kong0itey

Spring Security 3.x: Front-End and Back-Office Login Authentication (Repost)


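In most management systems, however, we separate the front end from the back office (admin area), which means the two have different login entry points and logout URLs. How can this be done with Spring Security? After consulting some examples found online, I modified the earlier small application as follows: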

applicationContext-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:aop="http://www.springframework.org/schema/aop" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:jee="http://www.springframework.org/schema/jee" xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:util="http://www.springframework.org/schema/util" xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:tool="http://www.springframework.org/schema/tool" xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="
            http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
            http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd
            http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
            http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
            http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
            http://www.springframework.org/schema/tool http://www.springframework.org/schema/tool/spring-tool-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"
    default-lazy-init="true">

    <!-- Resources that need no authentication; they are configured this way only after 3.0 -->
    <http security="none" pattern="/**/login.do" />

    <!-- Because we use our own authorization rules, access-decision-manager-ref must be configured here.
            In practice I only added one voter to accessDecisionManager; the other attributes are
            simple and need no further explanation. -->
    <!-- In addition, to give front-end and back-office access different login URLs, an entry-point-ref is added here. -->
    <http entry-point-ref="loginUrlEntryPoint" access-decision-manager-ref="accessDecisionManager" access-denied-page="/notaccess.jsp">
        <intercept-url pattern="/demo.do*" access="IS_AUTHENTICATED_REMEMBERED" />
        <!-- Back-office URL interception -->
        <intercept-url pattern="/admin/**/*.do*" access="AD_HODLE" />
        <!-- Front-end URL interception -->
        <intercept-url pattern="/**/*.do*" access="HODLE" />

        <session-management>
            <concurrency-control max-sessions="1" />
        </session-management>

        <!-- Login filters -->
        <custom-filter before="FORM_LOGIN_FILTER" ref="loginFilter" />
        <custom-filter position="FORM_LOGIN_FILTER" ref="adminLoginFilter" />

        <!-- Logout filters -->
        <custom-filter before="LOGOUT_FILTER" ref="logoutFilter" />
        <custom-filter position="LOGOUT_FILTER" ref="adminLogoutFilter" />
    </http>

    <!-- Authentication entry point: it ensures that users who access the front end or back office
         before logging in are redirected to the respective login page -->
    <beans:bean id="loginUrlEntryPoint" class="com.piaoyi.common.security.LoginUrlEntryPoint" />

    <!-- Login filter that authenticates front-end users -->
    <beans:bean id="loginFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="authenticationFailureHandler" ref="failureHandler" />
        <beans:property name="authenticationSuccessHandler" ref="successHandler" />
        <beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
    </beans:bean>

    <beans:bean id="failureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/login.do?login_error=1" />
    </beans:bean>

    <beans:bean id="successHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <beans:property name="alwaysUseDefaultTargetUrl" value="true" />
        <beans:property name="defaultTargetUrl" value="/demo.do" />
    </beans:bean>

    <!-- Login filter that authenticates back-office users -->
    <beans:bean id="adminLoginFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="authenticationFailureHandler" ref="adminFailureHandler" />
        <beans:property name="authenticationSuccessHandler" ref="adminSuccessHandler" />
        <!-- Needs its own processing URL: if it shared /j_spring_security_check with loginFilter,
             that filter (earlier in the chain) would handle every login -->
        <beans:property name="filterProcessesUrl" value="/admin/j_spring_security_check" />
    </beans:bean>

    <beans:bean id="adminFailureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/admin/login.do?login_error=1" />
    </beans:bean>

    <beans:bean id="adminSuccessHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <beans:property name="alwaysUseDefaultTargetUrl" value="true" />
        <beans:property name="defaultTargetUrl" value="/admin/frame.do" />
    </beans:bean>

    <!-- Logout filter that handles the redirect when a front-end user logs out -->
    <beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <beans:constructor-arg value="/login.do" />
        <beans:constructor-arg>
            <beans:list>
                <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            </beans:list>
        </beans:constructor-arg>
        <beans:property name="filterProcessesUrl" value="/j_spring_security_logout" />
    </beans:bean>

    <!-- Logout filter that handles the redirect when a back-office user logs out -->
    <beans:bean id="adminLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <beans:constructor-arg value="/admin/login.do" />
        <beans:constructor-arg>
            <beans:list>
                <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            </beans:list>
        </beans:constructor-arg>
        <beans:property name="filterProcessesUrl" value="/admin/j_spring_security_logout" />
    </beans:bean>

    <!-- Automatically receives AuthenticationEvent messages -->
    <beans:bean id="loggerListener"
        class="org.springframework.security.authentication.event.LoggerListener" />

    <!-- Authentication manager: uses a custom UserDetailsService and hashes passwords with MD5
         (no salt-source is configured, so the hashes are unsalted) -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userService">
            <password-encoder hash="md5" />
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="userService" class="com.piaoyi.common.security.UserService" />

    <!-- Access decision manager: AffirmativeBased, with a custom voter, DynamicRoleVoter, added -->
    <beans:bean id="accessDecisionManager"
        class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                <beans:bean
                    class="org.springframework.security.access.vote.AuthenticatedVoter" />
                <beans:bean class="com.piaoyi.common.security.DynamicRoleVoter" />
            </beans:list>
        </beans:property>
    </beans:bean>
</beans:beans>

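Notes:

1. To implement separate login authentication, the login filters and logout filters are declared explicitly here, each with its position in the filter chain.

2. Because we specify the login and logout filters ourselves, auto-config="true" cannot be set on <http>.

3. To tell the login pages apart, an authentication entry point must be configured on <http> through "entry-point-ref". The entry point decides what happens when a request is intercepted; here it redirects to the respective login page.

4. This setup idealizes things by managing front-end and back-office users through the same userService, meaning they are all stored in the same user table. How to handle front-end and back-office users that are not in the same table is something the author is still looking into.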

 

LoginUrlEntryPoint.java

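package com.piaoyi.common.security;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

public class LoginUrlEntryPoint implements AuthenticationEntryPoint {

    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        String targetUrl = null;
        // getRequestURI() includes the context path; "admin" is matched anywhere in it
        String url = request.getRequestURI();

        if (url.indexOf("admin") != -1) {
            // Not logged in and requesting a protected back-office resource: go to the back-office login page
            targetUrl = "/admin/login.do";
        } else {
            // Not logged in and requesting a protected front-end resource: go to the front-end login page
            targetUrl = "/login.do";
        }

        targetUrl = request.getContextPath() + targetUrl;
        response.sendRedirect(targetUrl);
    }
}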
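An added example (not code from the original post): the entry point above picks the back-office login page whenever "admin" appears anywhere in getRequestURI(), which includes the context path. This stand-alone class compares that rule with a match on the /admin/ path prefix that the intercept-url pattern protects; LoginPageRouting, substringRule and prefixRule are hypothetical names, and the sample URIs are constructed.

```java
// Added example: class and method names are hypothetical, not from the original post.
public class LoginPageRouting {

    // The post's rule: "admin" anywhere in the raw request URI selects the back-office login.
    static String substringRule(String contextPath, String requestUri) {
        String page = requestUri.indexOf("admin") != -1 ? "/admin/login.do" : "/login.do";
        return contextPath + page;
    }

    // Stricter rule: drop the context path and any ";param" path parameters
    // (e.g. ;jsessionid=...), then require the path to start with the /admin/ segment.
    static String prefixRule(String contextPath, String requestUri) {
        String path = requestUri.startsWith(contextPath)
                ? requestUri.substring(contextPath.length()) : requestUri;
        path = path.replaceAll(";[^/]*", "");
        boolean backOffice = path.equals("/admin") || path.startsWith("/admin/");
        return contextPath + (backOffice ? "/admin/login.do" : "/login.do");
    }

    public static void main(String[] args) {
        // Constructed samples: {context path, value of getRequestURI()}
        String[][] samples = {
            {"", "/admin/frame.do"},
            {"", "/demo.do"},
            {"", "/news/administrator-faq.do"},
            {"/adminportal", "/adminportal/demo.do"},
            {"/shop", "/shop/admin;jsessionid=ABC123/frame.do"},
        };
        for (String[] s : samples) {
            String bySubstring = substringRule(s[0], s[1]);
            String byPrefix = prefixRule(s[0], s[1]);
            System.out.printf("%-42s substring=%-28s prefix=%-28s%s%n",
                    s[1], bySubstring, byPrefix,
                    bySubstring.equals(byPrefix) ? "" : "  <-- differs");
        }
    }
}
```

In a real entry point the two arguments come from request.getContextPath() and request.getRequestURI().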
