本項目是根據 http://www.blogjava.net/SpartaYew/archive/2011/05/19/SpingSecurity3.html 第二種方法實現的,並將之改爲 Spring Security 3.1 版本。
本項目基於 Spring Security 3.1 + Oracle 10。
使用到的兩個表(用戶表和權限表)的 SQL 語句如下,用戶和權限都存放在數據庫中。注意:PASSWORD 欄位應存放密碼的雜湊值而非明文(BCrypt 雜湊爲 60 個字符,VARCHAR2(50) 不夠用);另外下文的 <remember-me data-source-ref="dataSource"/> 會把「記住我」令牌存入數據庫,還需要 Spring Security 自帶的 persistent_logins 表。
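-- Schema for Spring Security 3.1 JdbcUserDetailsManager on Oracle 10.
-- Oracle folds unquoted identifiers to upper case, so these match the
-- default queries (users / authorities) used by the manager.

-- PASSWORD holds a password *hash*, never the clear-text value.
-- A BCrypt hash is 60 characters, so the original VARCHAR2(50) is too narrow.
CREATE TABLE users (
    username   VARCHAR2(50)  NOT NULL,
    password   VARCHAR2(100) NOT NULL,   -- hashed (BCrypt = 60 chars)
    enabled    NUMBER(1)     NOT NULL,   -- 1 = account may log in, 0 = disabled
    usernamecn VARCHAR2(50),             -- display name (Chinese)
    CONSTRAINT users_pk            PRIMARY KEY (username),
    CONSTRAINT users_enabled_check CHECK (enabled IN (0, 1))
);

-- One row per (user, role). The FK stops orphan grants; the unique constraint
-- stops the same role being granted twice. JdbcUserDetailsManager deletes a
-- user's authorities before the user row, so no ON DELETE action is needed.
CREATE TABLE authorities (
    username  VARCHAR2(50) NOT NULL,
    authority VARCHAR2(50) NOT NULL,
    CONSTRAINT authorities_users_fk FOREIGN KEY (username) REFERENCES users (username),
    CONSTRAINT authorities_username_authority_uk UNIQUE (username, authority)
);

-- Required by <remember-me data-source-ref="dataSource"/>: the persistent token
-- repository (JdbcTokenRepositoryImpl) reads and writes this table by name.
CREATE TABLE persistent_logins (
    username  VARCHAR2(64) NOT NULL,
    series    VARCHAR2(64) NOT NULL,
    token     VARCHAR2(64) NOT NULL,
    last_used TIMESTAMP    NOT NULL,
    CONSTRAINT persistent_logins_pk PRIMARY KEY (series)
);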
相關配置
將權限與資源(URL 或 Action)的對應關係配置在 XML 文件中,同時配置 Spring Security 3 的其他相關內容:
1. applicationContext-security.xml 代碼:
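<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
                             http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                             http://www.springframework.org/schema/security
                             http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Static resources bypass the filter chain entirely. In 3.1 this is
         security="none" on a separate <http> element; the 3.0-era
         <intercept-url filters="none"/> is no longer supported.
         A request matching here gets NO SecurityContext, session handling or
         authorization check, so keep this list to genuinely public assets.
         ** spans directories, * does not. Matching by file extension anywhere
         under /** is hard to audit; a dedicated /static/** directory is safer. -->
    <http pattern="/**/*.jpg" security="none" />
    <http pattern="/**/*.png" security="none" />
    <http pattern="/**/*.gif" security="none" />
    <http pattern="/**/*.css" security="none" />
    <http pattern="/**/*.js"  security="none" />
    <http pattern="/login.jsp" security="none" />
    <http pattern="/jsp/forgotpassword.jsp" security="none" />

    <!-- auto-config="true" adds form-login, http-basic and logout
         (/j_spring_security_logout) with default settings. -->
    <http auto-config="true">
        <!-- Role -> URL mapping. Rules are evaluated top-down, first match wins.
             On login the user's authorities are loaded from the AUTHORITIES table;
             on each request they are compared against the matching rule and an
             AccessDeniedException is raised when the role is missing.
             /admin/** protects everything under the directory, not only *.jsp at
             one level as the original /admin/*.jsp did. -->
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
        <intercept-url pattern="/lxb/**"   access="ROLE_LXB" />
        <intercept-url pattern="/user/**"  access="ROLE_USER" />

        <!-- Pages the filter redirects to must stay reachable without a login,
             otherwise the redirect just bounces to the login page. -->
        <intercept-url pattern="/sessionTimeout.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/accessDenied.jsp"   access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <!-- Default deny. Without a catch-all, any URL not listed above has no
             access attribute and FilterSecurityInterceptor lets anonymous users
             through. IS_AUTHENTICATED_REMEMBERED also admits remember-me sessions. -->
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />

        <!-- Failure URL points at the same login page as login-page; the original
             mixed /login.jsp and /login.html. -->
        <form-login login-page="/login.jsp"
                    authentication-failure-url="/login.jsp?error=true" />

        <!-- Replaces the deprecated access-denied-page attribute. -->
        <access-denied-handler error-page="/accessDenied.jsp" />

        <!-- Persistent "remember me": tokens are stored in the persistent_logins
             table on dataSource (JdbcTokenRepositoryImpl), so that table must
             exist. Once the site is served over HTTPS, add use-secure-cookie="true"
             so the token cookie is never sent in clear. -->
        <remember-me data-source-ref="dataSource" />

        <!-- Requests carrying an invalid/expired session id are sent to this URL.
             session-fixation-protection is spelled out so the default (a new
             session id is issued on login) is visible to reviewers. -->
        <session-management invalid-session-url="/sessionTimeout.jsp"
                            session-fixation-protection="migrateSession" />
    </http>

    <!-- The alias lets other beans inject the AuthenticationManager by name. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetailsManager">
            <!-- Stored passwords are BCrypt hashes (salted, 60 chars; the USERS.PASSWORD
                 column must be wider than VARCHAR2(50)). Without this element the
                 provider compares the submitted password to the stored value as
                 clear text, which is what the original did. -->
            <password-encoder hash="bcrypt" />
        </authentication-provider>
    </authentication-manager>
</b:beans>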
2. applicationContext.xml
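<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:jee="http://www.springframework.org/schema/jee"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/aop
                           http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
                           http://www.springframework.org/schema/tx
                           http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
                           http://www.springframework.org/schema/jee
                           http://www.springframework.org/schema/jee/spring-jee-3.0.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.0.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util-3.0.xsd">

    <!-- JDBC settings come from jdbc.properties on the classpath. The original
         hard-coded the Oracle sample account scott/scott here; credentials belong
         in an externalised, un-versioned file, and a demo schema account should
         not be reused as the application's login store. Expected keys:
             jdbc.driverClassName=oracle.jdbc.driver.OracleDriver
             jdbc.url=jdbc:oracle:thin:@127.0.0.1:1521:ORCL
             jdbc.username=<app account>
             jdbc.password=<app password> -->
    <context:property-placeholder location="classpath:jdbc.properties" />

    <!-- DriverManagerDataSource opens a new connection for every request: fine
         for this demo, but use a pooled DataSource or a <jee:jndi-lookup> in
         production. -->
    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="${jdbc.driverClassName}" />
        <property name="url"             value="${jdbc.url}" />
        <property name="username"        value="${jdbc.username}" />
        <property name="password"        value="${jdbc.password}" />
    </bean>

    <!-- Logs authentication/authorization events (AuthenticationCredentialsNotFoundEvent,
         AuthorizationFailureEvent, AuthorizedEvent, PublicInvocationEvent). -->
    <bean class="org.springframework.security.authentication.event.LoggerListener" />

    <!-- Password hashing. The Md5PasswordEncoder the original left commented out is
         unsalted MD5 and is trivially reversed with precomputed tables; BCrypt is
         salted and deliberately slow. Use it either via
         <password-encoder ref="passwordEncoder"/> or <password-encoder hash="bcrypt"/>
         in the security config, and call encode() on it when creating users -
         JdbcUserDetailsManager.createUser() stores whatever password it is given. -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <!-- User store backed by the USERS / AUTHORITIES tables using the default
         queries. The user-cache wiring is left off as in the original. -->
    <bean id="userDetailsManager" class="org.springframework.security.provisioning.JdbcUserDetailsManager">
        <property name="dataSource" ref="dataSource" />
        <!-- <property name="userCache" ref="userCache" /> -->
    </bean>

    <!-- JdbcTemplate for the application's own authority-related reads/writes. -->
    <bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate">
        <property name="dataSource" ref="dataSource" />
    </bean>
</beans>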
3. web.xml
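<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">
    <display-name>springsecurity</display-name>

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>

    <!-- Both Spring contexts are loaded by the ContextLoaderListener below. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:applicationContext.xml
            classpath:applicationContext-security.xml
        </param-value>
    </context-param>

    <!-- Session cookie hardening (Servlet 3.0). HttpOnly keeps JSESSIONID out of
         reach of script, so an XSS cannot read it. Add <secure>true</secure> once
         the application is served over HTTPS only; on plain http://localhost the
         browser would drop a secure cookie and login would silently fail.
         The timeout is in minutes (30 matches the usual container default). -->
    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>

    <!-- Delegates to the Spring bean named "springSecurityFilterChain", which the
         <http> namespace configuration registers. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <!-- Filters every URL. Only REQUEST dispatches are covered by default; if the
         app adds <error-page> entries or server-side forwards that must see the
         SecurityContext, add <dispatcher>ERROR</dispatcher> / <dispatcher>FORWARD</dispatcher>. -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Loads the root application context of this web app at startup. -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
</web-app>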
若某個資源(URL 或 Action)沒有配置對應的權限,Spring Security 3 就會認爲該 URL 不需要檢測,匿名用戶也可以直接訪問。因此除了逐條列出受保護的路徑外,建議在最後加上一條形如 <intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" /> 的兜底規則,做到默認拒絕。
主要內容大概就是這些,其餘部分請參考上傳的項目,補充缺省的內容。
啓動服務,打開瀏覽器,輸入 http://localhost:8080/SpringSecurity/user/user.jsp,因爲有權限限制,會跳轉到登錄頁面;輸入 user 帳號和密碼登錄後就可以進入 user.jsp 頁面(本示例未對密碼加密,數據庫中存的是明文,僅供演示;實際項目中必須在 authentication-provider 下配置 password-encoder,例如 bcrypt,並只在 PASSWORD 欄位存放雜湊值)。如果將 URL 改爲 http://localhost:8080/SpringSecurity/admin/admin.jsp,會跳轉到權限不足的界面。