工作流程:
当用户向服务器发送请求时,SpringSecurity会通过过滤器,拦截SpringSecurity配置文件中设置的请求,如果设置了认证页面则跳向自定义的认证页面,否则跳向SpringSecurity提供的认证页面,当提交用户名或密码后SpringSecurity会调用设置的业务层代码,获取到指定的对象,然后SpringSecurity框架会自动对登录的用户进行密码或权限的检查,如果验证通过则跳向指定的验证成功后的页面,否则跳向指定的验证失败后的页面;
SpringSecurity相关配置:
1)、导入SpringSecurity所依赖的jar包;
1)、spring-security-web;
2)、spring-security-config;
2)、配置wen.xml文件;
SpringSecurity底层是通过11个过滤器组成的过滤器链来工作的,所以使用SpringSecurity之前需要在web.xml配置文件中添加SpringSecurity提供的过滤器实现类(过滤器链的入口):
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--通过spring提供的监听器来解析SpringSecurity核心配置文件-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/spring-security.xml</param-value>
</context-param>
3)、配置SpringSecurity核心配置文件:
a)、导入配置文件的依赖;
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
</beans>
b)、释放对静态资源拦截或指定文件的拦截
<security:http pattern="/login.jsp" security="none"/>
<security:http pattern="/failer.jsp" security="none"/>
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/plugins/**" security="none"/>
SpringSecurity主配置
<security:http auto-config="true" use-expressions="true">
<!--设置所拦截的路径、对指定权限的用户放行-->
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
<!--登录相关配置-->
<security:form-login login-page="/login.jsp"
login-processing-url="/login"<!--登录后框架所调用的业务处理层(服务层)-->
default-target-url="/index.jsp"<!--登录成功后跳转的页面-->
authentication-failure-url="/failer.jsp"<!--登录失败后跳转的页面-->
always-use-default-target="true"<!--登录成功后总是跳转到default-target-url所指定的页面-->
/>
<!--退出相关配置-->
<security:logout invalidate-session="true"
logout-url="/logout"<!--注销后框架所调用的业务处理层(服务层)-->
logout-success-url="/login.jsp"/>
<!--关闭csrf拦截-->
<security:csrf disabled="true"/>
</security:http>
c)、为SpringSecurity提供数据认证来源
<bean id="passwordEncode" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"></bean>
<security:authentication-manager>
<!--设置SpringSecurity业务处理的实现类对象-->
<security:authentication-provider user-service-ref="userServiceImpl">
<!--设置SpringSecurity用于加密以及用于比较原文与密文是否相同的对象实例-->
<security:password-encoder ref="passwordEncode"/>
</security:authentication-provider>
</security:authentication-manager>
SpringSecurity业务层编写步骤:
1)、实现UserDetailsService接口;
2)、重写loadUserByUsername方法;
a)、 通过传入的username查询数据库获取用户对象;
b)、验证用户是否存在;
c)、将查询到的用户信息封装到UserDetails实例中;
该对象实例的构造方法需要传入username、password、该用户所拥有的角色名集合;
用户的角色名称需要封装到SimpleGrantedAuthority实例中;
然后将所有的SimpleGrantedAuthority实例封装带集合中,传入UserDetails实例;
3)、返回UserDetails对象;
网友评论