
博客开发笔记四——Spring Security 3最小系统


1、配置

<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.4.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
            ">

    <!--
      Minimal Spring Security 3 namespace configuration: method-level
      annotations, form and basic login, remember-me, and a JDBC-backed
      authentication provider using a salted MD5 password encoder.
      The security namespace is the default one; plain beans use the b: prefix.
    -->

      <!-- Enable annotation-based method security (pre/post annotations such as @PreAuthorize) -->
    <global-method-security pre-post-annotations="enabled">
    </global-method-security>

    <http use-expressions="true" auto-config="true" >
      <!-- NOTE(review): every URL matched by this pattern is open to all callers,
           so nothing is enforced at the URL layer and access control rests on
           method annotations alone. Protected paths need their own, more specific
           intercept-url rules placed above this one (first matching rule wins). -->
      <intercept-url pattern="/**/*" access="permitAll" />
        <!-- Custom login page, post-login landing page, and failure URL carrying login_error=1 -->
        <form-login login-page="/user/login.page" default-target-url="/index.page" authentication-failure-url="/user/login.page?login_error=1"/>
        <!-- NOTE(review): form login and HTTP Basic both transmit the password with
             the request, and no requires-channel attribute is set in this file;
             confirm the application is only served over HTTPS. -->
        <http-basic/>
        <logout logout-success-url="/user/logout.page"/>
        <!-- NOTE(review): no key attribute is given here; set an explicit,
             application-specific secret key and confirm which default this
             version applies when it is omitted. -->
        <remember-me />
    </http>
   
    <!-- Password encoder bean.
         NOTE(review): with default settings this is a single MD5 pass, which is
         fast to brute-force if the users table leaks, and the salt configured
         below is the username, which is predictable. Prefer an adaptive hash
         such as bcrypt (BCryptPasswordEncoder ships with Spring Security 3.1 and
         later). Changing the encoder requires re-hashing stored passwords and
         updating any code that calls encodePassword with a salt. -->
    <b:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"></b:bean>
   
    <!-- Authentication manager backed by the database: user records are loaded
         through jdbc-user-service from the referenced data source. -->
    <authentication-manager>
        <authentication-provider>
           <!-- <password-encoder hash="md5"/>  -->
           <password-encoder ref="passwordEncoder" >
                <!-- The salt is the username property of the loaded user; code that
                     stores passwords must hash with the same salt or logins fail. -->
                <salt-source user-property="username" />
               </password-encoder>
           <jdbc-user-service data-source-ref="oracleDataSource"/>
        </authentication-provider>
    </authentication-manager>

</b:beans>

2、数据库Schema
-- Tables read by jdbc-user-service: one row per account, one row per granted authority.
-- NOTE(review): varchar_ignorecase and boolean look like HSQLDB-style types, while the
-- configuration above references a bean named oracleDataSource; confirm the column
-- types against the database actually used.
-- NOTE(review): password is limited to 50 characters. That fits a 32-character hex MD5
-- digest but not a 60-character bcrypt hash, so widen it before changing the encoder.
CREATE TABLE users (
    username VARCHAR_IGNORECASE(50) NOT NULL PRIMARY KEY,
    password VARCHAR_IGNORECASE(50) NOT NULL,
    enabled  BOOLEAN NOT NULL
);

CREATE TABLE authorities (
    username  VARCHAR_IGNORECASE(50) NOT NULL,
    authority VARCHAR_IGNORECASE(50) NOT NULL,
    CONSTRAINT fk_authorities_users FOREIGN KEY (username) REFERENCES users (username)
);

-- Prevents the same authority from being granted twice to one user.
CREATE UNIQUE INDEX ix_auth_username ON authorities (username, authority);
3、使用
3.1用户注册
                    // Encode the password before storing it.
                    // The username is passed as the salt, matching the salt-source
                    // (user-property="username") in the security configuration.
                    // NOTE(review): with the configured Md5PasswordEncoder this stores a
                    // salted MD5 digest; see the encoder bean before relying on it.
            password = passwordEncoder.encodePassword(password, username);
            Vector<GrantedAuthority> authList = new Vector<GrantedAuthority>(); 
             
        // An authority must be added, otherwise the new user cannot log in.
             authList.add(new GrantedAuthorityImpl("ROLE_USERS"));
            // Presumably Spring Security's User; the four true flags would then be
            // enabled, accountNonExpired, credentialsNonExpired, accountNonLocked. TODO confirm
            User user = new User(username, password, true, true, true, true, authList);
            userDetailsManager.createUser(user);
            // NOTE(review): the origin of referer is not shown here. If it comes from
            // the Referer header or a request parameter it is client-controlled, and
            // the redirect target should be limited to paths inside this application.
            return "redirect:" + referer;
3.2登陆页面
<%-- Login form for Spring Security form-login: posts j_username, j_password and the
     optional remember-me flag to /j_spring_security_check. --%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib prefix='c' uri='http://java.sun.com/jstl/core_rt' %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
    <%-- Rendered when the request carries login_error (set by the configured failure URL).
         c:out HTML-escapes the exception message before it is written to the page. --%>
    <c:if test="${not empty param.login_error}">
      <font color="red">
        Your login attempt was not successful, try again.<br/><br/>
        Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
      </font>
    </c:if>

    <%-- NOTE(review): the password is posted to this action, so both this page and
         the action should only be reachable over HTTPS. --%>
    <form name="f" action="<c:url value='/j_spring_security_check'/>" method="POST">
      <table>
        <%-- The last attempted username is echoed into an attribute value; it must stay
             inside c:out so that quotes and markup in it are escaped. --%>
        <tr><td>User:</td><td><input type='text' name='j_username' value='<c:if test="${not empty param.login_error}"><c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>'/></td></tr>
        <tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
        <%-- Opt-in flag for the remember-me element declared in the security configuration. --%>
        <tr><td><input type="checkbox" name="_spring_security_remember_me"></td><td>Don't ask for my password for two weeks</td></tr>

        <tr><td colspan='2'><input name="submit" type="submit"></td></tr>
        <tr><td colspan='2'><input name="reset" type="reset"></td></tr>
      </table>

    </form>
</body>
</html>
3.3应用
<%-- Renders the enclosed links only for users holding ROLE_USERS (the sec prefix must be
     declared with the Spring Security taglib). This hides the links; it does not
     restrict requests to the URLs they point at. --%>
<sec:authorize access="hasRole('ROLE_USERS')"><a href="#fast_pub">发表文章</a> <a href="./content/editcatalog.page">管理分类</a> <a href="<c:url value="/j_spring_security_logout"/>">注销</a> </sec:authorize>
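上面代码写在jsp页面里面,意思是只有拥有ROLE_USERS角色的用户才能看到这些链接。注意:该标签只控制页面内容是否渲染,并不限制对链接目标URL的访问;在上面的配置中所有URL都是permitAll,因此这些地址本身还需要通过intercept-url规则或方法级注解来保护。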