小試Spring Security 2

以後可能要涉及到Spring Security ,在網上找資料挺多，因爲第一次弄，搞的我看到後忘了前面，最後看了官方的tutorial，參考後研究出了
最基本的使用方法，暫時不去考慮高級用法,Spring Security使用了AOP思想，所以對安全方面使用起來很方便，加去自如。
我看了下通過提供role和auth,於url和method上提供許多驗證機制(Provider)，驗證數據可以基於SQL或是LDAP等,
我寫了下一個簡單的基本配置的用戶登錄應用使用ss2(Spring Security 2進行了包裝,使配置更加簡化):

一.加載Spring security Filter
二.配置Security Information

下面詳細講解:
1.導入spring所需jar包,和spring security 2所需jar , 從官方下載後從裏面tutorial的lib裏拷就行了
2.配置web.xml:

 

<!-- Spring security Filter --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- Spring security Filter End --> <!-- listener for defend login many times --> <listener> <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class> </listener>/

 

3.配置applicationContext-security.xml
參考tutorial裏的文件作一些修改

 

 

<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"> <beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener" /> <global-method-security secured-annotations="enabled"> <!-- AspectJ pointcut expression that locates our "post" method and applies security that way <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/> --> </global-method-security> <http auto-config="true"> <intercept-url pattern="/login.jsp*" filters="none"/> <intercept-url pattern="/**" access="ROLE_USER" /> <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true" default-target-url="/index.jsp" /> <logout logout-success-url="/login.jsp"/> <!--<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>--> </http> <!-- All of this is unnecessary if auto-config="true" <form-login /> <anonymous /> <http-basic /> <logout /> <remember-me /> --> <!-- Usernames/Passwords are rod/koala dianne/emu scott/wombat peter/opal --> <authentication-provider> <password-encoder hash="md5"/> <user-service> <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" /> <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" /> <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" /> <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" /> </user-service> </authentication-provider> </beans:beans>

 

 

 

 

主要講一下<http>的內容

    <http auto-config="true">
        <intercept-url pattern="/login.jsp*" filters="none"/>
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true" default-target-url="/index.jsp" />
        <logout logout-success-url="/login.jsp"/>
        <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
    </http>

 

 

首先看 auto-comfig這個東東,把這個設成true,系統會自己加上以下內容

    <form-login />
    <anonymous />
    <http-basic />
    <logout />
    <remember-me />
這些東西,我這裏自己寫了一些,那麼就會覆蓋默認的設置,

<intercept-url /> : 用來告訴ss2哪些url不用Filter去處理了
<form-login/> :去定義一些關於表單的頁面文件
<concurrent-session-control /> :就是控制登錄次數了

 
  <authentication-provider/>
這裏就是設置驗證信息了,你可以從數據庫取得:
  <authentication-provider>
    <jdbc-user-service data-source-ref="securityDataSource"/>
  </authentication-provider>

 這裏的"securityDataSource"就是 DataSource bean在application context裏的名字，它指向了包含着Spring Security用戶信息的表。 另外，你

可以配置一個Spring Security JdbcDaoImpl bean，使用user-service-ref屬性指定：

  <authentication-provider user-service-ref='myUserDetailsService'/>

  <beans:bean id="myUserDetailsService" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
    <beans:property name="dataSource" ref="dataSource"/>
  </beans:bean>
 
 <password-encoder hash="md5"/> :是密碼加密機制還還其它的, 如:sha

 

 

如果是自定義userdetail的話要自己實現UserDetail和UserDetailService兩個接口，告訴ss2如何取得

像上面定義的  用戶名和密碼  代碼如下：

 

實現UserDetailService Interface

 

public class UserDetailsSerivceImpl implements UserDetailsService { //private UserDao userDao; // public UserDao getUserDao() { // return userDao; // } @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { // return (User)getUserDao().findByName(username); User userDetails=new User(); // peter/opal userDetails.setUsername("peter"); userDetails.setPassword("22b5c9accc6e1ba628cedc63a72d57f8"); return userDetails; } }

 

我直接設置了值，當然可以從數據庫等地方去獲取User

 

實現UserDetail Interface:

 

public class User implements UserDetails { /** * @author chao.yin */ private static final long serialVersionUID = -8118972725674341185L; private String user_id; private String username; private String password; @Override /** * return roles list */ public GrantedAuthority[] getAuthorities() { //can get data from database List <GrantedAuthority>authorities=new ArrayList<GrantedAuthority>(); authorities.add(new GrantedAuthorityImpl("ROLE_USER")); authorities.add(new GrantedAuthorityImpl("ROLE_SUPERVISOR")); return authorities.toArray(new GrantedAuthority[0]); } @Override public String getPassword() { return password; } @Override public String getUsername() { return username; } @Override public boolean isAccountNonExpired() { return true; } @Override public boolean isAccountNonLocked() { return true; } @Override public boolean isCredentialsNonExpired() { return true; } @Override public boolean isEnabled() { return true; } public String getUser_id() { return user_id; } public void setUser_id(String user_id) { this.user_id = user_id; } public void setUsername(String username) { this.username = username; } public void setPassword(String password) { this.password = password; } }

 

 

getAuthorities()裏的autorities 可以從其它你想要的地方獲取

 

如果是上面這種方式的話，applicationContext-security.xml裏我要加下面的東西:

 

 

<authentication-provider user-service-ref="userDatailsService"> <password-encoder hash="md5"/> </authentication-provider> <beans:bean id="userDatailsService" class="impl.UserDetailsSerivceImpl" />

 

 

以前的直接設置帳號的可以comment掉了{

    <!--
    <authentication-provider>
        <password-encoder hash="md5"/>
        <user-service>
            <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
            <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
            <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
            <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
    -->

}

 

以上配置只是最基本的配置,一些高級web特性先沒有弄,一步一步來嘛!從簡單入手.


4.創建頁面

首先  login.jsp 

 

<form name="f" action="<s:url value="/j_spring_security_check"/>" method="POST"> <table> <tr><td>User:</td><td><input type='text' name='j_username' value='<s:if test="${not empty param.error}">${SPRING_SECURITY_LAST_USERNAME}</s:if>'/></td></tr> <tr><td>Password:</td><td><input type='password' name='j_password'></td></tr> <tr><td><input type="checkbox" name="_spring_security_remember_me"></td><td>Remember Me</td></tr> <tr><td><input name="submit" type="submit" value="Login"></td><td><input name="reset" type="reset"></td></tr> </table> </form>

 

 

注意:要用ss2的功能表單書寫上有講究:

form的action要到 j_spring_security_check
username和password的name分別爲:j_username    j_password


其次  index.jsp  (登錄通過後到的頁面)

 

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <h4>Hello <FONT color="red"><sec:authentication property="principal.username"/></FONT></h4> <p><a href="${pageContext.request.contextPath}/j_spring_security_logout" mce_href="${pageContext.request.contextPath}/j_spring_security_logout"">Logout</a>

 

 

這裏退出要到: j_spring_security_logout

這樣就會按照你配置信息去work了.

好這就是一個最最簡單的應用ss2了.