大型网站的建设,企业网站php模板,wordpress多媒体主题,wordpress国内最流行的主题文章目录 Spring Security概念快速入门案例环境准备Spring配置文件SpringMVC配置文件log4j配置文件web.xmlTomcat插件 整合SpringSecurity 认证操作自定义登录页面关闭CSRF拦截数据库认证加密认证状态记住我授权注解使用标签使用 Spring Security概念
Spring Security是Spring… 文章目录 Spring Security概念快速入门案例环境准备Spring配置文件SpringMVC配置文件log4j配置文件web.xmlTomcat插件 整合SpringSecurity 认证操作自定义登录页面关闭CSRF拦截数据库认证加密认证状态记住我授权注解使用标签使用 Spring Security概念
Spring Security是Spring采用 AOP思想基于 servlet过滤器实现的安全框架。它提供了完善的认证机制和方法级的授权功能。是一款非常优秀的权限管理框架。
特征
对身份验证和授权的全面且可扩展的支持保护免受会话固定劫持跨站点请求伪造等攻击Servlet API集成与Spring Web MVC的可选集成
快速入门案例
环境准备
准备一个SpringMVCSpringjsp的Web环境然后在这个基础上整合SpringSecurity。
添加相关的依赖 dependenciesdependencygroupIdjunit/groupIdartifactIdjunit/artifactIdversion4.11/versionscopetest/scope/dependencydependencygroupIdorg.springframework/groupIdartifactIdspring-webmvc/artifactIdversion5.2.1.RELEASE/version/dependencydependencygroupIdjavax.servlet/groupIdartifactIdservlet-api/artifactIdversion2.5/versionscopeprovided/scope/dependencydependencygroupIdorg.slf4j/groupIdartifactIdslf4j-log4j12/artifactIdversion1.7.25/version/dependency/dependenciesSpring配置文件
?xml version1.0 encodingUTF-8?
beans xmlnshttp://www.springframework.org/schema/beansxmlns:xsihttp://www.w3.org/2001/XMLSchema-instancexmlns:contexthttp://www.springframework.org/schema/contextxsi:schemaLocationhttp://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/contexthttp://www.springframework.org/schema/context/spring-context.xsdcontext:component-scan base-packagecom.xx.service /context:component-scan/beansSpringMVC配置文件
?xml version1.0 encodingUTF-8?
beans xmlnshttp://www.springframework.org/schema/beansxmlns:xsihttp://www.w3.org/2001/XMLSchema-instancexmlns:contexthttp://www.springframework.org/schema/contextxmlns:mvchttp://www.springframework.org/schema/mvcxsi:schemaLocationhttp://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/contexthttp://www.springframework.org/schema/context/spring-context.xsdhttp://www.springframework.org/schema/mvchttp://www.springframework.org/schema/mvc/spring-mvc.xsdcontext:component-scan base-packagecom.xx.controller/context:component-scanmvc:annotation-driven /mvc:annotation-driven/beanslog4j配置文件
log4j.properties文件
log4j.rootCategoryINFO, stdoutlog4j.appender.stdoutorg.apache.log4j.ConsoleAppender
log4j.appender.stdout.layoutorg.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern[QC] %p [%t] %C.%M(%L) | %m%n
web.xml
web.xml
!DOCTYPE web-app PUBLIC-//Sun Microsystems, Inc.//DTD Web Application 2.3//ENhttp://java.sun.com/dtd/web-app_2_3.dtd web-app version2.5 idWebApp_ID xmlnshttp://java.sun.com/xml/ns/javaeexmlns:xsihttp://www.w3.org/2001/XMLSchema-instancexsi:schemaLocationhttp://java.sun.com/xml/ns/javaeehttp://java.sun.com/xml/ns/javaee/web-app_2_5.xsddisplay-nameArchetype Created Web Application/display-name!-- 初始化spring容器 --context-paramparam-namecontextConfigLocation/param-nameparam-valueclasspath:applicationContext.xml/param-value/context-paramlistenerlistener-classorg.springframework.web.context.ContextLoaderListener/listener-class/listener!-- post乱码过滤器 --filterfilter-nameCharacterEncodingFilter/filter-namefilter-classorg.springframework.web.filter.CharacterEncodingFilter/filter-classinit-paramparam-nameencoding/param-nameparam-valueutf-8/param-value/init-param/filterfilter-mappingfilter-nameCharacterEncodingFilter/filter-nameurl-pattern/*/url-pattern/filter-mapping!-- 前端控制器 --servletservlet-namedispatcherServletb/servlet-nameservlet-classorg.springframework.web.servlet.DispatcherServlet/servlet-class!-- contextConfigLocation不是必须的 如果不配置contextConfigLocation springmvc的配置文件默认在WEB-INF/servlet的name-servlet.xml --init-paramparam-namecontextConfigLocation/param-nameparam-valueclasspath:spring-mvc.xml/param-value/init-paramload-on-startup1/load-on-startup/servletservlet-mappingservlet-namedispatcherServletb/servlet-name!-- 拦截所有请求jsp除外 --url-pattern//url-pattern/servlet-mapping/web-app
Tomcat插件
添加Tomcat的插件 启动测试 pluginsplugingroupIdorg.apache.tomcat.maven/groupIdartifactIdtomcat7-maven-plugin/artifactIdversion2.2/versionconfigurationport8082/portpath//path/configuration/plugin/plugins整合SpringSecurity
添加相关的依赖
spring-security-core.jar 核心包任何SpringSecurity的功能都需要此包
spring-security-web.jar:web工程必备包含过滤器和相关的web安全的基础结构代码
spring-security-config.jar用于xml文件解析处理
spring-security-tablibs.jar:动态标签库
!-- 添加SpringSecurity的相关依赖 --
dependencygroupIdorg.springframework.security/groupIdartifactIdspring-security-config/artifactIdversion5.1.5.RELEASE/version
/dependency
dependencygroupIdorg.springframework.security/groupIdartifactIdspring-security-taglibs/artifactIdversion5.1.5.RELEASE/version
/dependencyweb.xml文件中配置SpringSecurity !-- 配置过滤器链 springSecurityFilterChain 名称固定 --filterfilter-namespringSecurityFilterChain/filter-namefilter-classorg.springframework.web.filter.DelegatingFilterProxy/filter-class/filterfilter-mappingfilter-namespringSecurityFilterChain/filter-nameurl-pattern/*/url-pattern/filter-mapping添加SpringSecurity的配置文件
?xml version1.0 encodingUTF-8?
beans xmlnshttp://www.springframework.org/schema/beansxmlns:xsihttp://www.w3.org/2001/XMLSchema-instancexmlns:securityhttp://www.springframework.org/schema/securityxsi:schemaLocationhttp://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spring-security.xsd!-- SpringSecurity配置文件 --!--auto-config:表示自动加载SpringSecurity的配置文件use-expressions表示使用Spring的EL表达式--security:http auto-configtrue use-expressionstrue!--拦截资源pattern/** 拦截所有的资源accesshasAnyRole(ROLE_USER) 表示只有ROLE_USER 这个角色可以访问资源--security:intercept-url pattern/** accesshasAnyRole(ROLE_USER) /security:intercept-url/security:http!-- 认证用户信息 --security:authentication-managersecurity:authentication-providersecurity:user-service !-- 设置一个账号 zhangsan 密码123 {noop} 表示不加密 具有的角色是 ROLE_USER--security:user namezhangsan authoritiesROLE_USER password{noop}123 /security:usersecurity:user namelisi authoritiesROLE_USER password{noop}123456 /security:user/security:user-service/security:authentication-provider/security:authentication-manager
/beans将SpringSecurity的配置文件引入到Spring配置文件中
启动测试访问 认证操作
自定义登录页面
如何使用我们自己写的登录页面呢
%--Created by IntelliJ IDEA.User: dpbDate: 2021/3/16Time: 16:57To change this template use File | Settings | File Templates.
--%
% page contentTypetext/html;charsetUTF-8 languagejava %
html
headtitleTitle/title
/head
bodyh1登录页面/h1form action/login methodpost账号:input typetext nameusernamebr密码:input typepassword namepasswordbrinput typesubmit value登录/form
/body
/html
修改相关的配置文件
?xml version1.0 encodingUTF-8?
beans xmlnshttp://www.springframework.org/schema/beansxmlns:xsihttp://www.w3.org/2001/XMLSchema-instancexmlns:securityhttp://www.springframework.org/schema/securityxsi:schemaLocationhttp://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spring-security.xsd!-- SpringSecurity配置文件 --!--auto-config:表示自动加载SpringSecurity的配置文件use-expressions表示使用Spring的EL表达式--security:http auto-configtrue use-expressionstrue!-- 匿名访问登录页面--security:intercept-url pattern/login.jsp accesspermitAll()/!--拦截资源pattern/** 拦截所有的资源accesshasAnyRole(ROLE_USER) 表示只有ROLE_USER 这个角色可以访问资源--security:intercept-url pattern/** accesshasAnyRole(ROLE_USER) /!--配置认证的信息--security:form-login login-page/login.jsplogin-processing-url/logindefault-target-url/home.jspauthentication-failure-url/error.jsp/!-- 注销 --security:logout logout-url/logoutlogout-success-url/login.jsp //security:http!-- 认证用户信息 --security:authentication-managersecurity:authentication-providersecurity:user-service !-- 设置一个账号 zhangsan 密码123 {noop} 表示不加密 具有的角色是 ROLE_USER--security:user namezhangsan authoritiesROLE_USER password{noop}123 /security:usersecurity:user namelisi authoritiesROLE_USER password{noop}123456 /security:user/security:user-service/security:authentication-provider/security:authentication-manager
/beans访问home.jsp页面后会自动跳转到自定义的登录页面 但是当提交了请求后页面出现了如下的错误 关闭CSRF拦截
为什么系统默认的登录页面提交没有CRSF拦截的问题呢 自定义的认证页面没有这个信息怎么办呢两种方式 关闭CSRF拦截 再次登录显示成功 使用CSRF防护 在页面中添加对应taglib 访问登录页面可以看到csrf的信息再次登陆即可成功。 数据库认证
前面的案例账号信息是直接写在配置文件中的这显然是不太好的如何实现和数据库中的信息进行认证
添加相关的依赖 dependencygroupIdorg.mybatis/groupIdartifactIdmybatis/artifactIdversion3.5.4/version/dependencydependencygroupIdorg.mybatis/groupIdartifactIdmybatis-spring/artifactIdversion2.0.4/version/dependencydependencygroupIdmysql/groupIdartifactIdmysql-connector-java/artifactIdversion8.0.11/version/dependencydependencygroupIdcom.alibaba/groupIdartifactIddruid/artifactIdversion1.1.8/version/dependency添加配置文件
jdbc.drivercom.mysql.cj.jdbc.Driver
jdbc.urljdbc:mysql://localhost:3306/logistics?characterEncodingutf-8serverTimezoneUTC
jdbc.usernameroot
jdbc.password123456?xml version1.0 encodingUTF-8?
beans xmlnshttp://www.springframework.org/schema/beansxmlns:xsihttp://www.w3.org/2001/XMLSchema-instancexmlns:contexthttp://www.springframework.org/schema/contextxsi:schemaLocationhttp://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/contexthttp://www.springframework.org/schema/context/spring-context.xsdcontext:component-scan base-packagecom.xxx.service /context:component-scan!-- SpringSecurity的配置文件 --import resourceclasspath:spring-security.xml /context:property-placeholder locationclasspath:db.properties /bean classcom.alibaba.druid.pool.DruidDataSource iddataSourceproperty nameurl value${jdbc.url} /property namedriverClassName value${jdbc.driver} /property nameusername value${jdbc.username} /property namepassword value${jdbc.password} //beanbean classorg.mybatis.spring.SqlSessionFactoryBean idsessionFactoryBean property namedataSource refdataSource /property nameconfigLocation valueclasspath:mybatis-config.xml /property namemapperLocations valueclasspath:mapper/*.xml //beanbean classorg.mybatis.spring.mapper.MapperScannerConfigurerproperty namebasePackage valuecom.xxx.mapper //bean
/beans需要完成认证的service中继承 UserDetailsService父接口
实现类中实现验证方法
Service
public class UserServiceImpl extends UserDetailsService {Autowiredprivate UserMapper mapper;Overridepublic UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {// 根据账号查询用户信息UserExample example new UserExample();example.createCriteria().andUserNameEqualTo(s);ListUser users mapper.selectByExample(example);if(users ! null users.size() 0){User user users.get(0);if(user ! null){ListSimpleGrantedAuthority authorities new ArrayList();// 设置登录账号的角色authorities.add(new SimpleGrantedAuthority(ROLE_USER));UserDetails userDetails new org.springframework.security.core.userdetails.User(user.getUserName(),{noop}user.getPassword(),authorities);return userDetails;}}return null;}
}
最后修改配置文件关联自定义的service即可 加密
在SpringSecurity中推荐我们是使用的加密算法是 BCryptPasswordEncoder
修改配置文件 认证状态
用户的状态包括 是否可用账号过期凭证过期账号锁定等等。 可以在用户的表结构中添加相关的字段来维护这种关系
记住我
在表单页面添加一个 记住我的按钮. 在SpringSecurity中默认是关闭 RememberMe功能的需要放开 记住我的功能会方便大家的使用但是安全性却是令人担忧的因为Cookie信息存储在客户端很容易被盗取这时我们可以将这些数据持久化到数据库中。
CREATE TABLE persistent_logins (
username VARCHAR (64) NOT NULL,
series VARCHAR (64) NOT NULL,
token VARCHAR (64) NOT NULL,
last_used TIMESTAMP NOT NULL,
PRIMARY KEY (series)
) ENGINE INNODB DEFAULT CHARSET utf8 注意设置了过期时间到期后并不是删除表结构中的数据而是客户端不会在携带相关信息了同时删除掉数据库中的数据 记住我也会失效
授权
注解使用
开启注解的支持
?xml version1.0 encodingUTF-8?
beans xmlnshttp://www.springframework.org/schema/beansxmlns:xsihttp://www.w3.org/2001/XMLSchema-instancexmlns:contexthttp://www.springframework.org/schema/contextxmlns:mvchttp://www.springframework.org/schema/mvcxmlns:securityhttp://www.springframework.org/schema/securityxsi:schemaLocationhttp://www.springframework.org/schema/beanshttp://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/contexthttp://www.springframework.org/schema/context/spring-context.xsdhttp://www.springframework.org/schema/mvchttp://www.springframework.org/schema/mvc/spring-mvc.xsdhttp://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spring-security.xsdcontext:component-scan base-packagecom.xxx.controller/context:component-scanmvc:annotation-driven /mvc:annotation-driven!--开启权限控制注解支持jsr250-annotationsenabled 表示支持jsr250-api的注解支持需要jsr250-api的jar包pre-post-annotationsenabled 表示支持Spring的表达式注解secured-annotationsenabled 这个才是SpringSecurity提供的注解--security:global-method-securityjsr250-annotationsenabledpre-post-annotationsenabledsecured-annotationsenabled/
/beansjsr250的使用
添加依赖
dependencygroupIdjavax.annotation/groupIdartifactIdjsr250-api/artifactIdversion1.0/version
/dependency控制器中通过注解设置 Controller
RequestMapping(/user)
public class UserController {RolesAllowed(value {ROLE_ADMIN})RequestMapping(/query)public String query(){System.out.println(用户查询....);return /home.jsp;}RolesAllowed(value {ROLE_USER})RequestMapping(/save)public String save(){System.out.println(用户添加....);return /home.jsp;}RequestMapping(/update)public String update(){System.out.println(用户更新....);return /home.jsp;}
} Spring表达式的使用 Controller
RequestMapping(/order)
public class OrderController {PreAuthorize(value hasAnyRole(ROLE_USER))RequestMapping(/query)public String query(){System.out.println(用户查询....);return /home.jsp;}PreAuthorize(value hasAnyRole(ROLE_ADMIN))RequestMapping(/save)public String save(){System.out.println(用户添加....);return /home.jsp;}RequestMapping(/update)public String update(){System.out.println(用户更新....);return /home.jsp;}
}
SpringSecurity提供的注解
Controller
RequestMapping(/role)
public class RoleController {Secured(ROLE_USER)RequestMapping(/query)public String query(){System.out.println(用户查询....);return /home.jsp;}Secured(ROLE_ADMIN)RequestMapping(/save)public String save(){System.out.println(用户添加....);return /home.jsp;}RequestMapping(/update)public String update(){System.out.println(用户更新....);return /home.jsp;}
}
异常处理
新增一个错误页面然后在SpringSecurity的配置文件中配置即可 当然也可以使用SpringMVC中的各种异常处理器处理 标签使用
注解的权限管理可以控制用户是否具有这个操作的权限但是当用户具有了这个权限后进入到具体的操作页面这时我们还有进行更细粒度的控制这时注解的方式就不太适用了这时可以通过标签来处理
添加SpringSecurity的标签库 % page contentTypetext/html;charsetUTF-8 languagejava %
% taglib prefixsecurity urihttp://www.springframework.org/security/tags %
html
headtitleTitle/title
/head
bodyh1欢迎光临.../h1security:authentication propertyprincipal.username /security:authorize accesshasAnyRole(ROLE_USER) a href#用户查询/abr/security:authorizesecurity:authorize accesshasAnyRole(ROLE_ADMIN) a href#用户添加/abr/security:authorizesecurity:authorize accesshasAnyRole(ROLE_USER) a href#用户更新/abr/security:authorizesecurity:authorize accesshasAnyRole(ROLE_ADMIN) a href#用户删除/abr/security:authorize
/body
/html
页面效果
