Almost every system that people operate and administer needs a permission system. At its core, a permission system comes down to two things: authorization and authentication. Whether it is a third-party framework or one built to suit your own needs, every permission system revolves around that core, and Spring Security is no exception. So how do you integrate Spring Security into an application? The main steps are as follows:

1. Configuration file

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http>
        <intercept-url pattern="/login.htm" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <form-login login-page="/login.htm"
            login-processing-url="/login_process.htm"
            authentication-failure-url="/login.htm?error=true"
            default-target-url="/index.htm"
            password-parameter="password"
            username-parameter="username" />
        <http-basic />
        <logout logout-success-url="/login.htm" logout-url="/logout.htm"/>
        <remember-me token-validity-seconds="604800" /> <!-- 1 week -->
        <custom-filter ref="resourceSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR"/>
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="securityManager">
            <!-- Unsalted MD5, as in the original setup; a weak choice for stored passwords -->
            <password-encoder hash="md5"/>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="securityManager"
        class="com.apache.platform.service.authorization.SecurityManagerSupport"></beans:bean>

    <beans:bean id="resourceSecurityInterceptor"
        class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <!-- Authentication management -->
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <!-- Access decision -->
        <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
        <!-- Resource definition -->
        <beans:property name="securityMetadataSource" ref="secureResourceFilterInvocationDefinitionSource" />
    </beans:bean>

    <!-- Access decision manager -->
    <beans:bean id="accessDecisionManager"
        class="com.apache.platform.service.authorization.AccessDecisionManager">
    </beans:bean>

    <beans:bean id="secureResourceFilterInvocationDefinitionSource"
        class="com.apache.platform.service.authorization.SecureResourceFilterInvocationDefinitionSource" />
</beans:beans>
```

The whole integration is built around this configuration file.

1) Authentication management: handles authentication when users log in.
2) Access decision: defines the rules and policy for access to resources.
3) Resource definition: loads the resources the authenticated user may access.

SecurityManagerSupport.java

```java
package com.apache.platform.service.authorization;

import java.util.ArrayList;
import java.util.Collection;

import javax.servlet.ServletContext;

import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.web.context.ServletContextAware;

import com.apache.platform.common.CommConstant;
import com.apache.platform.service.IUserManager;

/**
 * @author tangss
 * 2013-09-28 09:19:25
 */
public class SecurityManagerSupport implements UserDetailsService, ServletContextAware {

    @Autowired
    private IUserManager userManager;

    ServletContext servletContext;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails user = null;
        if (StringUtils.isNotEmpty(username) && username.equals("test")) {
            // Built-in test account for the demo; the hash is MD5("123456")
            Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            authorities.add(new SimpleGrantedAuthority("admin_role"));
            user = new UserInfo(username, "e10adc3949ba59abbe56e057f20f883e", true, true, true, true, authorities);
        } else {
            user = userManager.getUserByUserName(username);
        }
        if (user == null) {
            // The UserDetailsService contract forbids returning null
            throw new UsernameNotFoundException("User not found");
        }
        // ServletContext attributes are application-wide: every login overwrites this
        // value for all users. The current user is also available from SecurityContextHolder.
        this.servletContext.setAttribute(CommConstant.USER_INFO, user);
        return user;
    }

    /*
     * (non-Javadoc)
     * @see org.springframework.web.context.ServletContextAware#setServletContext(javax.servlet.ServletContext)
     */
    @Override
    public void setServletContext(ServletContext servletContext) {
        this.servletContext = servletContext;
    }
}
```

AccessDecisionManager.java

```java
package com.apache.platform.service.authorization;

import java.util.Collection;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Grants access when the user holds any one of the roles required for the resource.
 */
public class AccessDecisionManager implements org.springframework.security.access.AccessDecisionManager {

    @Override
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // No attributes configured for the resource: allow
        if (configAttributes == null) {
            return;
        }
        for (ConfigAttribute ca : configAttributes) {
            String needRole = ((SecurityConfig) ca).getAttribute();
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                if (needRole.equals(ga.getAuthority())) {
                    return;
                }
            }
        }
        throw new AccessDeniedException("没有权限");
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}
```

SecureResourceFilterInvocationDefinitionSource.java

```java
package com.apache.platform.service.authorization;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletContext;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntPathRequestMatcher;
import org.springframework.security.web.util.RequestMatcher;
import org.springframework.web.context.ServletContextAware;

import com.apache.platform.common.CommConstant;

/**
 * @author tangss
 * 2013-09-28 09:44:38
 */
public class SecureResourceFilterInvocationDefinitionSource implements FilterInvocationSecurityMetadataSource,
        ServletContextAware {

    private Map<String, String> linkMap;

    // Cache of parsed attributes per URL pattern; this bean is a singleton used by
    // concurrent request threads, so the cache must be thread-safe
    private Map<String, Collection<ConfigAttribute>> resourceMap =
            new ConcurrentHashMap<String, Collection<ConfigAttribute>>();

    // Return the authorities required for the requested resource
    @Override
    public Collection<ConfigAttribute> getAttributes(Object filter) throws IllegalArgumentException {
        if (linkMap == null || linkMap.isEmpty()) {
            return null;
        }
        RequestMatcher matcher = null;
        Set<Entry<String, String>> linkSet = linkMap.entrySet();
        for (Entry<String, String> entry : linkSet) {
            String url = entry.getKey();
            matcher = new AntPathRequestMatcher(url);
            if (matcher.matches(((FilterInvocation) filter).getRequest())) {
                Collection<ConfigAttribute> configAttributes = resourceMap.get(url);
                if (configAttributes != null) {
                    return configAttributes;
                }
                // Parse the roles
                String value = entry.getValue();
                // split by comma
                String[] values = value.split(",");
                configAttributes = new ArrayList<ConfigAttribute>();
                for (String attribute : values) {
                    ConfigAttribute configAttribute = new SecurityConfig(attribute);
                    configAttributes.add(configAttribute);
                }
                resourceMap.put(url, configAttributes);
                return configAttributes;
            }
        }
        // No pattern matched: the interceptor treats the request as a public resource
        return null;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }

    @SuppressWarnings("unchecked")
    @Override
    public void setServletContext(ServletContext servletContext) {
        linkMap = (Map<String, String>) servletContext.getAttribute(CommConstant.LINK_MAP);
    }
}
```

2. Login page

```html
#set($layout = "/layout/blankLayout.vm")
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    <title>登录</title>
    <script type="text/javascript" src="$!{scriptsPath}scripts/common/jquery-1.10.2.js"></script>
    <link rel="stylesheet" type="text/css" href="$!{stylesPath}styles/login.css" />
</head>
<body>
    <form method="post" action="login_process.htm">
        <div class="login">
            <p>
                用户名:<input type="text" name="username" />
            </p>
            <p>
                密 码:<input type="password" name="password" />
            </p>
            <p>
                <input type="checkbox" name="_spring_security_remember_me" /> 记住我
            </p>
            <p>
                <input type="submit" value="登 录" class="btn" />
            </p>
        </div>
    </form>
</body>
</html>
```

3. web.xml configuration

```xml
<!-- Only requests matching *.htm pass through the security filter chain -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>*.htm</url-pattern>
</filter-mapping>
```

4. Maven pom.xml

```xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>
```