教你搭建SpringSecurity3框架(附源码)
源码下载地址:http://pan.baidu.com/s/1qWsgIg0
一、web.xml
<?xml version="1.0" encoding="UTF-8"?> <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> <!-- 字符编码过滤器最好放最上面,最先加载,防止乱码 --> <filter> <filter-name>characterEncodingFilter</filter-name> <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <description>强制进行转码 </description> <param-name>forceEncoding</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>characterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- log4j --> <context-param> <param-name>log4jConfigLocation</param-name> <param-value>classpath:config/log4j.properties</param-value> </context-param> <listener> <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class> </listener> <context-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:config/applicationContext.xml,classpath:config/spring-security.xml</param-value> </context-param> <!-- SpringSecurity必须的核心过滤器优先配置,让SpringSecurity先加载,防止SpringSecurity拦截失效 --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <!-- 在web.xml下面配置好监听,让服务器启动时就初始化该类,可以得到request --> <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class> </listener> <!-- Spring需要加载的配置文件 --> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <!-- SpringMVC 默认所对应的配置文件是WEB-INF下的{servlet-name}-servlet.xml,这里便是:mvc-servlet.xml 这里可以用 / 但不能用 /* ,拦截了所有请求会导致静态资源无法访问,所以要在servlet.xml中配置mvc:resources --> <servlet> <servlet-name>MVC</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <init-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:config/mvc-servlet.xml</param-value> </init-param> </servlet> <servlet-mapping> <servlet-name>MVC</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <welcome-file-list> <welcome-file>/index.jsp</welcome-file> </welcome-file-list> <context-param> <param-name>webAppRootKey</param-name> <param-value>Security.root</param-value> </context-param> <session-config> <session-timeout>30</session-timeout> </session-config> </web-app>
二、applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd"> <!-- org.springframework.context.i18n.LocaleContextHolder --> <!-- <bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"> <property name="basename" value="classpath:org/springframework/security/messages"/> </bean> --> </beans>
三、spring-security.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd"> <!-- Spring-Security 的配置 --> <security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied"> <security:intercept-url pattern="/auth/login" access="permitAll" /> <security:intercept-url pattern="/main/common" access="ROLE_ADMIN,ROLE_USER" /> <security:intercept-url pattern="/main/admin" access="ROLE_ADMIN" /> <security:form-login login-page="/auth/login" authentication-failure-url="/auth/login?error=true" default-target-url="/main/common" /> <security:logout invalidate-session="true" logout-success-url="/auth/login" logout-url="/auth/logout" /> <security:custom-filter ref="customSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" /> </security:http> <!-- 认证过滤器 --> <bean id="customSecurityInterceptor" class="com.candy.common.utils.security.CustomSecurityInterceptor"> <!-- 用户拥有的权限 --> <property name="authenticationManager" ref="customAuthenticationManager" /> <!-- 用户是否拥有所请求资源的权限 --> <property name="accessDecisionManager" ref="customAccessDecisionManager" /> <!-- 资源与权限对应关系 --> <property name="securityMetadataSource" ref="customSecurityMetadataSource" /> </bean> <!-- 实现了UserDetailsService的Bean --> <security:authentication-manager alias="customAuthenticationManager"> <security:authentication-provider user-service-ref="customUserDetailsService"> <security:password-encoder hash="md5" /> </security:authentication-provider> </security:authentication-manager> <!-- 通过 customUserDetailsService,Spring会自动的用户的访问级别. 也可以理解成:以后我们和数据库操作就是通过customUserDetailsService来进行关联. --> <bean id="customUserDetailsService" class="com.candy.common.utils.security.CustomUserDetailsService"></bean> <!-- 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 --> <bean id="customAccessDecisionManager" class="com.candy.common.utils.security.CustomAccessDecisionManager"></bean> <!-- 资源源数据定义,即定义某一资源可以被哪些角色访问 --> <bean id="customSecurityMetadataSource" class="com.candy.common.utils.security.CustomSecurityMetadataSource"></bean> </beans>
spring-security.xml命名空间配置,官方提供了两种配置方案
第一种、命名空间用beans开头,但是在配置中一直需要用<security:*>来配置。
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> ... </beans>
第二种、命名空间用security开头,在配置中不需要security前缀,但是bean的配置需要用<beans:bean>配置。
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> ... </beans:beans>
四、mvc-servlet.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd"> <!-- 激活spring的注解. --> <context:annotation-config /> <!-- 扫描注解组件并且自动的注入spring beans中. 例如,他会扫描@Controller 和@Service下的文件.所以确保此base-package设置正确. --> <context:component-scan base-package="com.candy.controller" /> <!-- 配置注解驱动的Spring MVC Controller 的编程模型.注:次标签只在 Servlet MVC工作! --> <!-- SpringMVC通过JACKSON包,将responsebody中的对象转换为JSON --> <mvc:annotation-driven> <mvc:message-converters register-defaults="false"> <bean id="jacksonMessageConverter" class="org.springframework.http.converter.json.MappingJacksonHttpMessageConverter" /> </mvc:message-converters> </mvc:annotation-driven> <!-- 定义一个视图解析器 --> <bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver" p:prefix="/WEB-INF/jsp/" p:suffix=".jsp" /> <!-- 处理静态资源 --> <mvc:default-servlet-handler /> </beans>