The underlying principle of Spring Security is an interceptor chain. The previous article built a Spring project using annotations.
There, a custom interceptor was written by implementing the HandlerInterceptor interface that Spring provides, together with its three methods,
with the validation logic defined in the preHandle method. Once defined, the interceptor was injected and then registered in the servletContext configuration class, after which it could be used.
That approach is session-based authentication and authorization.
Spring Security provides a ready-made framework for authentication and authorization. The steps below briefly explain how to quickly build a Spring Security project.
1 Create a Maven project
2 Add the Spring Security dependencies to the pom
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.1.5.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.1.5.RELEASE</version>
    </dependency>
3 As in the previous article, create two configuration classes: one for the Spring container, equivalent to applicationContext.xml,
and one for the servletContext container, equivalent to springmvc.xml. This time there is no need to register our own interceptor.
4 Load the Spring container
5 Once those are configured, define the security configuration
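    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.password.NoOpPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.security.provisioning.InMemoryUserDetailsManager;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        // Configure the user information service (two in-memory demo users)
        @Bean
        public UserDetailsService userDetailsService() {
            InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
            manager.createUser(User.withUsername("zhangsan").password("111").authorities("a1", "a2").build());
            manager.createUser(User.withUsername("lisi").password("222").authorities("b1", "b2").build());
            return manager;
        }

        // Define a password encoder.
        // NoOpPasswordEncoder compares passwords as plain text and is deprecated;
        // it is only suitable for a demo like this one.
        @Bean
        public PasswordEncoder passwordEncoder() {
            return NoOpPasswordEncoder.getInstance();
        }

        // Define the security interception mechanism.
        // This overrides the adapter's method; it is not a bean definition.
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/r/**").authenticated()   // everything under /r/ requires login
                    .anyRequest().permitAll()               // all other requests are open
                    .and()
                    .formLogin()
                    .successForwardUrl("/login-sucess");    // forward here after a successful login
        }
    }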
6 Load the configuration class
In the getRootConfigClasses method, add the configuration class to the returned array.
7 Initialize Spring Security. Because a Spring environment is already in use here, no extra code is needed.
If you are not using a Spring environment, you need to pass WebSecurityConfig (the Spring Security configuration class) to the parent class,
so that it can create a Spring context.
    import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

    public class SpringSecurityApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
        public SpringSecurityApplicationInitializer() {
            // super(WebSecurityConfig.class); // add this line only when Spring or Spring MVC is not already in use
        }
    }
8 So that a login click (and the end of authentication) lands on our own pages, change the login address in the servletContext configuration class:
    // Redirect the root path to the login page
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/").setViewName("redirect:/login");
    }
9 Define the /login-sucess request in the controller. Spring Security's default logout request is /logout.
10 Test
11 Add the authorization rules to the configuration class
    http.authorizeRequests()
            .antMatchers("/r/r1").hasAuthority("a1")    // /r/r1 requires authority a1
            .antMatchers("/r/r2").hasAuthority("b1")    // /r/r2 requires authority b1
            .antMatchers("/r/**").authenticated()       // anything else under /r/ only requires login
            .anyRequest().permitAll()
            .and()
            .formLogin()
            .successForwardUrl("/login-sucess");
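The rules in step 11 are evaluated in declaration order and the first matching pattern decides, so the specific /r/r1 and /r/r2 rules must stay above /r/**. The following is an added example, not code from the original article and not Spring Security's implementation: a simplified model of that evaluation, assuming only spring-core's AntPathMatcher on the classpath (the RuleOrderDemo and Rule names are hypothetical).

```java
import org.springframework.util.AntPathMatcher;
import java.util.*;

// Simplified model of first-match-wins rule evaluation (illustration only).
public class RuleOrderDemo {
    // One rule: an Ant pattern plus the authority it demands.
    // authority == null means "any authenticated user"; "*" means permitAll.
    static final class Rule {
        final String pattern, authority;
        Rule(String pattern, String authority) { this.pattern = pattern; this.authority = authority; }
    }

    static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Walk the rules in declaration order; the first pattern that matches decides.
    // userAuthorities == null models an anonymous (not logged in) request.
    static boolean allowed(List<Rule> rules, String path, Set<String> userAuthorities) {
        for (Rule r : rules) {
            if (!MATCHER.match(r.pattern, path)) continue;
            if ("*".equals(r.authority)) return true;      // permitAll
            if (userAuthorities == null) return false;     // login required
            return r.authority == null || userAuthorities.contains(r.authority);
        }
        return false; // no rule matched: deny in this model
    }

    public static void main(String[] args) {
        // Constructed sample: zhangsan's authorities from step 5
        Set<String> zhangsan = new HashSet<>(Arrays.asList("a1", "a2"));

        // Order used in step 11: specific rules first
        List<Rule> asInStep11 = Arrays.asList(
                new Rule("/r/r1", "a1"), new Rule("/r/r2", "b1"),
                new Rule("/r/**", null), new Rule("/**", "*"));
        // Misordered variant: the broad /r/** rule shadows the specific ones
        List<Rule> broadFirst = Arrays.asList(
                new Rule("/r/**", null), new Rule("/r/r1", "a1"),
                new Rule("/r/r2", "b1"), new Rule("/**", "*"));

        System.out.println("step 11, zhangsan, /r/r1: " + allowed(asInStep11, "/r/r1", zhangsan));
        System.out.println("step 11, zhangsan, /r/r2: " + allowed(asInStep11, "/r/r2", zhangsan));
        System.out.println("broad first, zhangsan, /r/r2: " + allowed(broadFirst, "/r/r2", zhangsan));
        System.out.println("step 11, anonymous, /r/r2: " + allowed(asInStep11, "/r/r2", null));
    }
}
```

With the step 11 order, zhangsan is denied /r/r2 because the b1 rule decides; with /r/** listed first, the same request is allowed because any authenticated user satisfies the first matching rule.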