使用spring security 2.0 和extjs 3.0实现web登录
1开发环境说明
本例使用MyEclipse 6.5作为开发工具,jdk1.5作为编译工具,tomcat6.0作为web运行服务器。
2开发步骤
2.1搭建web项目
关于搭建web项目相关的文档网上有很多,在此略过。搭建成功后项目结构如下图
项目依赖的jar包如下图
2.2编辑登录页面
2.2.1 index.jsp源码
本项目中把index.jsp作为登录页面。代码如下:
|
<%@ taglib prefix='c' uri='http://Java.sun.com/jstl/core_rt' %> <%@ page import="org.springframework.security.ui.AbstractProcessingFilter" %> <%@ page import="org.springframework.security.ui.webapp.AuthenticationProcessingFilter" %> <%@ page import="org.springframework.security.AuthenticationException" %> <c:set var="ctx" value="${pageContext.request.contextPath}"/> <% String path = request.getContextPath(); String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + path + "/"; String strLocale = request.getParameter("locale"); %> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Spring Security + ExtJS Login</title> <!-- Ext JS files --> <link rel="stylesheet" type="text/css" href="${ctx}/ext-3.0.0/resources/css/ext-all.css"/> <script src="${ctx}/ext-3.0.0/adapter/ext/ext-base.js"></script> <script src="${ctx}/ext-3.0.0/ext-all.js"></script> <!-- login form --> <script src="${ctx}/js/login.js"></script> </head> <body> <br><br><br><br><br> <center> <div id="login"></div> </center> </body> </html> |
2.2.2 index.jsp源码说明
在Index.jsp文件中,代码“<link rel="stylesheet" type="text/css" href="${ctx}/ext-3.0.0/resources/css/ext-all.css" />”是引用extjs的样式。代码“<script src="${ctx}/ext-3.0.0/adapter/ext/ext-base.js"></script>”是加载extjs基本包。
代码“<script src="${ctx}/ext-3.0.0/ext-all.js"></script>”是加载extjs核心包。
代码“<script src="${ctx}/js/login.js"></script>”extjs登录表单。关于login.js的内容,将会在后面小节中介绍。
2.2.3 login.js源码
login.js文件中定义的就是extjs登录表单。代码如下:
|
Ext.onReady(function(){ Ext.QuickTips.init(); var login = new Ext.FormPanel({ labelWidth:80, url:'j_spring_security_check', frame:true, title:'Please Login', defaultType:'textfield', width:300, height:150, monitorValid:true, items:[{ fieldLabel:'Username', name:'j_username', allowBlank:false },{ fieldLabel:'Password', name:'j_password', inputType:'password', allowBlank:false }], buttons:[{ text:'Login', formBind: true, handler:function(){ login.getForm().submit({ method:'POST', success:function(){ Ext.Msg.alert('Status', 'Login Successful!', function(btn, text){ if (btn == 'ok'){ window.location = 'main.action'; } }); }, failure:function(form, action){ if(action.failureType == 'server'){ obj = Ext.util.JSON.decode(action.response.responseText); Ext.Msg.alert('Login Failed!', obj.errors.reason); }else{ Ext.Msg.alert('Warning!', 'Authentication server is unreachable : ' + action.response.responseText); } login.getForm().reset(); } }); } }] }); login.render('login'); }); |
2.2.4 index.js源码说明
在index.js中定义了一个login表单,url:'j_spring_security_check'对应spring security的登录验证地址。表单里放了两个输入域'j_username'、'j_password',分别对应用户名和密码。表单中还有一个登录按钮'Login',点击按钮提交到后台执行登录验证。验证成功跳转到'main.action',验证失败则提示失败信息。'main.action'是在spring mvc中定义访问地址。具体见2.3节,配置spring mvc.
2.3配置spring mvc
本项目中的spring mvc用到2个文件,src目录下com.loiane.controller.MainController.java和WEB-INF目录下的spring-security-extjs-login-servlet.xml。
2.3.1 spring-security-extjs-login-servlet.xml源码
|
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd"> <bean name="/*.action" class="com.loiane.controller.MainController"> </bean> </beans> |
2.3.2 spring-security-extjs-login-servlet.xml源码说明
spring-security-extjs-login-servlet.xml用于URL地址映射,把类似"/*.action"的请求地址映射到com.loiane.controller.MainController.java控制器类做进一步处理,文件中有一句代码:“<bean name="/*.action" class="com.loiane.controller.MainController"></bean>”。
2.3.3 com.loiane.controller.MainController.java源码
|
package com.loiane.controller; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.mvc.multiaction.MultiActionController; public class MainController extends MultiActionController { public ModelAndView main(HttpServletRequest request, HttpServletResponse response) throws Exception { return new ModelAndView("main.jsp"); } } |
2.3.4 com.loiane.controller.MainController.java源码说明
com.loiane.controller.MainController.java继承
org.springframework.web.servlet.mvc.multiaction.MultiActionController.java类,跳转到main.jsp。
2.3.5 main.jsp源码
|
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Spring Security + ExtJS Login</title> </head> <body> <h1>You are successfully authenticated!</h1> </body> </html> |
2.4配置spring security
本项目中的spring security用到2个文件,src目录下com.loiane.security.MyAuthenticationProcessingFilter.java和WEB-INF目录下的applicationContext-security.xml。
2.4.1 applicationContext-security.xml源码
|
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd"> <security:global-method-security /> <security:http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint"> <security:intercept-url pattern="/index.jsp" filters="none" /> <security:intercept-url pattern="/*.action" access="ROLE_USER" /> </security:http> <bean id="authenticationProcessingFilter" class="com.loiane.security.MyAuthenticationProcessingFilter"> <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER" /> <property name="defaultTargetUrl" value="/main.html" /> <property name="authenticationManager" ref="authenticationManager" /> </bean> |
|
<security:authentication-manager alias="authenticationManager" /> <bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint"> <property name="loginFormUrl" value="/index.jsp" /> <property name="forceHttps" value="false" /> </bean> <!-- Usernames/Passwords are admin/111111 dianne/111111 scott/111111 peter/111111 These passwords are from spring security app example --> <security:authentication-provider> <security:password-encoder hash="md5"/> <security:user-service> <security:user name=" admin " password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" /> <security:user name="dianne" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_USER,ROLE_TELLER" /> <security:user name="scott" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_USER" /> <security:user name="peter" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_USER" /> < /security:user-service> </security:authentication-provider> </beans> |
2.4.2 applicationContext-security.xml源码说明
在applicationContext-security.xml文件中配置登录权限验证。
<security:http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">
<security:intercept-url pattern="/index.jsp" filters="none" />
<security:intercept-url pattern="/*.action" access="ROLE_USER" />
</security:http>
这段配置表示:我们要保护应用程序中的/*.action的URL,只有拥有ROLE_USER角色的用户才能访问。任何角色的用户都可以访问/index.jsp。你可以使用多个<intercept-url>元素为不同URL的集合定义不同的访问需求,它们会被归入一个有序队列中,每次取出最先匹配的一个元素使用。所以你必须把期望使用的匹配条件放到最上边。entry-point-ref="authenticationProcessingFilterEntryPoint"表示定义一个权限验证的入口authenticationProcessingFilterEntryPoint。
<bean id="authenticationProcessingFilter" class="com.loiane.security.MyAuthenticationProcessingFilter">
<security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
<property name="defaultTargetUrl" value="/main.html" />
<property name="authenticationManager" ref="authenticationManager" />
</bean>
这段配置定义自定义权限处理过滤器com.loiane.security.MyAuthenticationProcessingFilter,defaultTargetUrl指定验证成功或失败后转向的页面,authenticationManager引用权限管理器。
<bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl" value="/index.jsp" />
<property name="forceHttps" value="false" />
</bean>
这段配置定义权限验证入口,指定登录页面为/index.jsp,不使用https协议。
<security:authentication-provider>
<security:password-encoder hash="md5"/>
<security:user-service>
<security:user name="admin" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
<security:user name="dianne" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_USER,ROLE_TELLER" />
<security:user name="scott" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_USER" />
<security:user name="peter" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_USER" />
< /security:user-service>
</security:authentication-provider>
</beans>
这段配置定义了4个用户,密码使用md5加密,admin密码为111111拥有ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER三个角色、dianne密码为111111拥有ROLE_USER,ROLE_TELLER两个角色、scott密码为111111拥有ROLE_USER角色、peter密码为111111拥有ROLE_USER角色。
2.4.3 com.loiane.security.MyAuthenticationProcessingFilter.java源码
|
package com.loiane.security; import java.io.IOException; import java.io.Writer; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponseWrapper; import org.springframework.security.Authentication; import org.springframework.security.AuthenticationException; import org.springframework.security.ui.webapp.AuthenticationProcessingFilter; public class MyAuthenticationProcessingFilter extends AuthenticationProcessingFilter { protected void onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) throws IOException { super.onSuccessfulAuthentication(request, response, authResult); HttpServletResponseWrapper responseWrapper = new HttpServletResponseWrapper(response); Writer out = responseWrapper.getWriter(); String targetUrl = determineTargetUrl( request ); out.write("{success:true, targetUrl : \'" + targetUrl + "\'}"); out.close(); } protected void onUnsuccessfulAuthentication( HttpServletRequest request, HttpServletResponse response, AuthenticationException failed ) throws IOException { HttpServletResponseWrapper responseWrapper = new HttpServletResponseWrapper(response); Writer out = responseWrapper.getWriter(); out.write("{ success: false, errors: { reason: 'Login failed. Try again.' }}"); out.close(); } } |
2.4.4 com.loiane.security.MyAuthenticationProcessingFilter.java源码说明
com.loiane.security.MyAuthenticationProcessingFilter.java继承于
org.springframework.security.ui.webapp.AuthenticationProcessingFilter.java类,重写了
onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult)和onUnsuccessfulAuthentication( HttpServletRequest request, HttpServletResponse response, AuthenticationException failed )方法。在onSuccessfulAuthentication()方法中返回验证成功后的跳转地址,在onUnsuccessfulAuthentication()方法中返回验证失败的信息。
2.5配置web.xml
2.5.1 web.xml源码
|
<?xml version="1.0" encoding="UTF-8"?> <web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> <display-name>spring-security-extjs-login</display-name> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/spring-security-extjs-login-servlet.xml /WEB-INF/applicationContext-security.xml </param-value> </context-param> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <servlet> <servlet-name>spring-security-extjs-login</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>spring-security-extjs-login</servlet-name> <url-pattern>*.action</url-pattern> </servlet-mapping> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> </web-app> |
2.5.1 web.xml源码说明
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security-extjs-login-servlet.xml
/WEB-INF/applicationContext-security.xml
</param-value>
</context-param>
<filter>
这段代码配置spring使用的相关配置文件。/WEB-INF/spring-security-extjs-login-servlet.xml是关于spring mvc的相关配置。/WEB-INF/applicationContext-security.xml是关于登录权限验证相关的配置。
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
这段代码配置spring过滤链。处理所有URL地址。
<listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
这段代码注册spring监听器。
<servlet>
<servlet-name>spring-security-extjs-login</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring-security-extjs-login</servlet-name>
<url-pattern>*.action</url-pattern>
</servlet-mapping>
这段代码注册spring mvc,处理*.action的请求。
2.6运行效果
登录页面
登录页面-验证成功提示
登录页面-验证成功后跳转到main.jsp页面
登录页面-验证失败提示
3参考文档
http://loianegroner.com/2010/02/integrating-spring-security-with-extjs-login-page/#comments