A small Spring Security framework demo

Preface:

  In the earlier JavaWeb and SSM parts we used a Filter or interceptors to control login. Now we use Spring Security for login control.

I. A small Spring Security demo

  1. Create a new project and import the Maven dependencies

<properties>
    <spring.version>4.2.4.RELEASE</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context-support</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-test</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-jdbc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-web</artifactId>
      <version>4.1.0.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>4.1.0.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>2.5</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <!-- Java compiler plugin -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.2</version>
        <configuration>
          <source>1.7</source>
          <target>1.7</target>
          <encoding>UTF-8</encoding>
        </configuration>
      </plugin>
      <plugin>
        <groupId>org.apache.tomcat.maven</groupId>
        <artifactId>tomcat7-maven-plugin</artifactId>
        <configuration>
          <!-- Port to listen on -->
          <port>9090</port>
          <!-- Context path -->
          <path>/</path>
        </configuration>
      </plugin>
    </plugins>
  </build>

  2. The web.xml configuration file

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <!-- Load the spring-security configuration file -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring-security.xml</param-value>
  </context-param>
  <listener>
    <listener-class>
      org.springframework.web.context.ContextLoaderListener
    </listener-class>
  </listener>
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>

  3. The spring-security.xml configuration file

intercept-url defines which pages are intercepted.

/* matches the resources in that directory only; lower-level directories are not included.

/** matches the resources in that directory and in all of its subdirectories.

form-login enables form-based login.

use-expressions controls whether Spring Expression Language (SpEL) is used. The default is true; if it is turned on, the interception configuration should be written in the form

login-processing-url="/login2" specifies a different login page.

username-parameter="" and password-parameter="" override the parameter names used for the user's login name and password.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Page interception rules. use-expressions controls whether SpEL is used; it defaults to true -->
    <http use-expressions="false">
        <intercept-url pattern="/**" access="ROLE_USER" />
        <!-- Enable form login. login-processing-url="/login2" can be added to specify a different login page -->
        <form-login />
    </http>

    <!-- Authentication manager -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- More roles can be added after ROLE_USER; the user must hold the roles required above -->
                <user name="ADMIN" password="123456" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

 

 

II. Create our own login screen

  By default, a request that is not logged in is redirected to our own login screen; if the login fails, it is redirected to the failure page.

  1. Create login.html and login_error.html

login.html:

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Login</title>
</head>
<body>

--Welcome to my login system--
<form action="/login" method="post">
    User name: <input name="username"><br>
    Password: <input type="password" name="password"><br>
    <button>Login</button>
</form>
</body>
</html>

login_error.html:

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Home</title>
</head>
<body>
User name or password wrong~~~
</body>
</html>

  2. Modify the spring-security.xml configuration file

security="none" marks a resource as not intercepted.

login-page: specifies the login page.
authentication-failure-url: specifies the page to jump to when authentication fails.
default-target-url: specifies the page shown to the user by default after successful authentication and authorization.

csrf disabled="true" turns off CSRF protection. Spring Security 4 enables it by default and would reject the POST from this static login.html, which carries no CSRF token.

 

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- The following pages are not intercepted -->
    <http pattern="/login.html" security="none"></http>
    <http pattern="/login_error.html" security="none"></http>
    <!-- Configure the interception rules -->
    <http use-expressions="false">
        <!-- Intercept requests and redirect to the login page; access requires ROLE_USER.
             /* matches this directory level only; use /** to also cover subdirectories. -->
        <intercept-url pattern="/*" access="ROLE_USER" />
        <form-login login-page="/login.html" default-target-url="/index.html" authentication-failure-url="/login_error.html" />
        <csrf disabled="true" />
    </http>
    <!-- Authentication manager -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- More roles can be added after ROLE_USER; the user must hold the roles required above -->
                <user name="ADMIN" password="123456" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

If the login page is not set to security="none", the following error will occur.

 Note:

  When I wrote the login page setting at the bottom as "login.html" and forgot the "/", I got the above error, so I hope you pay attention to this.

 After this, accessing a page jumps to the login screen we created, and only after entering the correct user name and password does it jump to the page index.html.
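The difference between /* and /** described earlier decides which requests the intercept-url rule actually covers. The following added example (not part of the original post) uses spring-core's AntPathMatcher, which is already a dependency in the pom above, to model the lookup: security="none" patterns first, then the intercept-url rules in order. The class name, the decide helper and the sample paths /admin/report.html and /css/site.css are assumptions made for illustration; a request that matches no rule has no access requirement attached to it.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.util.AntPathMatcher;

// Added example: a simplified model of the demo's rule lookup, not Spring Security's own code.
public class InterceptCoverageCheck {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Returns what applies to a path: security="none" patterns are checked first,
    // then the intercept-url rules in declaration order (first match wins).
    static String decide(String path, String[] unsecured, Map<String, String> rules) {
        for (String pattern : unsecured) {
            if (MATCHER.match(pattern, path)) {
                return "security=none";
            }
        }
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (MATCHER.match(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return "NO RULE (not protected)";
    }

    public static void main(String[] args) {
        // Patterns taken from the configuration in this post.
        String[] unsecured = {"/login.html", "/login_error.html"};

        Map<String, String> singleLevel = new LinkedHashMap<String, String>();
        singleLevel.put("/*", "ROLE_USER");   // rule used in the second configuration
        Map<String, String> allLevels = new LinkedHashMap<String, String>();
        allLevels.put("/**", "ROLE_USER");    // rule used in the first configuration

        // Constructed sample request paths; the nested ones are hypothetical.
        String[] paths = {"/index.html", "/login.html", "/admin/report.html", "/css/site.css"};

        for (String path : paths) {
            System.out.printf("%-20s /* -> %-26s /** -> %s%n",
                    path,
                    decide(path, unsecured, singleLevel),
                    decide(path, unsecured, allLevels));
        }
    }
}
```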

 

 

 

 

 


Origin www.cnblogs.com/guanyuehao0107/p/11856220.html