Maven設置
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>添加Security XML文件
文件名:applicationContext-security.xml
文件位置:src/main/resource/spring/applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
</beans> 設置web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>最小化配置securityXML
在applicationContext-security.xml中添加如下內容
<http>
<intercept-url pattern="/**" access="hasRole('USER')" />
<form-login />
<logout />
</http>intercept-url:根據pattern攔截url請求
form-login:使用一個有username和password的表單進行登錄
logout:退出系統
添加用戶信息用於測試
在applicationContext-security.xml中添加如下內容
<authentication-manager>
<authentication-provider>
<user-service>
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>元素:認證管理器
元素: 認證提供者
元素:用戶服務,創建了兩個賬戶,保存在內存中。
注意各元素之間的關係
訪問頁面
重啓服務器,會有一個默認的登錄頁面
http://localhost/你的項目名當沒有指定登錄用的表單頁面時,Spring Security 會生成一個默認登錄低低頁面。
編寫login.jsp
login.jsp位於項目的根目錄(webRoot)下
<body>
<form name="f" action="login" method="post">
<fieldset>
<legend>Please Login</legend>
<label for="username">Username</label>
<input type="text" id="username" name="username" value="${username}"/>
<label for="password">Password</label>
<input type="password" id="password" name="password"/>
<div class="form-actions">
<button type="submit" class="btn">Log in</button>
</div>
</fieldset>
</form>
</body>相應的securityXML 設置
<http pattern="/css/**" security="none"/>
<http pattern="/login.jsp*" security="none"/>
<http use-expressions="false">
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/login.jsp'/>
</http>當元素的屬性use-expressions=”false”時,的access屬性值爲ROLE_USER
當元素的屬性use-expressions=”true”或沒有此屬性時,的access屬性值爲hasRole(‘USER’)
當不想寫login.jsp時
<http use-expressions="false">
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic />
</http>這時會彈出一個窗口用於用戶登錄信息的錄入。大概是這樣子。
設置登錄成功後的跳轉頁面
<form-login login-page='/login.jsp' default-target-url='/home.jsp'
always-use-default-target='true' />default-target-url:登錄成功後跳轉頁面
always-use-default-target:總是跳轉到default-target-url定義的頁面
給密碼加密
<beans:bean name="bcryptEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<authentication-manager>
<authentication-provider>
<password-encoder ref="bcryptEncoder"/>
<user-service>
<user name="jimi" password="d7e6351eaa13189a5a3641bab846c8e8c69ba39f"
authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="4e7421b1b8765d8f9406d87e7cc6aa784c4ab97f"
authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
其它問題
當遇到
HTTP Status 403 - Could not verify the provided CSRF token because your session was not found.參考:http://blog.csdn.net/yiifaa/article/details/71744120?utm_source=itdadao&utm_medium=referral