第一次接触spring security,第一个例子是最简单,实现的功能也仅仅是权限控制一些最基本的功能;
首先是web.xml文件:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
">
<display-name></display-name>
<!-- 获取application-security.xml的位置 -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:application*.xml
</param-value>
</context-param>
<!-- 对spring容器进行实例化(监听) -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<!-- SpringSecurity必须的filter -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 设置session时间 -->
<session-config>
<session-timeout>30</session-timeout>
</session-config>
</web-app>
web.xml的配置比较熟悉,所有没有什么太难的。
接下来是核心applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
">
<!-- 配置保护资源 -->
<security:http auto-config="true" access-denied-page="/deniedpage.jsp">
<!-- 设置同步会话控制 -->
<security:session-management invalid-session-url="/login.jsp" session-fixation-protection="none">
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/sessionTimeout.jsp"/>
</security:session-management>
<!-- http表达验证 -->
<security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" default-target-url="/success.jsp"/>
<security:logout/>
<security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/index.jsp" access="ROLE_USER,ROLE_ADMIN"/>
<security:intercept-url pattern="/**" access="ROLE_USER"/>
</security:http>
<!-- 配置用户 -->
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource"/>
</security:authentication-provider>
</security:authentication-manager>
<!-- 配置数据库信息 -->
<bean>
<property value="${db.driverClass}"/>
<property value="${db.jdbcUrl}"/>
<property value="${db.user}"/>
<property value="${db.password}"/>
</bean>
<!-- 读取资源文件 -->
<bean>
<property>
<list>
<value>classpath:constants.properties</value>
</list>
</property>
</bean>
</beans>
注解:
1、从session缓存中获取当前session信息,如果发现过期了,就跳转到expired-url配置的url或者响应session失效提示信息。当前session有哪些情况会导致session失效呢?这里的失效并不是指在web容器中session的失效,而是spring security把登录成功的session封装为SessionInformation并放到注册类缓存中,如果SessionInformation的expired变量为true,则表示session已失效。所以,ConcurrentSessionFilter过滤器主要检查SessionInformation的expired变量的值。
2、如果concurrency-control标签配置了error-if-maximum-exceeded="true",max-sessions="1",那么第二次登录时,是登录不了的。如果error-if-maximum-exceeded="false",那么第二次是能够登录到系统的,但是第一个登录的账号再次发起请求时,会跳转到expired-url配置的url中(如果没有配置,则显示This session has been expired (possibly due to multiple concurrent logins being attempted as the same user).提示信息)
Spring Security3.1高级详细开发指南 PDF
Spring Security 学习之HTTP基本认证和HTTP摘要认证
Spring Security异常之You must provide a configuration attribute
然后是连接数据库的constants.properties:
db.driverClass=com.mysql,jdbc.Driver
db.jdbcUrl=jdbc:mysql://localhost:3306/springsecurity
db.user=root
db.password=luwenhu
最后就是jsp文件,这个没有什么特别的,比如login.jsp: