A first look at Spring Security

Posted by 吊儿郎当地正经着


This is my first contact with Spring Security. The first example is the simplest possible one, and the only functionality it implements is the most basic access control.

First, the web.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
    http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <display-name></display-name>
  <!-- Location of the application-security.xml configuration -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      classpath:application*.xml
    </param-value>
  </context-param>
  <!-- Instantiate the Spring container (listener) -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
  </listener>
  <!-- The filter Spring Security requires -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- Session timeout (in minutes) -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>

The web.xml configuration is familiar territory, so there is nothing too hard here.

Next is the core file, applicationContext-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.xsd">
  <!-- Configure the protected resources -->
  <security:http auto-config="true" access-denied-page="/deniedpage.jsp">
    <!-- Concurrent session control -->
    <security:session-management invalid-session-url="/login.jsp" session-fixation-protection="none">
      <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/sessionTimeout.jsp"/>
    </security:session-management>
    <!-- HTTP form-based authentication -->
    <security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" default-target-url="/success.jsp"/>
    <security:logout/>
    <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/index.jsp" access="ROLE_USER,ROLE_ADMIN"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
  </security:http>
  <!-- Configure the users -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:jdbc-user-service data-source-ref="dataSource"/>
    </security:authentication-provider>
  </security:authentication-manager>
  <!-- Database connection settings -->
  <bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource">
    <property name="driverClass" value="${db.driverClass}"/>
    <property name="jdbcUrl" value="${db.jdbcUrl}"/>
    <property name="user" value="${db.user}"/>
    <property name="password" value="${db.password}"/>
  </bean>
  <!-- Load the properties file -->
  <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="locations">
      <list>
        <value>classpath:constants.properties</value>
      </list>
    </property>
  </bean>
</beans>
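As an added example (not code from the original post or from Spring Security), the following Python script parses a constructed copy of the <security:http> element above, resolves which intercept-url rule applies to a request path the way the filter chain does (first matching rule wins, so a /** rule placed before more specific rules would shadow them), and flags the setting a reviewer would raise: session-fixation-protection="none" keeps the pre-login session id after authentication.

```python
import re
import xml.etree.ElementTree as ET
SEC = "{http://www.springframework.org/schema/security}"
# Constructed copy of the page's <security:http> element (other beans omitted).
CONFIG_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security">
  <security:http auto-config="true" access-denied-page="/deniedpage.jsp">
    <security:session-management invalid-session-url="/login.jsp"
        session-fixation-protection="none">
      <security:concurrency-control max-sessions="1"
          error-if-maximum-exceeded="false" expired-url="/sessionTimeout.jsp"/>
    </security:session-management>
    <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/index.jsp" access="ROLE_USER,ROLE_ADMIN"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
  </security:http>
</beans>"""

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern (**, *, ?) into an anchored regex."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    return "^" + "".join(table.get(p, re.escape(p)) for p in parts) + "$"

def load_rules(xml_text):
    """Intercept-url rules as (pattern, [access, ...]) in document order."""
    root = ET.fromstring(xml_text)
    return [(u.get("pattern"), u.get("access", "").split(","))
            for u in root.iter(SEC + "intercept-url")]

def required_access(rules, path):
    """First matching rule wins, which is how the filter chain evaluates them."""
    for pattern, access in rules:
        if re.match(ant_to_regex(pattern), path):
            return access
    return None

def shadowed_rules(rules):
    """Patterns that never match because an earlier rule already covers them."""
    return [later for i, (pat, _) in enumerate(rules)
            for later, _ in rules[i + 1:] if re.match(ant_to_regex(pat), later)]

def audit(xml_text):
    """Findings a reviewer would raise on this configuration."""
    findings = ["unreachable rule: " + p for p in shadowed_rules(load_rules(xml_text))]
    sm = ET.fromstring(xml_text).find(".//" + SEC + "session-management")
    if sm is not None and sm.get("session-fixation-protection") == "none":
        findings.append("session-fixation-protection=none keeps the pre-login session id; use migrateSession (the default) or newSession")
    return findings
```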

Notes:

1. The current session's information is looked up in the session registry cache; if it turns out to be expired, the request is redirected to the URL configured in expired-url, or a session-expired message is returned. Which situations make the current session invalid? "Invalid" here does not mean the session has expired in the web container. Rather, Spring Security wraps each successfully logged-in session in a SessionInformation object and stores it in the registry cache; if the SessionInformation's expired flag is true, the session is treated as expired. So what the ConcurrentSessionFilter mainly checks is the value of that expired flag.

2. If the concurrency-control element is configured with error-if-maximum-exceeded="true" and max-sessions="1", a second login is refused. If error-if-maximum-exceeded="false", the second login succeeds, but when the first logged-in account makes another request it is redirected to the URL configured in expired-url (if none is configured, the message "This session has been expired (possibly due to multiple concurrent logins being attempted as the same user)." is shown).
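The two notes above describe the decisions the concurrency-control strategy and the ConcurrentSessionFilter make; as an added example (a simplified model, not the page's or Spring Security's code), the Python class below replays them for max-sessions="1" under both settings of error-if-maximum-exceeded, assuming, as Spring does, that the session with the oldest last request is the one marked expired.

```python
from dataclasses import dataclass
@dataclass
class SessionInformation:
    """What the session registry keeps per login (modelled after Spring Security)."""
    principal: str
    session_id: str
    last_request: int      # tick of the last request seen on this session
    expired: bool = False  # set by the strategy, checked by ConcurrentSessionFilter

class ConcurrencyControl:
    """Model of <security:concurrency-control> (assumption: the LRU session is expired)."""
    def __init__(self, max_sessions=1, error_if_maximum_exceeded=False,
                 expired_url="/sessionTimeout.jsp"):
        self.max_sessions = max_sessions
        self.error_if_maximum_exceeded = error_if_maximum_exceeded
        self.expired_url = expired_url
        self.registry = {}  # session_id -> SessionInformation
        self.clock = 0

    def _tick(self):
        self.clock += 1
        return self.clock

    def active_sessions(self, principal):
        return [s for s in self.registry.values()
                if s.principal == principal and not s.expired]

    def login(self, principal, session_id):
        """'rejected' only with error-if-maximum-exceeded=true; otherwise surplus sessions are marked expired."""
        active = self.active_sessions(principal)
        if len(active) >= self.max_sessions:
            if self.error_if_maximum_exceeded:
                return "rejected"
            active.sort(key=lambda s: s.last_request)
            for stale in active[:len(active) - self.max_sessions + 1]:
                stale.expired = True
        self.registry[session_id] = SessionInformation(principal, session_id, self._tick())
        return "ok"

    def request(self, session_id):
        """Per-request check the ConcurrentSessionFilter performs on the registry entry."""
        info = self.registry.get(session_id)
        if info is None:
            return "no-session"
        if info.expired:
            del self.registry[session_id]  # the filter also invalidates the container session
            return "redirect:" + self.expired_url
        info.last_request = self._tick()
        return "ok"
```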

Then the constants.properties file with the database connection settings:

db.driverClass=com.mysql.jdbc.Driver
db.jdbcUrl=jdbc:mysql://localhost:3306/springsecurity
db.user=root
db.password=luwenhu

Finally the JSP files. There is nothing special about them; login.jsp, for example:

<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <base href="<%=basePath%>">
    <title>登录界面</title>
  </head>
  <body onload="document.f.j_username.focus();">
    <c:if test="${not empty param.login_error }">
      <font color="red">
        登录失败,请重试!<br/>
        原因:<c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message }"></c:out>
      </font>
    </c:if>
    <!-- name="f" is what the onload handler above refers to -->
    <form name="f" action="/acegi1/j_spring_security_check" method="post">
      username:<input type="text" name="j_username"/><br/>
      password:<input type="password" name="j_password"/><br/>
      <input type="checkbox" name="_spring_security_remember_me">两周内自动登录
      <input type="submit" value="用户登录">
    </form>
  </body>
</html>

That is all I learned today; tomorrow I will continue digging into Spring Security and add a filter of my own.
