
Permission Management Frameworks: Spring Security Concepts and Quick-Start Steps with Code Explained

程序员文章站 2022-07-12 16:30:17

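Spring Security Concepts

  1. Spring Security is a security management framework that provides the basic operations of authentication and authorization.

  2. Authentication: when a user accesses the system, the process by which the system verifies that the user's identity is legitimate is authentication. A common form of authentication: login authentication.

  3. Authorization: after a user is authenticated and accesses a system resource, the process of checking whether the user has permission to access that resource is the authorization access check, or authorization for short. The permission check: (1) get the user's permissions; (2) determine the permissions required by the resource being accessed; (3) look up the required permission in the user's permission list; if it is found, access is granted, otherwise access is denied.

Note

Authentication and authorization are not concepts unique to Spring Security; they are general concepts.

Common permission management frameworks:

  1. Spring Security
  2. Apache Shiro
  3. Writing your own code to encapsulate the authentication and authorization operations.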

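Spring Security (2): Quick Start

Steps:

  1. Create a web project
  2. Add dependencies
  3. Configure web.xml
  4. Configure spring-security.xml
  5. Prepare the pages

Implementation

  1. Create a web project

  2. Add dependencies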

    <?xml version="1.0" encoding="UTF-8"?>
    
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">  
      <modelVersion>4.0.0</modelVersion>  
      <groupId>cn.itcast</groupId>  
      <artifactId>spring_security_demo</artifactId>  
      <version>1.0-SNAPSHOT</version>
      <packaging>war</packaging>
      <properties>
        <spring.version>5.0.2.RELEASE</spring.version>
        <spring.security.version>5.0.1.RELEASE</spring.security.version>
      </properties>
      <dependencies>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-core</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-web</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-webmvc</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-context-support</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-test</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-jdbc</artifactId>
          <version>${spring.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-web</artifactId>
          <version>${spring.security.version}</version>
        </dependency>
        <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-config</artifactId>
          <version>${spring.security.version}</version>
        </dependency>
        <dependency>
          <groupId>javax.servlet</groupId>
          <artifactId>javax.servlet-api</artifactId>
          <version>3.1.0</version>
          <scope>provided</scope>
        </dependency>
      </dependencies>
    
    </project>
    
  3. Configure web.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns="http://java.sun.com/xml/ns/javaee"
           xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
           version="2.5">
    
       <context-param>
          <param-name>contextConfigLocation</param-name>
          <param-value>classpath:spring-security.xml</param-value>
       </context-param>
       <listener>
          <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
       </listener>
    
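       <!--Proxy filter for Spring Security: intercepts requests and delegates their handling (authentication and authorization) to the Spring Security framework.-->
       <!--Note: the filter-name cannot be chosen freely; the bean with this name is looked up in the container.-->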
       <filter>
          <filter-name>springSecurityFilterChain</filter-name>
          <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
       </filter>
       <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
       </filter-mapping>
    </web-app>
    
  4. Configure spring-security.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    
        <!--1. First specify the resources that are let through without security.-->
        <security:http pattern="/login.html" security="none"/>
        <security:http pattern="/failer.html" security="none"/>
        <security:http pattern="/favicon.ico" security="none"/>
    
        <!--2. Configure the resources Spring Security intercepts, the login form, logout, the login-failure page, and so on.-->
        <security:http auto-config="true" use-expressions="false">
            <!--2.1 Specify the resources to intercept, and require that users accessing them have the ROLE_PRIMARY authority.-->
            <security:intercept-url pattern="/**" access="ROLE_PRIMARY"/>
    
            <!--2.2 Configure the custom login page-->
            <security:form-login login-page="/login.html"
                                 login-processing-url="/login"
                                 username-parameter="username"
                                 password-parameter="password"
                                 default-target-url="/success.html"
                                 authentication-failure-url="/failer.html"
            />
    
            <!--2.3 Configure logout-->
            <security:logout
                    logout-url="/logout"
                    logout-success-url="/login.html"
                    invalidate-session="true"
            />
    
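            <!--2.4 Disable CSRF (cross-site request forgery) protection; the static login form in this demo carries no CSRF token.-->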
            <security:csrf disabled="true"/>
    
        </security:http>
    
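        <!--3. Authentication manager: configures the valid username and password, hard-coded here. The {noop} prefix means the password is stored in plain text, without encoding.-->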
        <security:authentication-manager>
            <security:authentication-provider>
                <security:user-service>
                    <security:user name="zhangsan" password="{noop}666" authorities="ROLE_PRIMARY"/>
                </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager>
    </beans>
    
  5. Prepare the pages

    The pages are as follows

    index.html
    <body>
        index...
    </body>
    
    login.html
    <body>
    <form action="/login" method="post">
        用户<input type="text" name="username"><br>
        密码<input type="password" name="password"><br>
        <input type="submit" value="登陆"><br>
    </form>
    </body>
    
    success.html
    <body>
    success...   <a href="/logout">退出</a>
    </body>
    
    failer.html
    <body>
    登录失败!
    </body>