ssm整合security-基础用法之security基本配置介绍

认证方式
  1. HTTP Basic:在请求受保护资源时,浏览器会弹出一个认证窗口供用户登录。
<!-- HTTP Basic: the browser prompts for credentials when a protected resource is requested -->
<security:http>
    <security:http-basic/>
</security:http>
  2. FormLogin:在请求受保护资源时,会跳转到登录界面。
<!-- Form login: an unauthenticated request for a protected resource is sent to the login page -->
<security:http>
    <security:form-login />
</security:http>

关闭 CSRF 防护(示例中为简化而关闭;正式环境应保留该防护,并在表单提交中携带 CSRF token)
<!-- NOTE(review): disabled="true" switches Spring Security's CSRF filter off for this
     <security:http> block entirely rather than configuring it; outside a demo keep it
     enabled and submit the _csrf token with state-changing forms. -->
<security:csrf disabled="true"/>
拦截方式
pattern:需要拦截的资源
access:拦截方式
isFullyAuthenticated():该资源需要认证后才可以访问
isAnonymous():只有匿名用户才可以访问(已登录用户无法访问)
permitAll():允许所有人(匿名和已登录用户)访问
  • 示例:
<!-- permitAll(): /product/index is reachable by anonymous and authenticated users alike -->
<security:intercept-url pattern="/product/index" access="permitAll()"/>

自定义登录请求与登录界面
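<!-- login-page: the page unauthenticated users are sent to;
     login-processing-url: the URL the login form posts its credentials to.
     (The original placed "//" comments inside the element, which is not valid XML.) -->
<security:form-login
        login-page="/login"
        login-processing-url="/securityLogin"/>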
认证管理器
   <!-- In-memory user store for the demo: a single account granted ROLE_USER.
        NOTE(review): Spring Security 5+ expects an encoder id prefix on stored passwords
        (e.g. "{noop}123456" for plain text) - confirm the project's Spring Security version. -->
   <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
<!-- name: username     password: password    authorities: granted authorities -->
                <security:user name="eric" password="123456" authorities="ROLE_USER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
user-service 配置实现用户权限访问控制
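<!-- hasRole('ROLE_ADMIN'): only users holding ROLE_ADMIN may reach /product/add.
     The original pattern was "/product/add " with a trailing space, which never matches
     the real request path, so the rule would silently not apply. -->
<security:intercept-url pattern="/product/add" access="hasRole('ROLE_ADMIN')"/>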
自定义 UserDetailsService 实现类实现用户权限访问控制
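public class MyUserDetailService implements UserDetailsService {

    /** The only account this demo service knows about. */
    private static final String DEMO_USERNAME = "medua";

    /**
     * Looks up the account for the username submitted at login.
     *
     * @param s the username entered on the login form
     * @return the demo user, granted ROLE_ADMIN and ROLE_USER
     * @throws UsernameNotFoundException if {@code s} is not the demo username
     */
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        // The original ignored the argument and returned the same user for every
        // username, so any login name paired with the demo password succeeded.
        if (!DEMO_USERNAME.equals(s)) {
            throw new UsernameNotFoundException("user not found: " + s);
        }
        // Demo-only hard-coded credentials. NOTE(review): Spring Security 5+ expects an
        // encoder id prefix on the stored password (e.g. "{noop}123456") - confirm version.
        return new User(DEMO_USERNAME, "123456",
                AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_ADMIN,ROLE_USER"));
    }
}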

<!-- Authenticate through the custom UserDetailsService bean instead of the in-memory user-service -->
<security:authentication-manager>
    <security:authentication-provider user-service-ref="myUserDetailService">
    </security:authentication-provider>
</security:authentication-manager>
<!-- Bean referenced above by id; the class is the MyUserDetailService shown earlier -->
<bean id="myUserDetailService" class="red.bury.security.MyUserDetailService"></bean>

自定义权限不足界面
<!-- Page shown to an authenticated user who lacks the authority required for a resource -->
<security:access-denied-handler error-page="/error"/>

自定义登录成功与失败处理逻辑
  • 关键点:

  • 1)登录成功处理:AuthenticationSuccessHandler

  • 2)登录失败处理:AuthenticationFailureHandler

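public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    /** Jackson helper used to serialise the JSON reply. */
    private final ObjectMapper objectMapper = new ObjectMapper();

    /**
     * Answers a successful login with a small JSON body instead of a redirect.
     *
     * @param httpServletRequest  the login request
     * @param httpServletResponse the response the JSON body is written to
     * @param authentication      the authenticated principal (not used here)
     * @throws IOException if writing the response fails
     * @throws ServletException declared by the interface; not thrown here
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest,
                                        HttpServletResponse httpServletResponse,
                                        Authentication authentication)
            throws IOException, ServletException {
        Map<String, Object> result = new HashMap<>();
        result.put("success", true);
        String json = objectMapper.writeValueAsString(result);
        // The original declared "text/json;charset=utf08": "utf08" is not a charset name,
        // so the body went out in the container's default encoding. Declare UTF-8 explicitly
        // and use the standard JSON media type.
        httpServletResponse.setCharacterEncoding("UTF-8");
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        httpServletResponse.getWriter().write(json);
    }
}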
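// NOTE(review): this listing repeats MyAuthenticationSuccessHandler verbatim. The text above
// announces a failure handler and the bean config below declares
// red.bury.security.MyAuthenticationFailureHandler, so the intended second class presumably
// implements AuthenticationFailureHandler - confirm against the project source.
public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    /** Jackson helper used to serialise the JSON reply. */
    private final ObjectMapper objectMapper = new ObjectMapper();

    /**
     * Answers a successful login with a small JSON body instead of a redirect.
     *
     * @param httpServletRequest  the login request
     * @param httpServletResponse the response the JSON body is written to
     * @param authentication      the authenticated principal (not used here)
     * @throws IOException if writing the response fails
     * @throws ServletException declared by the interface; not thrown here
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest,
                                        HttpServletResponse httpServletResponse,
                                        Authentication authentication)
            throws IOException, ServletException {
        Map<String, Object> result = new HashMap<>();
        result.put("success", true);
        String json = objectMapper.writeValueAsString(result);
        // "text/json;charset=utf08" in the original names no real charset; declare UTF-8
        // explicitly and use the standard JSON media type.
        httpServletResponse.setCharacterEncoding("UTF-8");
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        httpServletResponse.getWriter().write(json);
    }
}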

<!-- Wire the custom success/failure handlers into form login; both are beans declared below -->
<security:http>
    <security:form-login authentication-success-handler-ref="myAuthenticationSuccessHandler"
                         authentication-failure-handler-ref="myAuthenticationFailureHandler"/>
</security:http>
<!-- Authenticate through the custom UserDetailsService bean -->
<security:authentication-manager>
    <security:authentication-provider user-service-ref="myUserDetailService">
    </security:authentication-provider>
</security:authentication-manager>
<!-- Beans referenced by id above -->
<bean id="myUserDetailService" class="red.bury.security.MyUserDetailService"></bean>
<bean id="myAuthenticationSuccessHandler" class="red.bury.security.MyAuthenticationSuccessHandler"></bean>
<bean id="myAuthenticationFailureHandler" class="red.bury.security.MyAuthenticationFailureHandler"></bean>

开启security注解配置
<!-- Enables @Secured on methods (method-level authorization) -->
<security:global-method-security secured-annotations="enabled"></security:global-method-security>

  • 使用方法
/** Returns the "product/productadd" view name; @Secured limits it to ROLE_ADD_PRODUCT. */
@RequestMapping("/add")
@Secured("ROLE_ADD_PRODUCT")
public String add() {
    return "product/productadd";
}
/** Returns the "product/productupdate" view name; @Secured limits it to ROLE_UPDATE_PRODUCT. */
@RequestMapping("/update")
@Secured("ROLE_UPDATE_PRODUCT")
public String update() {
    return "product/productupdate";
}
/** Returns the "product/productdelete" view name; @Secured limits it to ROLE_DELETE_PRODUCT. */
@RequestMapping("/delete")
@Secured("ROLE_DELETE_PRODUCT")
public String delete() {
    return "product/productdelete";
}
/** Returns the "product/productlist" view name; @Secured limits it to ROLE_LIST_PRODUCT. */
@RequestMapping("/list")
@Secured("ROLE_LIST_PRODUCT")
public String list() {
    return "product/productlist";
}
开启pre-post-annotations注解配置
<!-- Enables the expression-based @PreAuthorize / @PostAuthorize annotations on methods -->
<security:global-method-security pre-post-annotations="enabled"></security:global-method-security>
  • 使用方法
/** Returns the "product/productadd" view name; @PreAuthorize requires ROLE_ADD_PRODUCT. */
@RequestMapping("/add")
@PreAuthorize("hasRole('ROLE_ADD_PRODUCT')")
public String add() {
    return "product/productadd";
}
/** Returns the "product/productupdate" view name; @PreAuthorize requires ROLE_UPDATE_PRODUCT. */
@RequestMapping("/update")
@PreAuthorize("hasRole('ROLE_UPDATE_PRODUCT')")
public String update() {
    return "product/productupdate";
}
/** Returns the "product/productdelete" view name; @PreAuthorize requires ROLE_DELETE_PRODUCT. */
@RequestMapping("/delete")
@PreAuthorize("hasRole('ROLE_DELETE_PRODUCT')")
public String delete() {
    return "product/productdelete";
}
/** Returns the "product/productlist" view name; @PreAuthorize requires ROLE_LIST_PRODUCT. */
@RequestMapping("/list")
@PreAuthorize("hasRole('ROLE_LIST_PRODUCT')")
public String list() {
    return "product/productlist";
}