不过一般我们在管理系统时都会分前台与后台,也就是说,前台与后台的登录入口与注销地址都是不一样的,那么该如何使用SpringSecurity实现呢,参考了一些网络上的例子,将之前的小应用做了如下修改:
applicationContext-security.xml
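<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 3.1 configuration that serves a front-end area and a back-end
  (/admin) area from one <http> filter chain, each with its own login page,
  login handlers and logout URL.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:p="http://www.springframework.org/schema/p"
             xmlns:aop="http://www.springframework.org/schema/aop"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:jee="http://www.springframework.org/schema/jee"
             xmlns:tx="http://www.springframework.org/schema/tx"
             xmlns:util="http://www.springframework.org/schema/util"
             xmlns:mvc="http://www.springframework.org/schema/mvc"
             xmlns:tool="http://www.springframework.org/schema/tool"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xsi:schemaLocation="
                 http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
                 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
                 http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd
                 http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
                 http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
                 http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
                 http://www.springframework.org/schema/tool http://www.springframework.org/schema/tool/spring-tool-3.0.xsd
                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"
             default-lazy-init="true">

    <!-- Resources that need no authentication; this syntax replaced the older form after 3.0.
         security="none" takes matching requests out of the filter chain entirely, so no
         SecurityContext is available while the login pages are rendered. -->
    <http security="none" pattern="/**/login.do"/>

    <!-- A custom authorization rule is used, so access-decision-manager-ref is set;
         the referenced accessDecisionManager only adds one extra voter.
         entry-point-ref is added so that the front end and the back end are sent to
         different login pages. -->
    <http entry-point-ref="loginUrlEntryPoint"
          access-decision-manager-ref="accessDecisionManager"
          access-denied-page="/notaccess.jsp">
        <intercept-url pattern="/demo.do*" access="IS_AUTHENTICATED_REMEMBERED"/>
        <!-- Back-end URLs -->
        <intercept-url pattern="/admin/**/*.do*" access="AD_HODLE"/>
        <!-- Front-end URLs -->
        <intercept-url pattern="/**/*.do*" access="HODLE"/>

        <!-- NOTE(review): both login filters below are hand-declared beans. The Spring Security
             reference states that concurrent session control has to be wired explicitly when a
             customized authentication filter is used (a sessionAuthenticationStrategy on each
             login filter, sharing one SessionRegistry). As written, max-sessions="1" is probably
             not enforced at login; verify before relying on it. -->
        <session-management>
            <concurrency-control max-sessions="1"/>
        </session-management>

        <!-- Login filters: front end first, back end in the standard form-login slot -->
        <custom-filter before="FORM_LOGIN_FILTER" ref="loginFilter"/>
        <custom-filter position="FORM_LOGIN_FILTER" ref="adminLoginFilter"/>
        <!-- Logout filters: front end first, back end in the standard logout slot -->
        <custom-filter before="LOGOUT_FILTER" ref="logoutFilter"/>
        <custom-filter position="LOGOUT_FILTER" ref="adminLogoutFilter"/>
    </http>

    <!-- Authentication entry point: a user who requests a protected front-end or back-end
         URL before logging in is redirected to the matching login page. -->
    <beans:bean id="loginUrlEntryPoint" class="com.piaoyi.common.security.LoginUrlEntryPoint"/>

    <!-- Login filter that authenticates front-end users -->
    <beans:bean id="loginFilter"
                class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationFailureHandler" ref="failureHandler"/>
        <beans:property name="authenticationSuccessHandler" ref="successHandler"/>
        <beans:property name="filterProcessesUrl" value="/j_spring_security_check"/>
    </beans:bean>
    <beans:bean id="failureHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/login.do?login_error=1"/>
    </beans:bean>
    <beans:bean id="successHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <beans:property name="alwaysUseDefaultTargetUrl" value="true"/>
        <beans:property name="defaultTargetUrl" value="/demo.do"/>
    </beans:bean>

    <!-- Login filter that authenticates back-end users.
         Its processing URL must differ from the front-end filter's: loginFilter runs earlier in
         the chain, so with an identical URL it would consume every login POST and back-end
         logins would end up in the front-end success and failure handlers. The back-end login
         form has to POST to /admin/j_spring_security_check, mirroring the logout URLs below. -->
    <beans:bean id="adminLoginFilter"
                class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationFailureHandler" ref="adminFailureHandler"/>
        <beans:property name="authenticationSuccessHandler" ref="adminSuccessHandler"/>
        <beans:property name="filterProcessesUrl" value="/admin/j_spring_security_check"/>
    </beans:bean>
    <beans:bean id="adminFailureHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/admin/login.do?login_error=1"/>
    </beans:bean>
    <beans:bean id="adminSuccessHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <beans:property name="alwaysUseDefaultTargetUrl" value="true"/>
        <beans:property name="defaultTargetUrl" value="/admin/frame.do"/>
    </beans:bean>

    <!-- Logout filter for front-end users; redirects to the front-end login page afterwards -->
    <beans:bean id="logoutFilter"
                class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <beans:constructor-arg value="/login.do"/>
        <beans:constructor-arg>
            <beans:list>
                <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
            </beans:list>
        </beans:constructor-arg>
        <beans:property name="filterProcessesUrl" value="/j_spring_security_logout"/>
    </beans:bean>

    <!-- Logout filter for back-end users; redirects to the back-end login page afterwards -->
    <beans:bean id="adminLogoutFilter"
                class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <beans:constructor-arg value="/admin/login.do"/>
        <beans:constructor-arg>
            <beans:list>
                <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
            </beans:list>
        </beans:constructor-arg>
        <beans:property name="filterProcessesUrl" value="/admin/j_spring_security_logout"/>
    </beans:bean>

    <!-- Automatically receives AuthenticationEvent messages -->
    <beans:bean id="loggerListener"
                class="org.springframework.security.authentication.event.LoggerListener"/>

    <!-- Authentication manager backed by the custom UserDetailsService; passwords are
         compared as MD5 digests.
         NOTE(security): no salt-source is configured, so this is unsalted MD5, which is fast
         to brute-force and open to precomputed lookups if the user table leaks. The setting is
         left unchanged because switching the encoder invalidates every stored hash; plan a
         migration to a salted adaptive hash such as
         org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userService">
            <password-encoder hash="md5"/>
        </authentication-provider>
    </authentication-manager>
    <beans:bean id="userService" class="com.piaoyi.common.security.UserService"/>

    <!-- Access decision manager: AffirmativeBased (access is granted as soon as one voter
         grants it) with the custom DynamicRoleVoter added to the standard voters.
         NOTE(review): RoleVoter by default only votes on attributes prefixed ROLE_, so
         AD_HODLE and HODLE are presumably decided by DynamicRoleVoter alone; its source
         is not shown here, confirm that it denies by default. -->
    <beans:bean id="accessDecisionManager"
                class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
                <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
                <beans:bean class="com.piaoyi.common.security.DynamicRoleVoter"/>
            </beans:list>
        </beans:property>
    </beans:bean>
</beans:beans>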
说明:
1.为了实现不同的登录验证,这里显式声明了登录过滤器与注销过滤器,并指定相应过滤器的位置。
2.因为我们自己来指定了登录过滤器与注销过滤器,所以就不能在<http>中设置auto-config="true"
3.为了区分开不同的登录页面,就需要在<http>中配置认证切入点“entry-point-ref”,认证切入点的作用是当请求被拦截时该如何处理,这里处理为跳转到各自的登录页面
4.这里理想化的将前台用户与后台用户都使用同一个userService进行管理,即表示都存储在同一张用户表中,对于前后台用户不在同一张表中的处理,笔者也在研究中。
LoginUrlEntryPoint.java
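/**
 * Authentication entry point that redirects an unauthenticated request to the login
 * page of the area it targeted: the back-end login page for URLs under /admin/, the
 * front-end login page for everything else.
 */
public class LoginUrlEntryPoint implements AuthenticationEntryPoint {

    /** Path prefix of the back-end area, matching the /admin/** intercept-url rule. */
    private static final String ADMIN_PREFIX = "/admin/";

    /**
     * Sends a redirect to the login page that belongs to the requested area.
     *
     * @param request       the request that was rejected for lack of authentication
     * @param response      the response used to issue the redirect
     * @param authException the exception that triggered this entry point (not inspected)
     * @throws IOException      if the redirect cannot be written
     * @throws ServletException declared by the interface; not thrown by this code
     */
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        String contextPath = request.getContextPath();
        String path = request.getRequestURI();
        // getRequestURI() includes the context path; strip it so that a context path
        // containing "admin" cannot influence which login page is chosen.
        if (contextPath != null && contextPath.length() > 0 && path.startsWith(contextPath)) {
            path = path.substring(contextPath.length());
        }

        // Match on the path prefix rather than on the substring "admin" anywhere in the
        // URI: a front-end URL such as /user/administrator.do must keep going to the
        // front-end login page.
        String loginPage;
        if (path.startsWith(ADMIN_PREFIX)) {
            // Unauthenticated access to a protected back-end resource
            loginPage = "/admin/login.do";
        } else {
            // Unauthenticated access to a protected front-end resource
            loginPage = "/login.do";
        }

        // Both targets are fixed constants, so the redirect never depends on request data.
        response.sendRedirect(contextPath + loginPage);
    }
}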