一.初识Spring Security
1.1 Spring Security概念
Spring Security 是 Spring 采用 AOP 思想、基于 Servlet 过滤器实现的安全框架。它提供了完善的认证机制和方法级的授权功能,是一款非常优秀的权限管理框架。
1.2 Spring Security简单入门
Spring Security博大精深,设计巧妙,功能繁杂,一言难尽,咱们还是直接上代码吧!
1.2.1 创建web工程并导入jar包
spring-security-core.jar 核心包,任何Spring Security功能都需要此包
spring-security-web.jar web工程必备,包含过滤器和相关的Web安全基础结构代码。
spring-security-config.jar 用于解析xml配置文件,用到Spring Security的xml配置文件的就要用到此包。
spring-security-taglibs.jar Spring Security提供的动态标签库,jsp页面可以用。
<!--
  Spring Security modules declared explicitly by this tutorial, both pinned to
  5.1.5.RELEASE. Keep every spring-security-* artifact on the same version.
  spring-security-core and spring-security-web are not declared here; they are
  expected to arrive as transitive dependencies (confirm with
  "mvn dependency:tree").
  NOTE(review): 5.1.5.RELEASE is the version used on this page; check it
  against the currently supported Spring Security releases before reuse.
-->
<!-- Parses the security: XML namespace used in spring-security.xml. -->
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-config</artifactId>
  <version>5.1.5.RELEASE</version>
</dependency>
<!-- JSP tag library for security-aware rendering in pages. -->
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-taglibs</artifactId>
  <version>5.1.5.RELEASE</version>
</dependency>
1.2.2 配置web.xml
<!--
  Spring Security entry point in web.xml.
  DelegatingFilterProxy looks up a Spring bean whose id equals the filter-name
  and hands each request to it. Spring Security registers its filter chain
  under the id "springSecurityFilterChain", so this name must not be changed.
-->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!--
  "/*" sends every request through the security filter chain. No <dispatcher>
  element is given, so the mapping applies to REQUEST dispatches only.
-->
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
1.2.3 配置spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/aop
                           http://www.springframework.org/schema/aop/spring-aop.xsd
                           http://www.springframework.org/schema/tx
                           http://www.springframework.org/schema/tx/spring-tx.xsd
                           http://www.springframework.org/schema/mvc
                           http://www.springframework.org/schema/mvc/spring-mvc.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!--
      Paths served without any Spring Security filter. security="none" skips
      the whole filter chain for the pattern: no authentication, no
      SecurityContext, no CSRF handling. These blocks must stay above the
      catch-all http block below, because the first matching block wins.
    -->
    <security:http pattern="/css/**" security="none"/>
    <security:http pattern="/img/**" security="none"/>
    <security:http pattern="/plugins/**" security="none"/>
    <!--
      failer.jsp is the authentication-failure page, so it has to be reachable
      without logging in.
      NOTE(review): this is a JSP rather than a static asset; an intercept-url
      with access="permitAll()" inside the main http block is the usual
      alternative, since it keeps the page inside the filter chain.
    -->
    <security:http pattern="/failer.jsp" security="none"/>

    <!--
      Main security configuration.
      auto-config="true" registers the default form login, HTTP Basic and
      logout handling; the explicit form-login and logout elements below
      customise the first and the last of these.
      use-expressions="true" means every access attribute is a SpEL expression.
    -->
    <security:http auto-config="true" use-expressions="true">
        <!--
          intercept-url rules are evaluated in order and the first match wins,
          so the login page is opened to anonymous users before the catch-all.
        -->
        <security:intercept-url pattern="/login.jsp" access="permitAll()"/>
        <!-- Everything else requires an authenticated user holding ROLE_USER. -->
        <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')"/>

        <!--
          Form login: login.jsp renders the form, POST /login is processed by
          Spring Security, success lands on index.jsp, failure on failer.jsp.
        -->
        <security:form-login login-page="/login.jsp"
                             login-processing-url="/login"
                             default-target-url="/index.jsp"
                             authentication-failure-url="/failer.jsp"/>

        <!-- Logout endpoint and the page shown once the session is ended. -->
        <security:logout logout-url="/logout"
                         logout-success-url="/login.jsp"/>

        <!--
          The element below is deliberately left commented out: enabling it
          would switch CSRF protection off. With CSRF protection active,
          login.jsp and every other state-changing form must submit the CSRF
          token, and /logout has to be requested with POST.
        -->
        <!--<security:csrf disabled="true"/>-->
    </security:http>

    <!--
      Password encoder bean. With BCrypt configured, the passwords returned by
      the user service must be stored as BCrypt hashes.
    -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <!--
      Source of user data for authentication: the bean "userServiceImpl"
      (defined elsewhere, not shown on this page), with submitted passwords
      checked through the BCrypt encoder above.
    -->
    <security:authentication-manager>
        <security:authentication-provider user-service-ref="userServiceImpl">
            <security:password-encoder ref="passwordEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <!--
      Disabled alternative kept for reference: in-memory users instead of
      userServiceImpl. Spring Security expects encoded passwords by default;
      the {noop} prefix marks a password as stored in plain text, which is
      acceptable for a local demo only. Given the access rule above, the
      sample "admin" user (ROLE_ADMIN only) would be denied every protected
      resource.

      <security:authentication-manager>
          <security:authentication-provider>
              <security:user-service>
                  <security:user name="user" password="{noop}user" authorities="ROLE_USER" />
                  <security:user name="admin" password="{noop}admin" authorities="ROLE_ADMIN" />
              </security:user-service>
          </security:authentication-provider>
      </security:authentication-manager>
    -->
</beans>
1.2.4 将spring-security.xml配置文件引入到applicationContext.xml中
<!--
  Pull the Spring Security configuration into this application context.
  DelegatingFilterProxy resolves the springSecurityFilterChain bean from the
  root web application context, so the import belongs in the context file
  loaded at application start-up.
  NOTE(review): applicationContext.xml is presumably that root context; confirm.
-->
<import resource="classpath:spring-security.xml"/>
1.2.5 运行结果