Spring Security允许开发人员轻松地将安全功能集成到J2EE Web应用程序中,它通过Servlet过滤器实现“用户自定义”安全检查。
在本教程中,我们将向您展示如何在Spring MVC中集成Spring Security 3.0并安全访问。在集成成功后,当我们查看页面的内容时用户需要先输入正确的“用户名”和“密码”。
1.目录结构
项目最终目录如下所示:
2.Spring Security依赖关系
为了正常运行 Spring security , 你需要加入 “spring-security-core.jar“, “spring-security-web.jar” and “spring-security-config.jar“. 在Maven库中你需要加入Spring配置库
pom.xml
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${org.springframework-version}</version>
</dependency> <dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${org.springframework-version}</version>
</dependency> <dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${org.springframework-version}</version>
</dependency>
3.Spring MVC Web应用程序
当访问“/welcome”跳转到“home.jsp”页面,稍后用Spring Security安全访问这个链接。
HomeController.java
package com.jd.vicapp; import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; @Controller
@RequestMapping("/welcome")
public class HomeController {
@RequestMapping(method = RequestMethod.GET)
public String printWelcome(Model model) {
model.addAttribute("message", "Spring Security Hello World");
return "home";
} }
home.jsp
<html>
<body>
<h1>Message : ${message}</h1>
</body>
</html>
4.Spring Secuity:用户验证
创建一个单独的Spring配置文件去定义Spring Security相关的东西。它要实现的是:只有用户输入了正确的用户名“mkyong”和密码“123456”才可以访问“/welcome” 。
下面的Spring配置文件你应该明白是什么意思。
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <http auto-config="true">
<intercept-url pattern="/" access="ROLE_USER" />
</http> <authentication-manager>
<authentication-provider>
<user-service>
<user name="victorruan" password="123456" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager> </beans:beans>
5.整合Spring Security
想要在Web应用程序中整合Spring Security,只需加入“DelegatingFilterProxy”作为Servlet过滤器拦截到来的请求即可。
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml,
/WEB-INF/spring/spring-security.xml </param-value>
</context-param> <!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener> <!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/appServlet/servlet-context.xml
</param-value> </init-param>
<load-on-startup>1</load-on-startup>
</servlet> <servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping> <!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter> <filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping> </web-app>
6.Demo
就是以上这些配置了
当我们访问“http://localhost:8080/welcome”时,Spring Security 将会自动拦截到“http://localhost:8080/spring_security_login”登陆页面验证身份。
http://localhost:8080/spring_security_login页面如下所示:
如果输错了用户名和密码则页面会显示错误的消息,如下所示:
http://localhost:8080/spring_security_login?login_error
如果我们输对了用户名和密码,Spring Security则会跳转到欢迎页面,如下所示:
http://localhost:8080/welcome