spring security3使用笔记
先对项目中用到的security进行总结如下:
- sample
熟悉一个example,了解一些security的运行机制
例如参照spring-security-samples-tutorial-3.1.x.war,直接放到tomcat下webapps下
- sample 集成到自己的项目中去
这一步也很简单,就是把sample的配置拷贝到自己的项目中去。web.xml的配置添加进去,追加applicationContext-security.xml文件,只需简单地修改一下intercept-url,也可不修改,都拷贝过去。
- 改造applicationContext-security
由于例子中,使用的都是自动生成的login页面,而且用户信息是在配置文件中指定的,因此需要改造。我主要是从两方面去改造的。首先修改成自己的登录页,其次,从数据库中获取用户信息。
如何修改成自己的登录login页呢?我主要参考了http://www.blogjava.net/youxia/archive/2008/12/07/244883.html,对整个security框架有了个整体了解,其次阅读了http://www.blogjava.net/SpartaYew/archive/2011/06/15/350630.html对security的不同配置方案,了解到security的如何配置。最终我还是查找的springsecurity官方pdf,了解<form-login>元素使用,配置login-page和login-processing-url就可替换成自己的login,default-target-url属性是自动跳转的页面。到目前为止感觉有点乱,实际上很简单的,就是整个form提交的流程,首先是login页面,用户输入信息,其次是login提交的处理的url,就是action的路径,其次就是处理成功跳转和处理失败跳转的页面。因此具体的配置属性可参考文档,如果你的是myeclipse,把鼠标放到<form-login>,可通过properties视图查看到所有的可配置属性,同理退出也需要自定义的页面。
接下来就是如何从数据库读取用户信息?从以上两个网址上已经了解到只要修改UserDetailService,也就是user-service,修改的方式很多种,我直接选择的sql语句。这点我是从http://download.csdn.net/detail/klitao/2764850下载例子,各种各样的配置的例子都有。这样基本的配置基本搞定。参照代码如下:
<http use-expressions="true"> <intercept-url pattern="/login.html" access="permitAll" /> <intercept-url pattern="/loginprocess.html" access="permitAll" /> <intercept-url pattern="/welcome.html" access="isAuthenticated()" /> <intercept-url pattern="/ad/**" access="hasRole('ROLE_SYSTEM')" /> <intercept-url pattern="/account/**" access="hasRole('ROLE_SYSTEM')" /> <intercept-url pattern="/picc/**" access="hasAnyRole('ROLE_SYSTEM','ROLE_PICC')" /> <intercept-url pattern="/**" access="denyAll" /> <form-login login-page="/login.html" authentication-failure-url="/login.html" default-target-url="/" login-processing-url="/loginprocess.html" /> <logout logout-success-url="/login.html" logout-url="/logout.html" /> <remember-me /> <session-management> <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> </session-management> </http> <authentication-manager> <authentication-provider user-service-ref="scskUserDetailsService"> <password-encoder hash="md5"> <salt-source user-property="username" /> </password-encoder> </authentication-provider> </authentication-manager> <beans:bean id="scskUserDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl"> <beans:property name="dataSource" ref="dataSourceOrcl" /> <beans:property name="usersByUsernameQuery" value="select t.account, t.password, decode(status, 0, 1, 0) as status from U_USERS t where t.account = ?" /> <beans:property name="authoritiesByUsernameQuery" value="select t.account, t.user_role from U_USERS t where t.account = ?" /> </beans:bean>
到目前为止,基本搞定security的简单配置。但是总感觉有点云里雾里的感觉,文档写的太零散,只能做手册查询了。然后到网上搜,总算发现了一本比较的security3书,请参考http://lengyun3566.iteye.com/blog/1068998,这里是中文的翻译,书写得也很好,翻译的也很不错的。大家自己认真读下,我保证收获颇丰!这样就会对security3有个完整清晰的认识!以后想扩展想改造,就不会摸石头过河啦!另外登录页追加验证参照http://www.iteye.com/topic/720867,我的配置如下
<http use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint"> <intercept-url pattern="/login.html" access="permitAll" /> <intercept-url pattern="/loginprocess.html" access="permitAll" /> <intercept-url pattern="/upload.html" access="permitAll" /> <intercept-url pattern="/public/**" access="permitAll" /> <intercept-url pattern="/editUpload.html" access="permitAll" /> <intercept-url pattern="/ad/**" access="hasRole('ROLE_SYSTEM')" /> <intercept-url pattern="/account/**" access="hasRole('ROLE_SYSTEM')" /> <intercept-url pattern="/picc/**" access="hasAnyRole('ROLE_SYSTEM','ROLE_PICC')" /> <intercept-url pattern="/**" access="isAuthenticated()" /> <custom-filter ref="scskUserLoginFilter" position="FORM_LOGIN_FILTER" /> <!-- <form-login login-page="/login.html" authentication-failure-url="/login.html" default-target-url="/" login-processing-url="/loginprocess.html" /> --> <logout logout-success-url="/login.html" logout-url="/logout.html" /> <remember-me /> <session-management> <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" /> </session-management> </http> <beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> <beans:property name="loginFormUrl" value="/login.html"></beans:property> </beans:bean> <beans:bean id="scskUserLoginFilter" class="com.ccc.scsk.filter.UserLoginFilter"> <beans:property name="filterProcessesUrl" value="/loginprocess.html"></beans:property> <beans:property name="authenticationSuccessHandler" ref="loginLogAuthenticationSuccessHandler"></beans:property> <beans:property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler"></beans:property> <beans:property name="authenticationManager" ref="authenticationManager"></beans:property> </beans:bean> <beans:bean id="loginLogAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> <beans:property name="defaultTargetUrl" value="/"></beans:property> </beans:bean> <beans:bean id="simpleUrlAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> <beans:property name="defaultFailureUrl" value="/login.html"></beans:property> </beans:bean> <authentication-manager alias="authenticationManager"> <authentication-provider user-service-ref="scskUserDetailsService"> <password-encoder hash="md5"> <salt-source user-property="username" /> </password-encoder> </authentication-provider> </authentication-manager> <beans:bean id="scskUserDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl"> <beans:property name="dataSource" ref="dataSourceOrcl" /> <beans:property name="usersByUsernameQuery" value="select t.account, t.password, decode(status, 0, 1, 0) as status from U_USERS t where t.account = ?" /> <beans:property name="authoritiesByUsernameQuery" value="select t.account, t.user_role from U_USERS t where t.account = ?" /> </beans:bean> <beans:bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource"> <beans:property name="basename" value="org/springframework/security/messages" /> </beans:bean>
总之,参考文档,参考实例,多阅读相关的文档,多动手就可搞定的,不过,一定要把基础打牢的,最起码要熟悉一般的流程,对验证的基本流程要熟悉的,推荐要熟悉http://lengyun3566.iteye.com/blog/1103107内容
推荐阅读
-
《Visual C# 从入门到精通》第一章使用变量、操作符和表达式——读书笔记
-
Spring框架学习笔记(3)——SpringMVC框架
-
影响笔记本使用寿命的主要因素是什么?详解保证笔记本电池寿命
-
使用Spring Data JPA进行数据分页与排序
-
ThinkPad SL410笔记本在使用指纹识别功能时提示禁止使用
-
使用笔记本自带的SIM卡槽插入3G卡实现上网
-
python线程池(threadpool)模块使用笔记详解
-
scikit-learn使用笔记与sign prediction简单小结
-
Spring JdbcTemplate之使用详解
-
Vue2.5学习笔记之如何在项目中使用和配置Vue