Spring Security應用實例（一）：用戶登錄

Sql代碼

DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
`id` int(10) NOT NULL auto_increment,
`login_name` varchar(20) default NULL,
`password` varchar(20) default NULL,
`name` varchar(20) default NULL,
`email` varchar(30) default NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Sql代碼

DROP TABLE IF EXISTS `roles`;
CREATE TABLE `roles` (
`id` int(10) NOT NULL auto_increment,
`name` varchar(20) default NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Sql代碼

DROP TABLE IF EXISTS `authorities`;
CREATE TABLE `authorities` (
`id` int(10) NOT NULL auto_increment,
`name` varchar(20) default NULL,
`display_name` varchar(20) default NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Sql代碼

DROP TABLE IF EXISTS `users_roles`;
CREATE TABLE `users_roles` (
`user_id` int(10) NOT NULL,
`role_id` int(10) NOT NULL,
PRIMARY KEY (`user_id`,`role_id`),
KEY `FK_R_2` (`role_id`),
CONSTRAINT `FK_R_1` FOREIGN KEY (`user_id`) REFERENCES `users` (`id`),
CONSTRAINT `FK_R_2` FOREIGN KEY (`role_id`) REFERENCES `roles` (`id`)

Sql代碼

DROP TABLE IF EXISTS `roles_authorities`;
CREATE TABLE `roles_authorities` (
`role_id` int(10) NOT NULL,
`authority_id` int(10) NOT NULL,
PRIMARY KEY (`role_id`,`authority_id`),
KEY `FK_R_4` (`authority_id`),
CONSTRAINT `FK_R_3` FOREIGN KEY (`role_id`) REFERENCES `roles` (`id`),
CONSTRAINT `FK_R_4` FOREIGN KEY (`authority_id`) REFERENCES `authorities` (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Java代碼

package cn.com.sunjiesh.springmvcdemo.entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.MappedSuperclass;
/**
* 統一定義id的entity基類.
*
* @author calvin
*/
@MappedSuperclass
public class IdEntity {
private Long id;
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
public Long getId() {
return id;
}
public void setId(Long id) {
this.id = id;
}
}

Java代碼

package cn.com.sunjiesh.springmvcdemo.entity.user;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.persistence.CascadeType;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.OrderBy;
import javax.persistence.Table;
import javax.persistence.Transient;
import org.apache.commons.lang.builder.ToStringBuilder;
import org.hibernate.annotations.Cache;
import org.hibernate.annotations.CacheConcurrencyStrategy;
import org.hibernate.annotations.Fetch;
import org.hibernate.annotations.FetchMode;
import org.springside.modules.utils.CollectionUtils;
import cn.com.sunjiesh.springmvcdemo.entity.IdEntity;
/**
* 用戶.
*
* 注意@Cache(Entity與集合的緩存),@ManyToMany/@JoinTable(多對多關系),@OrderBy/LinkedHashSet(集合排序),@Transient(非持久化屬性)的應用.
*
* @author calvin
*/
@Entity
@Table(name = "USERS")
@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
public class User extends IdEntity {
private String loginName;
private String password;
private String name;
private String email;
private Set<Role> roles = new LinkedHashSet<Role>();
@Column(name="login_name")
public String getLoginName() {
return loginName;
}
public void setLoginName(String loginName) {
this.loginName = loginName;
}
@Column(name="password")
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
@Column(name="name")
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
@Column(name="email")
public String getEmail() {
return email;
}
public void setEmail(String email) {
this.email = email;
}
@ManyToMany(cascade = { CascadeType.PERSIST, CascadeType.MERGE },fetch=FetchType.EAGER)
@JoinTable(name = "USERS_ROLES", joinColumns = { @JoinColumn(name = "USER_ID") }, inverseJoinColumns = { @JoinColumn(name = "ROLE_ID") })
@OrderBy("id")
@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
public Set<Role> getRoles() {
return roles;
}
public void setRoles(Set<Role> roles) {
this.roles = roles;
}
@Transient
public String getRoleNames() throws Exception {
return CollectionUtils.fetchPropertyToString(roles, "name", ", ");
}
@SuppressWarnings("unchecked")
@Transient
public List<Long> getRoleIds() throws Exception {
return CollectionUtils.fetchPropertyToList(roles, "id");
}
@Override
public String toString() {
return ToStringBuilder.reflectionToString(this);
}
}

Java代碼

package cn.com.sunjiesh.springmvcdemo.entity.user;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.persistence.CascadeType;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.OrderBy;
import javax.persistence.Table;
import javax.persistence.Transient;
import org.apache.commons.lang.builder.ToStringBuilder;
import org.hibernate.annotations.Cache;
import org.hibernate.annotations.CacheConcurrencyStrategy;
import org.springside.modules.utils.CollectionUtils;
import cn.com.sunjiesh.springmvcdemo.entity.IdEntity;
/**
* 角色.
*
* 注意@Cache(Entity與集合的緩存),@ManyToMany/@JoinTable(多對多關系),@OrderBy/LinkedHashSet(集合排序),@Transient(非持久化屬性)的應用.
*
* @author calvin
*/
@Entity
@Table(name = "ROLES")
@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
public class Role extends IdEntity {
private String name;
private Set<Authority> auths = new LinkedHashSet<Authority>();
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
@ManyToMany(cascade = { CascadeType.PERSIST, CascadeType.MERGE },fetch=FetchType.EAGER)
@JoinTable(name = "ROLES_AUTHORITIES", joinColumns = { @JoinColumn(name = "ROLE_ID") }, inverseJoinColumns = { @JoinColumn(name = "AUTHORITY_ID") })
@OrderBy("id")
@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
public Set<Authority> getAuths() {
return auths;
}
public void setAuths(Set<Authority> auths) {
this.auths = auths;
}
@Transient
public String getAuthNames() throws Exception {
return CollectionUtils.fetchPropertyToString(auths, "displayName", ", ");
}
@SuppressWarnings("unchecked")
@Transient
public List<Long> getAuthIds() throws Exception {
return CollectionUtils.fetchPropertyToList(auths, "id");
}
@Override
public String toString() {
return ToStringBuilder.reflectionToString(this);
}
}

Java代碼

package cn.com.sunjiesh.springmvcdemo.entity.user;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Table;
import org.apache.commons.lang.builder.ToStringBuilder;
import org.hibernate.annotations.Cache;
import org.hibernate.annotations.CacheConcurrencyStrategy;
import cn.com.sunjiesh.springmvcdemo.entity.IdEntity;
/**
* 權限.
*
* @Cache使用READ_ONLY策略.
*
* @author calvin
*/
@Entity
@Table(name = "AUTHORITIES")
@Cache(usage = CacheConcurrencyStrategy.READ_ONLY)
public class Authority extends IdEntity {
private String name;
private String displayName;
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
@Column(name="display_name")
public String getDisplayName() {
return displayName;
}
public void setDisplayName(String displayName) {
this.displayName = displayName;
}
@Override
public String toString() {
return ToStringBuilder.reflectionToString(this);
}
}

Java代碼

package cn.com.sunjiesh.springmvcdemo.dao.iface;
import cn.com.sunjiesh.springmvcdemo.entity.user.User;
/**
*
* @author sunjie
* @since 2009-03-29
*
*/
public interface IUserDAO extends IBaseHibernateDAO<User> {
public User getUserByUserName(String username);
}

Java代碼

package cn.com.sunjiesh.springmvcdemo.dao.impl;
import org.apache.log4j.Logger;
import org.hibernate.Query;
import cn.com.sunjiesh.springmvcdemo.dao.iface.IUserDAO;
import cn.com.sunjiesh.springmvcdemo.entity.user.User;
public class UserDAOImpl extends BaseHibernateDAOImpl<User> implements IUserDAO {
private static Logger LOG = Logger.getLogger(UserDAOImpl.class);
public User getUserByUserName(String username) {
String hql = "from User where loginName = ?";
Query query = getSession().createQuery(hql);
query.setParameter(0, username);
User user = (User) query.list().get(0);
return user;
}
}

Java代碼

package cn.com.sunjiesh.springmvcdemo.service.security;
import java.util.ArrayList;
import java.util.List;
import org.apache.log4j.Logger;
import org.springframework.dao.DataAccessException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;
import cn.com.sunjiesh.springmvcdemo.dao.iface.IUserDAO;
import cn.com.sunjiesh.springmvcdemo.entity.user.Authority;
import cn.com.sunjiesh.springmvcdemo.entity.user.Role;
import cn.com.sunjiesh.springmvcdemo.entity.user.User;
/**
* 實現SpringSecurity的UserDetailsService接口,獲取用戶Detail信息.
* @author calvin
*/
public class UserDetailServiceImpl implements UserDetailsService{
private static Logger LOG=Logger.getLogger(UserDetailServiceImpl.class);
private IUserDAO userDao;
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
if(username==null){
LOG.error("username is null");
}
if(userDao==null){
LOG.error("userDao is null");
}
User user=userDao.getUserByUserName(username);
//TOTO 判斷用戶存在，如果不存在，則拋出異常。
if(user==null){
LOG.error(username+" is not exist", new UsernameNotFoundException(username+" is not exist"));
}
List<GrantedAuthority> authsList = new ArrayList<GrantedAuthority>();
System.out.println("user.getRoles().size()="+user.getRoles().size());
for (Role role : user.getRoles()) {
for (Authority authority : role.getAuths()) {
authsList.add(new GrantedAuthorityImpl(authority.getName()));
}
}
//TODO　
org.springframework.security.userdetails.User userdetail = new org.springframework.security.userdetails.User(
user.getLoginName(), user.getPassword(), true, true, true, true, authsList
.toArray(new GrantedAuthority[authsList.size()]));
return userdetail;
}
public void setUserDao(IUserDAO userDao) {
this.userDao = userDao;
}
}

Xml代碼

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name> SpringMVCDemo</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:/cn/com/sunjiesh/springmvcdemo/spring/spring-*.xml,/WEB-INF/springmvcdemo-servlet.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!--
Spring Security可以限制一個主體並行認證到同一系統的次數。
很多ISV利用這點來加強授權公里，網管也喜歡這個功能，因為它可以防止人們共享登錄名。
你可以，比如，禁止用戶"Batman"從兩個不同的會話登錄到web應用里。
-->
<listener>
<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class> org.springframework.web.filter.CharacterEncodingFilter
</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>gb2312</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>dwr-invoker</servlet-name>
<servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>dwr-invoker</servlet-name>
<url-pattern>/dwr/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>springmvcdemo</servlet-name>
<servlet-class> org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>WEB-INF/springmvcdemo-servlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springmvcdemo</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<jsp-config>
<taglib>
<taglib-uri>http://java.sun.com/jstl/fmt</taglib-uri>
<taglib-location>/WEB-INF/tlds/fmt.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jstl/fmt-rt</taglib-uri>
<taglib-location>/WEB-INF/tlds/fmt-rt.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jstl/core</taglib-uri>
<taglib-location>/WEB-INF/tlds/c.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jstl/core-rt</taglib-uri>
<taglib-location>/WEB-INF/tlds/c-rt.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jstl/sql</taglib-uri>
<taglib-location>/WEB-INF/tlds/sql.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jstl/sql-rt</taglib-uri>
<taglib-location>/WEB-INF/tlds/sql-rt.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jstl/x</taglib-uri>
<taglib-location>/WEB-INF/tlds/x.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jstl/x-rt</taglib-uri>
<taglib-location>/WEB-INF/tlds/x-rt.tld</taglib-location>
</taglib>
</jsp-config>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
</web-app>

Xml代碼

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
<bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<list>
<value>classpath:/cn/com/sunjiesh/springmvcdemo/spring/jdbc.properties</value>
</list>
</property>
</bean>
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
destroy-method="close">
<property name="driverClassName" value="${jdbc.driverClassName}" />
<property name="url" value="${jdbc.url}" />
<property name="username" value="${jdbc.username}" />
<property name="password" value="${jdbc.password}" />
</bean>
<bean id="sessionFactory"
class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
<property name="dataSource" ref="dataSource" />
<property name="annotatedClasses">
<list>
<value>cn.com.sunjiesh.springmvcdemo.entity.user.Authority</value>
<value>cn.com.sunjiesh.springmvcdemo.entity.user.Role</value>
<value>cn.com.sunjiesh.springmvcdemo.entity.user.User</value>
</list>
</property>
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
<prop key="hibernate.show_sql">true</prop>
<prop key="hibernate.cache.provider_class">org.hibernate.cache.EhCacheProvider</prop>
<prop key="hibernate.cache.use_second_level_cache">false</prop>
<prop key="hibernate.cache.use_query_cache">false</prop>
</props>
</property>
</bean>
<bean id="txManager"
class="org.springframework.orm.hibernate3.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory" />
</bean>
<bean id="baseTxService"
class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean"
abstract="true">
<property name="transactionManager" ref="txManager" />
<property name="proxyTargetClass" value="true" />
<property name="transactionAttributes">
<props>
<prop key="get*">PROPAGATION_REQUIRED,readOnly</prop>
<prop key="find*">PROPAGATION_REQUIRED,readOnly</prop>
<prop key="load*">PROPAGATION_REQUIRED,readOnly</prop>
<prop key="save*">PROPAGATION_REQUIRED</prop>
<prop key="update*">PROPAGATION_REQUIRED</prop>
<prop key="remove*">PROPAGATION_REQUIRED</prop>
</props>
</property>
</bean>
</beans>

Xml代碼

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<!--
Author By Sun Jie
Shared document
-->
<beans default-autowire="byName" default-lazy-init="true">
<bean id="userDaoTarget" class="cn.com.sunjiesh.springmvcdemo.dao.impl.UserDAOImpl">
</bean>
<bean id="userDao" parent="baseTxService">
<property name="target">
<ref bean="userDaoTarget"/>
</property>
</bean>
</beans>

Xml代碼

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<!--
FilterChainProxy會按順序來調用這些filter,使這些filter能享用Spring Ioc的功能
-->
<bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<security:filter-chain pattern="/user/**"
filters="httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter" />
</security:filter-chain-map>
</bean>
<!--
集成過濾器(HttpSessionContextIntegrationFilter是集成過濾器的一個實現)
每次request前HttpSessionContextIntegrationFilter從Session中獲取Authentication對象，在request完后
又把Authentication對象保存到Session中供下次request使用,此filter必須在其他Acegi filter前使用
-->
<bean id="httpSessionContextIntegrationFilter"
class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />
<!--
退出(Logout)過濾器退出登錄操作
-->
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
<constructor-arg value="/login.action" />
<constructor-arg>
<list>
<ref bean="rememberMeServices" />
<bean
class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
</list>
</constructor-arg>
</bean>
<!--
處理表單認證filter: 1.authenticationManager 認證管理器 2.authenticationFailureUrl
定義登錄失敗時轉向的頁面 3.defaultTargetUrl 定義登錄成功時轉向的頁面 4.filterProcessesUrl
定義登錄請求的地址 5.rememberMeServices 在驗證成功后添加cookie信息
-->
<bean id="authenticationProcessingFilter"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"></property>
<property name="authenticationFailureUrl" value="/user/login.jsp"></property>
<property name="defaultTargetUrl" value="/user/index.jsp"></property>
<property name="filterProcessesUrl" value="/user/j_spring_security_check"></property>
<property name="rememberMeServices" ref="rememberMeServices"></property>
</bean>
<bean id="basicProcessingFilter"
class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
<property name="authenticationManager">
<ref bean="authenticationManager" />
</property>
<property name="authenticationEntryPoint">
<bean id="authenticationEntryPoint"
class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
<property name="realmName">
<value>Name Of Your Realm</value>
</property>
</bean>
</property>
</bean>
<bean id="securityContextHolderAwareRequestFilter"
class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter" />
<!--
如果不存在任何授權信息時，自動添加匿名用戶身份至SecurityContextHolder中
-->
<bean id="anonymousProcessingFilter"
class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
<property name="key" value="springsecurity"></property>
<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"></property>
</bean>
<!--
異常處理filter(異常轉換過濾器)，主要是處理AccessDeniedException和AuthenticationException，
將給每個異常找到合適的"去向"
-->
<bean id="exceptionTranslationFilter"
class="org.springframework.security.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint" />
<property name="accessDeniedHandler">
<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
<property name="errorPage" value="/accessDenied.jsp" />
</bean>
</property>
</bean>
<!--
使用過濾器安全攔截器保護資源
filterSecurityInterceptor在執行轉向目標url前檢查objectDefinitionSource中設定的用戶權限信息,
安全強制過濾器負責攔截請求，判斷請求是否安全，並且給予認證和訪問決策管理器一個機會來驗證用戶的身份和權限過程：
首先，過濾器安全攔截器使用authenticationManager調用自己的provider來對用戶的認證信息進行驗證並獲取用戶已有的權限。
然后，使用訪問決策管理器來判斷用戶是否擁用合適的授權來訪問受保護的資源。
(objectDefinitionSource屬性定義了訪問URL需要的權限信息)
最后，有投票者根據用戶持有認證和訪問url需要的屬性，調用自己的voter來投票，決定是否允許訪問。
-->
<bean id="filterSecurityInterceptor"
class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"></property>
<property name="accessDecisionManager" ref="accessDecisionManager"></property>
<!--
<property name="objectDefinitionSource"
ref="objectDefinitionSource"></property>
-->
<property name="objectDefinitionSource">
<security:filter-invocation-definition-source>
<security:intercept-url pattern="/secure/super/**"
access="ROLE_WE_DONT_HAVE" />
<security:intercept-url pattern="/secure/**"
access="ROLE_SUPERVISOR,ROLE_TELLER" />
<security:intercept-url pattern="/login.action*"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/user/user!save.action*"
access="ROLE_MODIFY_USER" />
<security:intercept-url pattern="/user/user!delete.action*"
access="ROLE_MODIFY_USER" />
<security:intercept-url pattern="/user/user*.action*"
access="ROLE_VIEW_USER" />
<security:intercept-url pattern="/user/role!save.action*"
access="ROLE_MODIFY_ROLE" />
<security:intercept-url pattern="/user/role!delete.action*"
access="ROLE_MODIFY_ROLE" />
<security:intercept-url pattern="/user/role*.action*"
access="ROLE_VIEW_ROLE" />
</security:filter-invocation-definition-source>
</property>
</bean>
<!--
訪問決策管理器
驗證用戶是否有權限訪問相應的資源(filterSecurityInterceptor中objectDefinitionSource屬性定義的訪問URL需要的屬性信息)
-->
<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased"
p:allowIfAllAbstainDecisions="false">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.vote.RoleVoter" />
<bean class="org.springframework.security.vote.AuthenticatedVoter" />
</list>
</property>
</bean>
<bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl" value="/login.jsp" />
<property name="forceHttps" value="false" />
</bean>
<!--
認證管理器(org.springframework.security.AuthenticationManager接口)
org.springframework.security.providers.ProviderManager是認證管理器的一個實現,
ProviderManager通過遍歷一個提供者的集合來實現身份驗證, 直到某一個認證提供者能夠成功地驗證該用戶的身份
-->
<!--
通過Providers提供認證者列表,如果一個認證提供者失敗可以嘗試另外一個認證提供者,以保證獲取不同來源的身份認證，如
DaoAuthenticationProvider 從數據庫中讀取用戶信息驗證身份
AnonymousAuthenticationProvider 匿名用戶身份認證
RememberMeAuthenticationProvider 已存cookie中的用戶信息身份認證其它的還有
AuthByAdapterProvider 使用容器的適配器驗證身份 CasAuthenticationProvider
根據Yale中心認證服務驗證身份, 用於實現單點登陸 JaasAuthenticationProvider
從JASS登陸配置中獲取用戶信息驗證身份 RemoteAuthenticationProvider 根據遠程服務驗證用戶身份
RunAsImplAuthenticationProvider 對身份已被管理器替換的用戶進行驗證
X509AuthenticationProvider 從X509認證中獲取用戶信息驗證身份
TestingAuthenticationProvider 單元測試時使用
每個認證者會對自己指定的證明信息進行認證，如DaoAuthenticationProvider僅對UsernamePasswordAuthenticationToken這個證明信息進行認證。
-->
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider" />
<ref local="anonymousAuthenticationProvider" />
</list>
</property>
</bean>
<bean id="daoAuthenticationProvider"
class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService"></property>
</bean>
<bean id="anonymousAuthenticationProvider"
class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
<property name="key" value="springsecurity"></property>
</bean>
<bean id="rememberMeServices"
class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
<property name="key" value="springsecurity"></property>
<property name="userDetailsService" ref="userDetailsService"></property>
</bean>
<bean id="userDetailsService"
class="cn.com.sunjiesh.springmvcdemo.service.security.UserDetailServiceImpl">
<property name="userDao" ref="userDao"></property>
</bean>
<bean id="passwordEncoder"
class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />
<bean id="loggerListener"
class="org.springframework.security.event.authentication.LoggerListener" />
</beans>

Xml代碼

<?xml version="1.0" encoding="UTF-8"?>
<!--
Author Sun Jie
-->
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
<bean id="methodNameResolver"
class="org.springframework.web.servlet.mvc.multiaction.ParameterMethodNameResolver">
<property name="paramName" value="method" />
<property name="defaultMethodName" value="index" />
</bean>
<bean id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass"
value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix" value="/" />
</bean>
<bean id="adminHandlerMapping"
class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="mappings">
<props>
<prop key="/user/login.do">userLoginController</prop>
</props>
</property>
</bean>
<bean id="userLoginController" class="cn.com.sunjiesh.springmvcdemo.web.user.LoginController"
autowire="byName">
<property name="successView" value="/user/index.jsp" />
<property name="errorView" value="" />
</bean>
</beans>

Html代碼

<%@ page contentType="text/html;charset=gb2312"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
<%@ page import="org.springframework.security.ui.AbstractProcessingFilter"%>
<%@ page import="org.springframework.security.ui.webapp.AuthenticationProcessingFilter"%>
<%@ page import="org.springframework.security.AuthenticationException"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>SpringMVCDemo登錄頁</title>
<%@ include file="/common/meta.jsp"%>
<script src="${ctx}/js/validate/jquery.validate.js" type="text/javascript"></script>
<script src="${ctx}/js/validate/messages_cn.js" type="text/javascript"></script>
<script>
$(document).ready(function(){
$("#loginForm").validate();
});
</script>
</head>
<body>
<c:set var="ctx" value="${pageContext.request.contextPath}"/>
<div id="content">
<%
if (session.getAttribute(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY) != null) {
%>
<span style="color:red"> 登錄失敗，請重試. </span>
<%
}
%>
<h2>SpringMVCDemo示例</h2>
<h3>--CRUD管理界面演示</h3>
<form id="loginForm" action="${ctx}/user/j_spring_security_check" method="post">
<table class="inputView">
<tr>
<td>
用戶名:
</td>
<td>
<input type='text' name='j_username'
<c:if test="${not empty param.error}"> value='<%=session.getAttribute(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY)%>'</c:if> class="required"/>
</td>
</tr>
<tr>
<td>
密碼:
</td>
<td>
<input type='password' name='j_password' class="required" />
</td>
</tr>
<tr>
<td colspan='2'>
<input value="登錄" type="submit" />
</td>
</tr>
</table>
</form>
</div>
</body>
</html>

Spring Security應用實例（一）：用戶登錄

免責聲明！