一、pom.xml
<!-- spring security -->
<!-- All five artifacts are pinned to the same version on purpose: mixing Spring Security
     versions on one classpath is a frequent source of NoSuchMethodError at runtime.
     Only core, web and config are exercised by the web.xml / spring-security.xml shown on
     this page; taglibs and acl are declared but not referenced by that configuration.
     The 3.2.x line is end-of-life; check for a supported release before reusing this setup. -->
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-core</artifactId>
  <version>3.2.2.RELEASE</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-web</artifactId>
  <version>3.2.2.RELEASE</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-config</artifactId>
  <version>3.2.2.RELEASE</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-taglibs</artifactId>
  <version>3.2.2.RELEASE</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-acl</artifactId>
  <version>3.2.2.RELEASE</version>
</dependency>
二、web.xml
在原本spring的基础上添加
<!-- spring-security.xml is appended to the locations the root application context loads,
     so the userDetailsService bean it declares becomes visible to the security filter.
     The paths are classpath-relative (src/main/resources in a Maven layout). -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>classpath:spring.xml,classpath:spring-hibernate.xml,classpath:spring-security.xml</param-value>
</context-param>
<!-- SpringSecurity filter -->
<!-- DelegatingFilterProxy forwards to the Spring bean whose name equals this filter-name.
     "springSecurityFilterChain" is the bean name the security namespace's <http> element
     registers, so this name must not be changed independently of that configuration. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Mapped to /* so that every request enters the security filter chain; a narrower
     url-pattern would leave the unmatched URLs outside the <intercept-url> rules entirely. -->
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
classpath: 表示类路径;在 Maven 项目中对应 src/main/resources 目录下的文件
三、spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- security="none" gives the matching pattern an empty filter chain: nothing in Spring
       Security runs for /login.jsp (no authentication, no session handling). As a result the
       <intercept-url pattern="/login.jsp"> declared inside the second <http> below is never
       consulted for that URL; it is redundant with this element. -->
  <http security="none" pattern="/login.jsp"></http>

  <!-- auto-config="true" switches on form login, HTTP Basic and logout with their defaults.
       In the 3.2 XML namespace CSRF protection is opt-in and no <csrf/> element is declared
       here, so the /login.do and logout requests below are not CSRF-protected. -->
  <http auto-config="true">
    <!-- login-processing-url is the POST target the login form must use; Spring Security's
         filter handles it before any <intercept-url> rule is evaluated. -->
    <form-login login-page="/login.jsp" default-target-url="/hello.jsp"
                login-processing-url="/login.do" authentication-failure-url="/error.jsp"/>
    <logout logout-success-url="/login.jsp" />
    <!-- Shown when an already-authenticated user lacks the required role (access denied),
         which is distinct from the authentication-failure-url above. -->
    <access-denied-handler error-page="/error.jsp"/>
    <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/error.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <!-- Catch-all: every other URL requires an authority named exactly ROLE_USER, which is
         the string UserDetailsServiceImpl places into SimpleGrantedAuthority. -->
    <intercept-url pattern="/**" access="ROLE_USER" />
  </http>

  <!-- AuthenticationManager used for authentication -->
  <!-- No <password-encoder> is declared for this provider, so the password returned by
       userDetailsService is compared with the submitted one as-is. Confirm that the stored
       value is a hash and configure a matching encoder before reusing this configuration. -->
  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsService" />
  </authentication-manager>

  <beans:bean id="userDetailsService" class="com.shi.core.service.UserDetailsServiceImpl"></beans:bean>
</beans:beans>
login-page:自定义登录页面是通过login-page属性来指定的。
login-processing-url:表示登录表单提交的地址,默认是“/j_spring_security_check”。这个地址只是 Spring Security 用来识别登录请求的标记,真正的登录处理由 Spring Security 完成,用户不需要自己实现该地址对应的处理逻辑。
default-target-url:通过指定form-login元素的default-target-url属性,我们可以让用户在直接登录后跳转到指定的页面。如果想让用户不管是直接请求登录页面,还是通过Spring Security引导过来的,登录之后都跳转到指定的页面,我们可以通过指定form-login元素的always-use-default-target属性为true来达到这一效果。
authentication-failure-url:认证失败时跳转的页面
error-page(access-denied-handler 的属性):用户已通过认证但没有访问权限(被拒绝访问)时跳转的页面,与登录失败时使用的 authentication-failure-url 不同
logout-success-url:注销(登出)成功后默认跳转的页面
对于需要跳过登录验证的地址,可在对应的 intercept-url 上配置 access="IS_AUTHENTICATED_ANONYMOUSLY" 来实现
四、UserDetailService.java
/**
 * Bridges the application's {@code UserManager} to Spring Security's {@link UserDetailsService}
 * so that the {@code authentication-provider} declared in spring-security.xml can resolve
 * accounts by login name.
 *
 * <p>NOTE(review): the spring-security.xml shown alongside this class declares no
 * {@code <password-encoder>}, so the password value returned from here is compared by the
 * provider exactly as stored. Confirm that {@code User#getPassword()} holds a hash and that an
 * encoder is configured before reusing this setup.
 */
@Transactional(readOnly = true)
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserManager userManager;

    /**
     * Resolves {@code username} to a {@link UserDetails} instance.
     *
     * @param username the login name submitted on the login form
     * @return an {@code OperatorDetails} built from the matching {@code User}
     * @throws UsernameNotFoundException if {@code userManager} knows no account with that login name
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User account = userManager.findUserByLoginName(username);
        if (account == null) {
            throw new UsernameNotFoundException("用户" + username + " 不存在");
        }
        Set<SimpleGrantedAuthority> authorities = authoritiesOf(account);
        // NOTE(review): the four boolean flags are hard-coded true, so an account that is
        // disabled, expired or locked in the backing store would still be accepted here.
        // Presumably they map to enabled / accountNonExpired / credentialsNonExpired /
        // accountNonLocked (OperatorDetails' constructor is not shown) — confirm, and wire
        // them to real account state if User carries it.
        // NOTE(review): the principal is account.getName() although the lookup used the login
        // name — confirm both hold the same value, otherwise re-authentication by principal
        // name may fail.
        return new OperatorDetails(account.getName(), account.getPassword(),
                true, true, true, true, authorities);
    }

    /**
     * Maps every role of {@code account} to a {@link SimpleGrantedAuthority} carrying the
     * role's name (e.g. {@code ROLE_USER}); these strings are what the {@code access}
     * attributes of the {@code intercept-url} rules in spring-security.xml are matched against.
     */
    private Set<SimpleGrantedAuthority> authoritiesOf(User account) {
        Set<SimpleGrantedAuthority> authorities = new HashSet<SimpleGrantedAuthority>();
        // assumes getRoleList() never returns null — TODO confirm; an absent list would NPE here
        for (Role role : account.getRoleList()) {
            authorities.add(new SimpleGrantedAuthority(role.getRole()));
        }
        return authorities;
    }
}
SimpleGrantedAuthority 的构造参数是一个 String,例如 ROLE_USER、ROLE_ADMIN;该字符串需要与 intercept-url 的 access 属性中使用的角色名完全一致。