Spring Security入门Demo

一、spring Security简介

SpringSecurity，这是一种基于Spring AOP和Servlet过滤器的安全框架。它提供全面的安全性解决方案，同时在Web请求级和方法调用级处理身份确认和授权。在Spring Framework基础上，Spring Security充分利用了依赖注入（DI，Dependency Injection）和面向切面技术。

二、建立工程

用第二种方法创建名为spring-security-demo的Maven工程。

工程的最终目录结构为

三、源代码

1 pom.xml里引入所需要的包

1. 1. 
      
2. <project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0http://maven.apache.org/xsd/maven-4.0.0.xsd">
3. <modelVersion>4.0.0</modelVersion>
4. <groupId>spring-security-demo</groupId>
5. <artifactId>spring-security-demo</artifactId>
6. <version>0.0.1-SNAPSHOT</version>
7. <packaging>war</packaging>
8. <name>spring-security-demo</name>
9. <description/>
10. <properties>
11. <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
12. </properties>
13. <dependencies>
14. <dependency>
15. <groupId>javax</groupId>
16. <artifactId>javaee-api</artifactId>
17. <version>7.0</version>
18. <scope>provided</scope>
19. </dependency>
20. <dependency>
21. <groupId>jstl</groupId>
22. <artifactId>jstl</artifactId>
23. <version>1.2</version>
24. </dependency>
25. <dependency>
26. <groupId>org.springframework</groupId>
27. <artifactId>spring-webmvc</artifactId>
28. <version>3.2.9.RELEASE</version>
29. <type>jar</type>
30. <scope>compile</scope>
31. </dependency>
32. <dependency>
33. <groupId>org.springframework</groupId>
34. <artifactId>spring-context</artifactId>
35. <version>3.2.9.RELEASE</version>
36. </dependency>
37. <dependency>
38. <groupId>org.springframework.security</groupId>
39. <artifactId>spring-security-config</artifactId>
40. <version>3.1.6.RELEASE</version>
41. <type>jar</type>
42. <scope>compile</scope>
43. </dependency>
44. <dependency>
45. <groupId>org.springframework.security</groupId>
46. <artifactId>spring-security-taglibs</artifactId>
47. <version>3.1.6.RELEASE</version>
48. <type>jar</type>
49. <scope>compile</scope>
50. </dependency>
51. <dependency>
52. <groupId>log4j</groupId>
53. <artifactId>log4j</artifactId>
54. <version>1.2.15</version>
55. <type>jar</type>
56. <scope>compile</scope>
57. </dependency>
58. </dependencies>
59. 
    
60. </project>

60. 1. 
       
61. <?xml version="1.0" encoding="UTF-8"?>
62. <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
63. <display-name>spring-security-demo</display-name>
64. <filter>
65. <filter-name>springSecurityFilterChain</filter-name>
66. <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
67. </filter>
68. <filter-mapping>
69. <filter-name>springSecurityFilterChain</filter-name>
70. <url-pattern>/*</url-pattern>
71. </filter-mapping>
72. 
    
73. <context-param>
74. <param-name>contextConfigLocation</param-name>
75. <param-value>
76. /WEB-INF/spring-security.xml
77. /WEB-INF/applicationContext.xml
78. </param-value>
79. </context-param>
80. 
    
81. <servlet>
82. <servlet-name>spring</servlet-name>
83. <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
84. <load-on-startup>1</load-on-startup>
85. </servlet>
86. <servlet-mapping>
87. <servlet-name>spring</servlet-name>
88. <url-pattern>/</url-pattern>
89. </servlet-mapping>
90. 
    
91. <listener>
92. <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
93. </listener>
94. </web-app>
    1. 
       

这里两处关于springsecurity的配置表示项目中所有路径的资源都要经过Spring Security。

注意：最好是将DelegatingFilterProxy写在DispatcherServlet之前，否则Spring Security可能不会正常工作。

3 spring-servlet.xml

​​​​

1. 1. 
      
2. <?xml version="1.0" encoding="UTF-8"?>
3. <beans xmlns="http://www.springframework.org/schema/beans"
4. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
5. xsi:schemaLocation="http://www.springframework.org/schema/beans
6. http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
7. 
   
8. <!-- 定义一个视图解析器 -->
9. <bean id="viewResolver"
10. class="org.springframework.web.servlet.view.InternalResourceViewResolver"
11. p:prefix="/WEB-INF/jsp/" p:suffix=".jsp" />
12. </beans>
    1. 
       

这个XML配置声明一个视图解析器.在控制器中会根据JSP名映射到/WEB-INF/jsp中相应的位置。

4 applicationContext.xml​​

1. 1. 
      
2. <?xml version="1.0" encoding="UTF-8"?>
3. <beans xmlns="http://www.springframework.org/schema/beans"
4. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5. xmlns:context="http://www.springframework.org/schema/context"
6. xmlns:mvc="http://www.springframework.org/schema/mvc"
7. xsi:schemaLocation="http://www.springframework.org/schema/beans
8. http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
9. http://www.springframework.org/schema/context
10. http://www.springframework.org/schema/context/spring-context-3.0.xsd
11. http://www.springframework.org/schema/mvc
12. http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
13. 
    
14. <!-- 激活spring的注解. -->
15. <context:annotation-config />
16. 
    
17. <!-- 扫描注解组件并且自动的注入spring beans中.
18. 例如,他会扫描@Controller 和@Service下的文件.所以确保此base-package设置正确. -->
19. <context:component-scan base-package="com.demo" />
20. 
    
21. <!-- 配置注解驱动的Spring MVC Controller 的编程模型.注:次标签只在 Servlet MVC工作! -->
22. <mvc:annotation-driven />
23. 
    
24. </beans>
    1. 
       

5 spring-security.xml

1. <?xml version="1.0" encoding="UTF-8"?>
2. <beans xmlns="http://www.springframework.org/schema/beans"
3. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4. xmlns:security="http://www.springframework.org/schema/security"
5. xsi:schemaLocation="http://www.springframework.org/schema/beans
6. http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
7. http://www.springframework.org/schema/security
8. http://www.springframework.org/schema/security/spring-security-3.1.xsd">
9. 
   
10. <!-- Spring-Security 的配置 -->
11. <!-- 注意use-expressions=true.表示开启表达式,否则表达式将不可用.
12. see:http://www.family168.com/tutorial/springsecurity3/html/el-access.html
13. -->
14. <security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied" >
15. 
    
16. <security:intercept-url pattern="/auth/login" access="permitAll"/>
17. <security:intercept-url pattern="/main/admin" access="hasRole('ROLE_ADMIN')"/>
18. <security:intercept-url pattern="/main/common" access="hasRole('ROLE_USER')"/>
19. 
    
20. <security:form-login
21. login-page="/auth/login"
22. authentication-failure-url="/auth/login?error=true"
23. default-target-url="/main/common"/>
24. 
    
25. <security:logout
26. invalidate-session="true"
27. logout-success-url="/auth/login"
28. logout-url="/auth/logout"/>
29. 
    
30. </security:http>
31. 
    
32. <!-- 指定一个自定义的authentication-manager :customUserDetailsService -->
33. <security:authentication-manager>
34. <security:authentication-provider user-service-ref="customUserDetailsService">
35. <security:password-encoder ref="passwordEncoder"/>
36. </security:authentication-provider>
37. </security:authentication-manager>
38. 
    
39. <!-- 对密码进行MD5编码 -->
40. <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>
41. 
    
42. <!--
43. 通过 customUserDetailsService,Spring会自动的用户的访问级别.
44. 也可以理解成:以后我们和数据库操作就是通过customUserDetailsService来进行关联.
45. -->
46. <bean id="customUserDetailsService" class="com.demo.service.CustomUserDetailsService"/>
47. 
    
48. </beans>
    1. 
       

分析：

（一）

这里/auth/login的权限为permitAll，表示所有人都可以访问此页面；/main/admin的权限为ROLE_ADMIN，表示属于ROLE_ADMIN角色的用户才有权访问此页面；/main/common的权限为ROLE_USER，表示属于ROLE_USER的用户才有权访问此页面。

需要注意的是我们使用了SpringEL表达式来指定角色的访问.

以下是表达式对应的用法：

hasRole([role])返回 true 如果当前主体拥有特定角色。

hasAnyRole([role1,role2])返回 true 如果当前主体拥有任何一个提供的角色 （使用逗号分隔的字符串队列）

principal 允许直接访问主体对象，表示当前用户

authentication允许直接访问当前 Authentication对象 从SecurityContext中获得

permitAll 一直返回true

denyAll 一直返回false

isAnonymous()如果用户是一个匿名登录的用户 就会返回 true

isRememberMe()如果用户是通过remember-me 登录的用户 就会返回true

isAuthenticated()如果用户不是匿名用户就会返回true

isFullyAuthenticated()如果用户不是通过匿名也不是通过remember-me登录的用户时， 就会返回true。

（二）

1. <security:form-login
2. login-page="/auth/login"
3. authentication-failure-url="/auth/login?error=true"
4. default-target-url="/main/common"/>
   1. 
      

表示通过 /auth/login这个映射进行登录.

如果验证失败则返回一个URL:/auth/login?error=true 

如果登录成功则默认指向:/main/common

（三）

1. <security:logout
2. invalidate-session="true"
3. logout-success-url="/auth/login"
4. logout-url="/auth/logout"/>
   1. 
      

这里我们开启了session失效功能。注销URL为:/auth/logout；注销成功后转向:/auth/login。

（四）​​​​

1. 1. 
      
2. <bean id="customUserDetailsService" class="com.demo.service.CustomUserDetailsService"/>
   1. 
      

一个自定义的CustomUserDetailsService,是实现SpringSecurity的UserDetailsService接口,但我们重写了他即便于我们进行​​数据库​​操作.

​

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%> <%@ taglib uri="http://www.springframework.org/tags/form" prefix="form"%> <%@ taglib uri="http://www.springframework.org/tags" prefix="spring"%>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Insert title here</title> </head> <body>
<h1>Login</h1>
<div id="login-error">${error}</div>
<form action="../j_spring_security_check" method="post">
<p> <label for="j_username">Username</label> <input id="j_username" name="j_username" type="text" /> </p>
<p> <label for="j_password">Password</label> <input id="j_password" name="j_password" type="password" /> </p>
<input type="submit" value="Login" />
</form>
</body> </html>

37. 1. 
       
38. <%@ page language="java" contentType="text/html; charset=UTF-8"
39. pageEncoding="UTF-8"%>
40. <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
41. <html>
42. <head>
43. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
44. <title>Insert title here</title>
45. </head>
46. <body>
47. <h1>Common Page</h1>
48. <p>每个人都能访问的页面.</p>
49. <a href="/spring-security-demo/main/admin"> Go AdminPage </a>
50. <br />
51. <a href="/spring-security-demo/auth/login">退出登录</a>
52. 
    
53. </body>
54. </html>
    1. 
       

1. <%@ page language="java" contentType="text/html; charset=UTF-8"
2. pageEncoding="UTF-8"%>
3. <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
4. <html>
5. <head>
6. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
7. <title>Insert title here</title>
8. </head>
9. <body>
10. <h1>Admin Page</h1>
11. <p>管理员页面</p>
12. <a href="/spring-security-demo/auth/login">退出登录</a>
13. </body>
14. </html>
    1. 
       

1. <%@ page language="java" contentType="text/html; charset=UTF-8"
2. pageEncoding="UTF-8"%>
3. <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
4. <html>
5. <head>
6. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
7. <title>Insert title here</title>
8. </head>
9. <body>
10. <h1>你的权限不够!</h1>
11. <p>只有拥有Admin权限才能访问!</p>
12. <a href="/spring-security-demo/auth/login">退出登录</a>
13. </body>
14. </html>
    1. 
       

10 数据模型DbUser.​

1. package com.demo.domain;
2. 
   
3. public class DbUser {
4. 
   
5. private String username;
6. private String password;
7. private Integer access;
8. 
   
9. public String getUsername() {
10. return username;
11. }
12. 
    
13. public void setUsername(String username) {
14. this.username = username;
15. }
16. 
    
17. public String getPassword() {
18. return password;
19. }
20. 
    
21. public void setPassword(String password) {
22. this.password = password;
23. }
24. 
    
25. public Integer getAccess() {
26. return access;
27. }
28. 
    
29. public void setAccess(Integer access) {
30. this.access = access;
31. }
32. 
    
33. }
    1. 
       

11 UserDao.java，通过一个初始化的List来模拟数据库操作

1. package com.demo.dao;
2. 
   
3. import java.util.ArrayList;
4. import java.util.List;
5. 
   
6. import org.apache.log4j.Logger;
7. import com.demo.domain.DbUser;
8. 
   
9. public class UserDao {
10. 
    
11. protected static Logger logger = Logger.getLogger("dao");
12. 
    
13. public DbUser getDatabase(String username) {
14. 
    
15. List<DbUser> users = internalDatabase();
16. 
    
17. for (DbUser dbUser : users) {
18. if (dbUser.getUsername().equals(username) == true) {
19. logger.debug("User found");
20. return dbUser;
21. }
22. }
23. logger.error("User does not exist!");
24. throw new RuntimeException("User does not exist!");
25. 
    
26. }
27. 
    
28. /**
29. * 初始化数据
30. */
31. private List<DbUser> internalDatabase() {
32. 
    
33. List<DbUser> users = new ArrayList<DbUser>();
34. DbUser user = null;
35. 
    
36. user = new DbUser();
37. user.setUsername("admin");
38. 
    
39. // "admin"经过MD5加密后
40. user.setPassword("21232f297a57a5a743894a0e4a801fc3");
41. user.setAccess(1);
42. 
    
43. users.add(user);
44. 
    
45. user = new DbUser();
46. user.setUsername("user");
47. 
    
48. // "user"经过MD5加密后
49. user.setPassword("ee11cbb19052e40b07aac0ca060c23ee");
50. user.setAccess(2);
51. 
    
52. users.add(user);
53. 
    
54. return users;
55. 
    
56. }
57. }
    1. 
       

12 CustomUserDetailsService.java，自定义UserDetailsService,可以通过继承UserDetailsService来达到灵活的自定义UserDetailsService

1. package com.demo.service;
2. 
   
3. import java.util.ArrayList;
4. import java.util.Collection;
5. import java.util.List;
6. 
   
7. import org.apache.log4j.Logger;
8. import com.demo.dao.UserDao;
9. import com.demo.domain.DbUser;
10. import org.springframework.dao.DataAccessException;
11. import org.springframework.security.core.GrantedAuthority;
12. import org.springframework.security.core.authority.GrantedAuthorityImpl;
13. import org.springframework.security.core.userdetails.User;
14. import org.springframework.security.core.userdetails.UserDetails;
15. import org.springframework.security.core.userdetails.UserDetailsService;
16. import org.springframework.security.core.userdetails.UsernameNotFoundException;
17. 
    
18. /**
19. * 一个自定义的service用来和数据库进行操作. 即以后我们要通过数据库保存权限.则需要我们继承UserDetailsService
20. *
21. */
22. public class CustomUserDetailsService implements UserDetailsService {
23. 
    
24. protected static Logger logger = Logger.getLogger("service");
25. 
    
26. private UserDao userDAO = new UserDao();
27. 
    
28. public UserDetails loadUserByUsername(String username)
29. throws UsernameNotFoundException, DataAccessException {
30. 
    
31. UserDetails user = null;
32. 
    
33. try {
34. 
    
35. // 搜索数据库以匹配用户登录名.
36. // 我们可以通过dao使用JDBC来访问数据库
37. DbUser dbUser = userDAO.getDatabase(username);
38. 
    
39. // Populate the Spring User object with details from the dbUser
40. // Here we just pass the username, password, and access level
41. // getAuthorities() will translate the access level to the correct
42. // role type
43. 
    
44. user = new User(dbUser.getUsername(), dbUser.getPassword()
45. .toLowerCase(), true, true, true, true,
46. getAuthorities(dbUser.getAccess()));
47. 
    
48. } catch (Exception e) {
49. logger.error("Error in retrieving user");
50. throw new UsernameNotFoundException("Error in retrieving user");
51. }
52. 
    
53. return user;
54. }
55. 
    
56. /**
57. * 获得访问角色权限
58. *
59. * @param access
60. * @return
61. */
62. public Collection<GrantedAuthority> getAuthorities(Integer access) {
63. 
    
64. List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);
65. 
    
66. // 所有的用户默认拥有ROLE_USER权限
67. logger.debug("Grant ROLE_USER to this user");
68. authList.add(new GrantedAuthorityImpl("ROLE_USER"));
69. 
    
70. // 如果参数access为1.则拥有ROLE_ADMIN权限
71. if (access.compareTo(1) == 0) {
72. logger.debug("Grant ROLE_ADMIN to this user");
73. authList.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
74. }
75. 
    
76. return authList;
77. }
78. }
    1. 
       

13 控制器LoginController.java

1. package com.demo.controller;
2. 
   
3. import org.apache.log4j.Logger;
4. import org.springframework.stereotype.Controller;
5. import org.springframework.ui.ModelMap;
6. import org.springframework.web.bind.annotation.RequestMapping;
7. import org.springframework.web.bind.annotation.RequestMethod;
8. import org.springframework.web.bind.annotation.RequestParam;
9. 
   
10. @Controller
11. @RequestMapping("auth")
12. public class LoginController {
13. protected static Logger logger = Logger.getLogger("controller");
14. 
    
15. /**
16. * 指向登录页面
17. */
18. @RequestMapping(value = "/login", method = RequestMethod.GET)
19. public String getLoginPage(
20. @RequestParam(value = "error", required = false) boolean error,
21. ModelMap model) {
22. 
    
23. logger.debug("Received request to show login page");
24. 
    
25. if (error == true) {
26. // Assign an error message
27. model.put("error",
28. "You have entered an invalid username or password!");
29. } else {
30. model.put("error", "");
31. }
32. return "loginpage";
33. }
34. 
    
35. /**
36. * 指定无访问额权限页面
37. *
38. * @return
39. */
40. @RequestMapping(value = "/denied", method = RequestMethod.GET)
41. public String getDeniedPage() {
42. 
    
43. logger.debug("Received request to show denied page");
44. 
    
45. return "deniedpage";
46. }
47. }
    1. 
       

该controller有两个mapping映射

main/common

main/admin

现在我们将同过Spring Security框架实现成功登陆的人都能访问到main/common，但只有拥有admin权限的用户才能访问main/admin。

14 控制器MainController.java

1. package com.demo.controller;
2. 
   
3. import org.apache.log4j.Logger;
4. import org.springframework.stereotype.Controller;
5. import org.springframework.web.bind.annotation.RequestMapping;
6. import org.springframework.web.bind.annotation.RequestMethod;
7. 
   
8. @Controller
9. @RequestMapping("/main")
10. public class MainController {
11. protected static Logger logger = Logger.getLogger("controller");
12. 
    
13. /**
14. * 跳转到commonpage页面
15. *
16. * @return
17. */
18. @RequestMapping(value = "/common", method = RequestMethod.GET)
19. public String getCommonPage() {
20. logger.debug("Received request to show common page");
21. return "commonpage";
22. }
23. 
    
24. /**
25. * 跳转到adminpage页面
26. *
27. * @return
28. */
29. @RequestMapping(value = "/admin", method = RequestMethod.GET)
30. public String getAadminPage() {
31. logger.debug("Received request to show admin page");
32. return "adminpage";
33. 
    
34. }
35. 
    
36. }
    1. 
       

四、运行结果

1 启动spring-security-demo程序

2 在浏览器里输入​​http://localhost:8080/spring-security-demo/auth/login​​

3 输入用户名admin密码admin后，点击“Login”按纽

4 点击“​​Go​​ AdminPage”链接，因为有权限，所以可看到管理员页面

5 点击“退出登录”，返回登录页

6 输入用户名user密码user并登录

7 点击Go AdminPage链接，因为没有权限，所以看到权限不够的提示

8 退出登录，返回登录页