Getting started with Spring Security Demo

Spring Security is a security framework that provides declarative access control for Spring-based enterprise applications. It supplies a set of beans that are configured in the Spring application context and makes full use of Spring's IoC (Inversion of Control), DI (Dependency Injection) and AOP (aspect-oriented programming) features to give applications declarative security access control, which removes much of the repetitive code that enterprise security control would otherwise require.

Next, I will take you step by step through building and using a first Spring Security project.

We need to make the following preparations:

  • Have a maven environment
  • Create a web project based on maven

Introduce dependencies

  • Because Spring Security is built on Spring, the Spring jar packages must be introduced together with the Spring Security jar packages.
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>cn.rayfoo</groupId>
    <artifactId>springSecurity-demo</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>war</packaging>

    <properties>
        <spring.version>4.2.4.RELEASE</spring.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-core</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-web</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context-support</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-test</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-jdbc</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>4.1.0.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>4.1.0.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
            <version>2.5</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <!-- Java compiler plugin -->
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.2</version>
                <configuration>
                    <source>1.8</source>
                    <target>1.8</target>
                    <encoding>UTF-8</encoding>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.tomcat.maven</groupId>
                <artifactId>tomcat7-maven-plugin</artifactId>
                <configuration>
                    <!-- specify the port -->
                    <port>9090</port>
                    <!-- request (context) path -->
                    <path>/</path>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>

Configure web.xml

  • To use Spring Security, you need to configure a filter in web.xml that filters the requested paths. It is worth mentioning that the filter we use is the filter proxy from spring-web (DelegatingFilterProxy). Giving it the filter-name springSecurityFilterChain is enough for it to pick up Spring Security's interception automatically.
  • At the same time, you also need to load the Spring Security configuration file.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring-security.xml</param-value>
    </context-param>
    <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

Configure the Spring Security configuration file

  • Since <security:xx></security:xx> is used frequently in this configuration file, the security namespace can be declared as the default namespace on the root element: <beans:beans xmlns="http://www.springframework.org/schema/security" ...></beans:beans>. The security: prefix can then be omitted.
  • The <http></http> tag is used to create interception rules.
    • use-expressions: whether to enable SpEL expressions; the default is true.
    • If SpEL expressions are enabled, you cannot use a bare literal in the access attribute; you must write an expression such as hasRole("ROLE_USER").
  • intercept-url: this sub-tag specifies a concrete interception rule.
    • pattern: this attribute specifies which paths to intercept. For example, /img intercepts /img/xxx requests (a request to /img/xx/xx is not intercepted), /* means everything in the first-level directory, and /** intercepts all requests. This differs slightly from the url-pattern syntax in web.xml.
    • access: this attribute specifies a role name. The role name must start with the uppercase prefix ROLE_ (including the underscore).
  • <form-login/>: means that the login page is provided by Spring Security. After the user's account and password are verified successfully, the browser is automatically redirected to index.html. The tag can also specify a custom login page and which pages to jump to after success or failure.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- page interception rules -->
    <http use-expressions="false">
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login/>
    </http>

    <!-- authentication manager -->
    <authentication-manager>
        <!-- authentication provider -->
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_USER"/>
                <user name="root" password="root" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

At this point, once the project is started, any request is intercepted and redirected to the login page provided by Spring Security. After a successful login it automatically jumps to index.html.
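The post mentions that with use-expressions="true" (the Spring Security 4 default) the access attribute must hold an expression such as hasRole("ROLE_USER"), but never shows such a file. The following spring-security.xml is an added example, not part of the original post: it rewrites the rules above in expression form and uses a few extra Ant-style patterns (/css/**, /img/*, /admin/**, all assumed paths) to show how pattern depth and rule order behave. The ROLE_ADMIN authority on the admin user is likewise a constructed addition.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post): the same interception rules
     written with use-expressions="true", the default in Spring Security 4. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <http use-expressions="true">
        <!-- Ant-style patterns: "/img/*" matches exactly one path segment below
             /img, "/css/**" matches any depth below /css, "/**" matches every
             request. Rules are evaluated top to bottom and the first matching
             pattern wins, so the most specific patterns must come first. -->
        <intercept-url pattern="/css/**" access="permitAll" />
        <intercept-url pattern="/img/*" access="permitAll" />
        <!-- With expressions enabled the role is wrapped in hasRole(...);
             a bare "ROLE_USER" literal cannot be evaluated as an expression. -->
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <!-- login page generated by Spring Security, as in the post -->
        <form-login/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- constructed sample users; "admin" additionally gets ROLE_ADMIN
                     so the /admin/** rule has something to match -->
                <user name="admin" password="admin" authorities="ROLE_USER,ROLE_ADMIN"/>
                <user name="root" password="root" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

With this file the catch-all /** rule is still last, so a request that matches none of the more specific patterns falls through to it and requires ROLE_USER; putting /** first would shadow every rule below it.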

Custom login page

Since the login page generated by Spring Security is only suitable for a test environment, a custom login page is used in production. So how do we specify the login page?

  • First we need to prepare the login page. The form on the login page must provide two fields named username and password. Spring Security reads these two values and compares them with the users configured in <user name="admin" password="admin" authorities="ROLE_USER"/>. If they match exactly, the login succeeds; otherwise it fails.

  • Since we intercepted /** above, when using a custom login page you must release the related resources and pages (the login page, and any other pages that can be accessed without logging in). Otherwise access to login.html is blocked and redirected to /login.html, which is blocked again, and so on, until the browser reports too many redirects and the page cannot be reached.

  • Configure resource release: add an <http> tag for each resource, specifying pattern and security="none", to release the related pages.

    <http pattern="/login.html" security="none"></http>
    <http pattern="/login_error_page.html" security="none"></http>
    <http pattern="/css/**" security="none"></http>
    <http pattern="/js/**" security="none"></http>
  • Solve cross-domain issues
    • Because Spring Security supports JSP files by default, it provides a request header, X-CSRF-TOKEN, when the form is submitted. This header prevents cross-site request forgery, commonly known as "cross-domain".
    • Since we are using plain HTML pages, we solve this cross-domain problem by turning off Spring Security's CSRF protection.
    • The tag must be configured inside <http use-expressions="false">.
<csrf disabled="true"/>
  • Configure a custom login page
    • login-page: the user's login page
    • default-target-url: the page the user is sent to after a successful login
    • authentication-failure-url: the page displayed after a failed login
    <!-- page interception rules -->
    <http use-expressions="false">
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page="/login.html" default-target-url="/index.html" authentication-failure-url="/login_error_page.html"/>
        <csrf disabled="true"/>
    </http>
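The custom-login steps above are spread over several fragments. The following spring-security.xml is an added example, not the post's own file, that assembles them into one complete configuration. It assumes a static login.html whose form POSTs fields named username and password to /login; the login-processing-url, username-parameter and password-parameter attributes are real form-login attributes whose values here are the Spring Security 4 defaults, spelled out so the HTML form can be written to match.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post): complete spring-security.xml
     for the custom login page, assembled from the fragments in the text. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Requests matching these patterns bypass the security filter chain
         entirely: no authentication is required, but no CSRF or security
         header processing happens for them either, so keep the list to
         genuinely public resources. -->
    <http pattern="/login.html" security="none"/>
    <http pattern="/login_error_page.html" security="none"/>
    <http pattern="/css/**" security="none"/>
    <http pattern="/js/**" security="none"/>

    <!-- everything else requires ROLE_USER -->
    <http use-expressions="false">
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <!-- The form in login.html must be:
               <form method="post" action="/login">
                 <input name="username"/> <input name="password" type="password"/>
               </form>
             login-processing-url and the two parameter names below are the
             Spring Security 4 defaults, listed explicitly for clarity. -->
        <form-login login-page="/login.html"
                    login-processing-url="/login"
                    username-parameter="username"
                    password-parameter="password"
                    default-target-url="/index.html"
                    authentication-failure-url="/login_error_page.html"/>
        <!-- The post disables CSRF because a static HTML form cannot carry the
             token. Leaving <csrf/> enabled (the default) and rendering the
             token into the form, for example from a JSP, keeps the protection
             while still using a custom login page. -->
        <csrf disabled="true"/>
    </http>

    <!-- same in-memory users as in the post -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_USER"/>
                <user name="root" password="root" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

Note the attribute is spelled disabled, not disable; the namespace schema rejects an unknown attribute on the csrf element, so a misspelling shows up as a context-load failure at startup rather than silently leaving protection on.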

Custom login authentication and password encryption: see you in the next article ~

Source: www.cnblogs.com/zhangruifeng/p/12741537.html