Spring3.x Security 容易应用
Spring3.x Security 简单应用
Security 配置文件:
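<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Resources that bypass the security filter chain entirely (no session, no authentication). -->
    <http pattern="/favicon.ico" security="none" />
    <!-- ...... (further security="none" patterns omitted in the original listing) -->
    <!-- 404 page -->
    <http pattern="/404.html" security="none" />

    <!-- Main filter chain.
         auto-config="true" also registers HTTP Basic authentication; set it to false
         if only the form login below is wanted.
         disable-url-rewriting="true" keeps ;jsessionid=... out of URLs (session id leak hardening).
         NOTE(review): Spring Security 3.1 has no built-in CSRF protection, so state-changing
         endpoints (including /logout.do below, which accepts a plain link) need a CSRF token
         filter or an upgrade to 3.2+. -->
    <http auto-config="true" access-decision-manager-ref="accessDecisionManager"
        disable-url-rewriting="true" request-matcher="ant">
        <!-- Every URL requires at least a remember-me authentication. -->
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />

        <!-- Form login -->
        <form-login login-page="/login/login.do" login-processing-url="/doLogin.do"
            authentication-success-handler-ref="loginSuccessHandler"
            authentication-failure-handler-ref="loginFailureHandler" />

        <!-- Logout link -->
        <logout logout-url="/logout.do" />

        <!-- One session per user: the older session is expired instead of rejecting
             the new login (error-if-maximum-exceeded="false"). -->
        <session-management invalid-session-url="/login/login.do">
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="false"
                expired-url="/login/login.do" />
        </session-management>

        <!-- Remember-me.
             key signs the remember-me cookie and must match the key of rememberMeServices below.
             NOTE(review): "rocks" is a short, guessable, hard-coded secret checked into the
             config; use a long random value loaded from outside version control.
             use-secure-cookie="false" lets the long-lived cookie travel over plain HTTP;
             switch it to true once the site is served over HTTPS. -->
        <remember-me services-ref="rememberMeServices" key="rocks" use-secure-cookie="false"
            authentication-success-handler-ref="rememberMeSuccessHandler" />

        <!-- Custom filter appended after the last standard filter -->
        <custom-filter ref="urlAuthenticationFilter" after="LAST" />
    </http>

    <!-- Custom filter implementation -->
    <beans:bean id="urlAuthenticationFilter" class="com.xxx.security.UrlAuthenticationFilter" />
    <!-- Login success handling -->
    <beans:bean id="loginSuccessHandler" class="com.xxx.security.LoginSuccessHandler" />
    <!-- Login failure handling -->
    <beans:bean id="loginFailureHandler" class="com.xxx.security.LoginFailureHandler" />
    <!-- Success handling for logins performed through remember-me -->
    <beans:bean id="rememberMeSuccessHandler" class="com.xxx.security.RememberMeSuccessHandler" />

    <!-- Password hashing.
         Replaces the original Md5PasswordEncoder: unsalted MD5 is fast and rainbow-table
         reversible, so a leaked user table exposes the passwords directly. BCrypt
         (spring-security-crypto, shipped with Spring Security 3.1) salts each password and
         is deliberately slow; the 3.1 namespace accepts this encoder type via ref.
         Migration: hashes already stored as MD5 will no longer verify and must be re-encoded
         (forced password reset, or a transitional encoder that still verifies the old format). -->
    <beans:bean id="passwordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <!-- Authentication.
         NOTE(review): erase-credentials="false" keeps the submitted clear-text password
         inside the Authentication object (and therefore in the HTTP session) after login.
         Drop the attribute (default true) unless something downstream genuinely needs it. -->
    <authentication-manager alias="authenticationManager" erase-credentials="false">
        <authentication-provider user-service-ref="customerDetailsBiz">
            <password-encoder ref="passwordEncoder" />
        </authentication-provider>
    </authentication-manager>

    <!-- Remember-me login flow; key must equal the key on <remember-me> above -->
    <beans:bean id="rememberMeServices" class="com.xxx.customer.biz.CustomerRememberMeBiz">
        <beans:property name="userDetailsService" ref="customerDetailsBiz" />
        <beans:property name="key" value="rocks" />
    </beans:bean>

    <!-- UserDetailsService implementation: loads the user attempting to log in from the database -->
    <beans:bean id="customerDetailsBiz" class="com.xxx.customer.biz.CustomerDetailsBiz" />

    <!-- Access decision: one voter, and an all-abstain result denies access -->
    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="allowIfAllAbstainDecisions" value="false" />
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </beans:list>
        </beans:property>
    </beans:bean>
</beans:beans>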
登录成功处理:
LoginSuccessHandler
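package com.xxx.security;

/**
 * Runs after a successful form login (wired as loginSuccessHandler in the
 * security XML).
 *
 * <p>NOTE(review): the handler neither redirects nor writes to the response, so
 * as written the client receives an empty reply after logging in. A success
 * handler is expected to complete the response (for example by delegating to
 * SavedRequestAwareAuthenticationSuccessHandler); the target page is not part
 * of this listing, so that is left as a TODO.
 *
 * @author Theodore
 */
public class LoginSuccessHandler implements AuthenticationSuccessHandler {

    private static final Log log = LogFactory.getLog(LoginSuccessHandler.class);

    /**
     * Login audit hook; currently only a debug trace.
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication auth)
            throws IOException, ServletException {
        log.debug("...LoginSuccessHandler@onAuthenticationSuccess...");
        // TODO: login audit log, then redirect to the post-login page
    }

    /**
     * Best-effort client address for audit logging.
     *
     * <p>Security caveat: X-Forwarded-For, Proxy-Client-IP and WL-Proxy-Client-IP
     * are ordinary request headers that any client can set. They are only
     * trustworthy when a reverse proxy in front of this application overwrites
     * them; without such a proxy rely on {@code request.getRemoteAddr()}. Never
     * use the result for an access decision.
     *
     * <p>X-Forwarded-For may carry a comma-separated chain ("client, proxy1,
     * proxy2"); only the first hop is used, so a single address is returned
     * instead of the whole chain as before.
     *
     * @param request current request
     * @return first X-Forwarded-For hop, else one of the proxy headers, else
     *         the socket peer address
     */
    public String getIpAddr(HttpServletRequest request) {
        String ip = firstHop(request.getHeader("x-forwarded-for"));
        if (isUnusable(ip)) {
            ip = request.getHeader("Proxy-Client-IP");
        }
        if (isUnusable(ip)) {
            ip = request.getHeader("WL-Proxy-Client-IP");
        }
        if (isUnusable(ip)) {
            ip = request.getRemoteAddr();
        }
        // Header-derived text is written to the log: strip CR/LF so a crafted
        // header cannot forge extra log lines.
        log.debug("ip:::" + String.valueOf(ip).replace('\r', ' ').replace('\n', ' '));
        return ip;
    }

    /** Leading entry of a comma-separated header value, trimmed; null stays null. */
    private static String firstHop(String headerValue) {
        if (headerValue == null) {
            return null;
        }
        int comma = headerValue.indexOf(',');
        return (comma < 0 ? headerValue : headerValue.substring(0, comma)).trim();
    }

    /** True for null, empty, or the literal "unknown" some proxies send. */
    private static boolean isUnusable(String ip) {
        return ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip);
    }
}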
登录失败处理:
LoginFailureHandler
package com.xxx.security;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Invoked when a form login fails (wired as loginFailureHandler in the
 * security XML).
 *
 * <p>The body is intentionally empty in this listing; an implementation would
 * typically redirect back to the login page or write a failure notice. Keep
 * that notice generic ("invalid username or password") — telling an unknown
 * user apart from a wrong password lets an attacker enumerate accounts.
 *
 * @author Theodore
 */
public class LoginFailureHandler implements AuthenticationFailureHandler {

    /**
     * Failure hook. Nothing is written to the response here.
     *
     * @param request   the failed login request
     * @param response  response to redirect or write the failure notice to
     * @param exception why authentication failed; do not expose its message verbatim
     */
    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException exception)
            throws IOException, ServletException {
        // Failure handling goes here, e.g. report the failure to the client.
    }
}
记住我:
RememberMeSuccessHandler
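package com.xxx.security;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Runs when a request is authenticated through the remember-me cookie (wired
 * as rememberMeSuccessHandler on the remember-me element in the security XML).
 *
 * <p>NOTE(review): this handler does nothing with the response. If the
 * remember-me filter stops the filter chain once a success handler is
 * configured (as the 3.x RememberMeAuthenticationFilter does), a no-op here
 * leaves every remember-me request unanswered; the handler should redirect or
 * otherwise complete the response. Verify against the filter version in use.
 *
 * @author Theodore
 */
public class RememberMeSuccessHandler implements AuthenticationSuccessHandler {

    private static final Log log = LogFactory
            .getLog(RememberMeSuccessHandler.class);

    /**
     * Audit hook for remember-me logins; currently only a debug trace.
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication auth)
            throws IOException, ServletException {
        log.debug("...RememberMeSuccessHandler@onAuthenticationSuccess...");
        // TODO: login audit log, then complete the response (see class note)
    }

    /**
     * Best-effort client address for audit logging.
     *
     * <p>Security caveat: X-Forwarded-For, Proxy-Client-IP and WL-Proxy-Client-IP
     * are ordinary request headers that any client can set. They are only
     * trustworthy when a reverse proxy in front of this application overwrites
     * them; without such a proxy rely on {@code request.getRemoteAddr()}. Never
     * use the result for an access decision.
     *
     * <p>X-Forwarded-For may carry a comma-separated chain ("client, proxy1,
     * proxy2"); only the first hop is used, so a single address is returned
     * instead of the whole chain as before.
     *
     * @param request current request
     * @return first X-Forwarded-For hop, else one of the proxy headers, else
     *         the socket peer address
     */
    public String getIpAddr(HttpServletRequest request) {
        String ip = firstHop(request.getHeader("x-forwarded-for"));
        if (isUnusable(ip)) {
            ip = request.getHeader("Proxy-Client-IP");
        }
        if (isUnusable(ip)) {
            ip = request.getHeader("WL-Proxy-Client-IP");
        }
        if (isUnusable(ip)) {
            ip = request.getRemoteAddr();
        }
        return ip;
    }

    /** Leading entry of a comma-separated header value, trimmed; null stays null. */
    private static String firstHop(String headerValue) {
        if (headerValue == null) {
            return null;
        }
        int comma = headerValue.indexOf(',');
        return (comma < 0 ? headerValue : headerValue.substring(0, comma)).trim();
    }

    /** True for null, empty, or the literal "unknown" some proxies send. */
    private static boolean isUnusable(String ip) {
        return ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip);
    }
}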
CustomerDetailsBiz
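import java.util.List;

/**
 * Loads the customer backing a login attempt (the UserDetailsService wired as
 * customerDetailsBiz in the security XML).
 *
 * @author Theodore
 */
public class CustomerDetailsBiz extends BaseBiz<Customer, CustomerDao> implements UserDetailsService {

    private static final Log log = LogFactory.getLog(CustomerDetailsBiz.class);

    @Resource
    private CustomerBiz xxxBiz;

    /**
     * Looks the customer up by login name and returns it as the UserDetails
     * the authentication provider checks the submitted password against.
     *
     * <p>Fix: the original returned a freshly constructed empty {@code Customer}
     * when nothing was found. That breaks the UserDetailsService contract
     * (unknown users are signalled with UsernameNotFoundException, as the
     * method's own throws clause says) and hands the provider a principal with
     * no username, password or authorities, so the outcome depends entirely on
     * how Customer's empty state happens to be interpreted. Throwing is the
     * documented path; the namespace-configured DaoAuthenticationProvider hides
     * this exception by default, so the client still sees the same generic
     * bad-credentials result as for a wrong password.
     *
     * @param userId login name submitted on the form
     * @return the matching customer (which must implement UserDetails)
     * @throws UsernameNotFoundException when no customer has that login name
     */
    @Override
    public UserDetails loadUserByUsername(String userId) throws UsernameNotFoundException {
        Customer customer = xxxBiz.getCustomer(userId);
        if (customer == null) {
            // Message is for server-side logs only; never echo it to the client.
            throw new UsernameNotFoundException("No customer found for login name: " + userId);
        }
        // TODO: per-account state (enabled / locked / expired) belongs on the
        // Customer's UserDetails flags, which the provider evaluates itself.
        return customer;
    }
}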