spring security simple entry

spring security simple entry example

I. Overview

Spring Security is able to provide a secure access control declarative security framework Spring-based solutions for enterprise applications.

The most important security operation has two.

Certification: the establishment of a body he declared for the user, the user's login is completed

Authorization: refers to a user can perform an action in the application. Prior authorization has completed authentication of the user.

Second, Quick Start Case

1. Create a java web project

Use idea + maven create a java web project directory as follows

And created the login page, login failure page, and login success page, login.html, success.html, failed.html, as well as engineering Home index.jsp

2. Import dependence

Pom file contents are as follows

<?xml version="1.0" encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.lyy</groupId>
  <artifactId>web_03_security_quicklystart</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>war</packaging>

  <name>web_03_security_quicklystart Maven Webapp</name>
  <!-- FIXME change it to the project's website -->
  <url>http://www.example.com</url>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <spring.version>5.0.2.RELEASE</spring.version>
    <spring.security.version>5.0.1.RELEASE</spring.security.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context-support</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-test</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-jdbc</artifactId>
      <version>${spring.version}</version>
    </dependency>

    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-web</artifactId>
      <version>${spring.security.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>${spring.security.version}</version>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>3.1.0</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.tomcat.maven</groupId>
          <artifactId>tomcat7-maven-plugin</artifactId>
            <version>2.1</version>
              <configuration>
                <port>80</port>
                <path>/</path>
                <uriEncoding>UTF-8</uriEncoding>
                <server>tomcat7</server>
              </configuration>
      </plugin>

    </plugins>
  </build>
</project>

3. Create spring security configuration file

the spring-security.xml follows

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security.xsd">

    <!--spring-security的入门配置-->

    <!--配置哪些资源不会被拦截 /xxx表示根路径下的某个资源-->
    <security:http security="none" pattern="/login.html"/>
    <security:http security="none" pattern="/failed.html"/>

    <security:http auto-config="true" use-expressions="false">
        <!-- 配置链接地址，表示任意路径都需要ROLE_USER权限 -->
        <security:intercept-url pattern="/**" access="ROLE_USER"/>

        <!--自定义登录页面-->
        <security:form-login login-page="/login.html" login-processing-url="/login"
                             username-parameter="username" password-parameter="password"
                             authentication-failure-forward-url="/failed.html"
                             default-target-url="/success.html" authentication-success-forward-url="/success.html"

        />
        <!--关闭csrf,默认是开启的-->
        <security:csrf disabled="true"/>
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <!--这里配置了两个用户,分别具有USER和ADMIN的权限-->
            <security:user-service>
                <security:user name="user" password="{noop}user"
                               authorities="ROLE_USER"/>
                <security:user name="admin" password="{noop}admin"
                               authorities="ROLE_ADMIN"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

The main contents of this configuration file are as follows:

(1) Configuration security without resource access control, such as logging and failure page

<!--配置哪些资源不会被拦截 /xxx表示根路径下的某个资源-->
<security:http security="none" pattern="/login.html"/>
<security:http security="none" pattern="/failed.html"/>

(2) configure any paths need permission ROLE_USER

(3) configuration uses a custom login page

(4) arranged two users, each having a USER and ADMIN permissions

Note that the prefix must bring ROLE_ configuration path access

4. The filter spring security configuration in web.xml

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                      http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <display-name>Archetype Created Web Application</display-name>

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring-security.xml</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
</web-app>

Note springSecurityFilterChain this filter name can not be changed

5. Start project

Start project, enter localhost access, login page will appear as follows

Use user: user and admin: admin These two accounts are to complete the login, the login is successful will jump to the login success page

have to be aware of is:

Configuration file is that all resources should be ROLE_USER right to access, so if a user after successful login, you can access other resources to the project, such as home; but log in with admin, because only ROLE_ADMIN rights, it can not access project other resources