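The project structure is as follows:
The project uses Spring MVC and Spring Security; import the relevant JAR files.
I. Create the controller HelloController.java
(1) url="/welcome" or "/" forwards to hello.jsp
(2) url="/admin" forwards to admin.jsp
The code is as follows: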

    package com.study.web.controller;

    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.servlet.ModelAndView;

    @Controller
    public class HelloController {

        // Public page: "/" and "/welcome" render hello.jsp.
        @RequestMapping(value = {"/", "/welcome**"}, method = RequestMethod.GET)
        public ModelAndView welcomePage() {
            ModelAndView model = new ModelAndView();
            model.addObject("title", "Spring Security Hello World.");
            model.addObject("message", "This is welcome page.");
            model.setViewName("hello");
            return model;
        }

        // Protected page: "/admin" renders admin.jsp; access is restricted in spring-security.xml.
        @RequestMapping(value = "/admin**", method = RequestMethod.GET)
        public ModelAndView adminPage() {
            ModelAndView model = new ModelAndView();
            model.addObject("title", "Spring Security Hello World.");
            model.addObject("message", "this is protected page");
            model.setViewName("admin");
            return model;
        }
    }

II. hello.jsp and admin.jsp
hello.jsp

    <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Insert title here</title>
    </head>
    <body>
        <h1>Title:${title }</h1>
        <h1>Message:${message }</h1>
    </body>
    </html>

admin.jsp

    <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
    <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Insert title here</title>
    </head>
    <body>
        <h1>Title:${title }</h1>
        <h1>Message:${message }</h1>
        <c:if test="${pageContext.request.userPrincipal.name != null }">
            <h2>Welcome:${pageContext.request.userPrincipal.name}</h2>
            <a href="<c:url value="/j_spring_security_logout"/>">logout</a>
        </c:if>
    </body>
    </html>

III. Spring MVC configuration file mvc-dispatcher-servlet.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/context
            http://www.springframework.org/schema/context/spring-context-3.0.xsd">

        <context:component-scan base-package="com.study.*" />

        <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
            <property name="prefix">
                <value>/WEB-INF/pages/</value>
            </property>
            <property name="suffix">
                <value>.jsp</value>
            </property>
        </bean>
    </beans>

IV. Spring Security configuration file spring-security.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.2.xsd">

        <http auto-config="true">
            <intercept-url pattern="/admin**" access="ROLE_USER" />
        </http>

        <authentication-manager>
            <authentication-provider>
                <user-service>
                    <user name="moneyZhong" password="123456" authorities="ROLE_USER" />
                </user-service>
            </authentication-provider>
        </authentication-manager>
    </beans:beans>

As the file shows, only "moneyZhong" is allowed to access /admin.
V. To integrate Spring Security into Spring MVC, you only need to define the DelegatingFilterProxy filter to intercept requests. The web.xml is as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
        id="WebApp_ID" version="3.0">

        <display-name>Spring MVC Application</display-name>

        <!-- Spring MVC -->
        <servlet>
            <servlet-name>mvc-dispatcher</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>mvc-dispatcher</servlet-name>
            <url-pattern>/</url-pattern>
        </servlet-mapping>

        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>

        <!-- Loads Spring Security config file -->
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/spring-security.xml
            </param-value>
        </context-param>

        <!-- Spring Security -->
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    </web-app>

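VI. Demo
(1) Visit http://localhost:8080/springsecurity01/welcome
(2) Visit admin.jsp.
At this point Spring Security intercepts the request and redirects to /spring_security_login, the login page provided by Spring Security.
When an incorrect username or password is entered, an error message is displayed.
When the user enters the correct username and password, moneyZhong / 123456, the browser is redirected to admin.jsp.
P.S.:
1. In web.xml, Spring Security is configured through the DelegatingFilterProxy filter, which intercepts all requests. The spring-security.xml configuration file specifies which of the intercepted URLs require which authority. /welcome is intercepted but requires no authority; /admin requires the ROLE_USER authority.
2. When the user accesses a URL that requires some authority but has not logged in, the browser is redirected to the login page provided by Spring Security. The source of that login page is as follows: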

    <html><head><title>Login Page</title></head><body onload='document.f.j_username.focus();'>
    <h3>Login with Username and Password</h3><form name='f' action='/springsecurity01/j_spring_security_check' method='POST'>
     <table>
        <tr><td>User:</td><td><input type='text' name='j_username' value=''></td></tr>
        <tr><td>Password:</td><td><input type='password' name='j_password'/></td></tr>
        <tr><td colspan='2'><input name="submit" type="submit" value="Login"/></td></tr>
      </table>
    </form></body></html>

3. How do you customize the login page? (See Part 2.)