
package rd.controller;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class HomeController {

    // "home" is resolved to /WEB-INF/views/home.jsp by the InternalResourceViewResolver
    @RequestMapping(value = "/home", method = RequestMethod.GET)
    public String setUp(Model model) {
        return "home";
    }
}
```
Here is AdminController.java
```java
package rd.controller;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class AdminController {

    // reachable only with ROLE_ADMIN because of the /admin* intercept-url rule
    @RequestMapping(value = "/admin", method = RequestMethod.GET)
    public String setUp(Model model) {
        return "admin-home";
    }
}
```
That's it. Run `mvn clean install` to build the war file, copy it into Tomcat's webapps directory and open the web application in your browser.
URL: http://localhost:<port>/spring-login/login.jsp (the context path is the name of the deployed war file)
Test case 1: log in with user as the username and 123 as the password. You get the user home page.
Test case 2: log in with admin as the username and admin as the password. You get the user home page with the admin page link visible.
In Spring Security Part 2 I will modify this project and add the remember-me feature and MD5 password encryption.
In the near future I'll try to post interesting articles on Spring Security CAS integration and LDAP integration. Stay tuned :)
Reference: Spring Security Part 1 – Simple Login Application with Database from our JCG partner Rajith Delantha at the Looping around with Rajith… blog.
Translated from: https://www.javacodegeeks.com/2012/07/spring-security-part-1-simple-login.html