Spring Security Framework Integration

The framework demo can be found in SVN: https://svnbucket.com

1. Configuration files

   pom.xml

    <!-- Authentication -->
	<dependency>
		<groupId>org.springframework.security</groupId>
		<artifactId>spring-security-web</artifactId>		
	</dependency>
	<dependency>
		<groupId>org.springframework.security</groupId>
		<artifactId>spring-security-config</artifactId>		
	</dependency>

web.xml

      <context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>classpath:spring/spring-security.xml</param-value>
	 </context-param>
	 <listener>
		<listener-class>
			org.springframework.web.context.ContextLoaderListener
		</listener-class>
	 </listener>	
	 <filter>  
		<filter-name>springSecurityFilterChain</filter-name>  		
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  
	 </filter>  
	 <filter-mapping>  
		<filter-name>springSecurityFilterChain</filter-name>  
		<url-pattern>/*</url-pattern>  
	 </filter-mapping>	

spring-security.xml

    <!-- The following pages and resources are not intercepted -->
	<http pattern="/login.html" security="none"></http>
	<http pattern="/css/**" security="none"></http>
	<http pattern="/img/**" security="none"></http>
	<http pattern="/js/**" security="none"></http>
	<http pattern="/plugins/**" security="none"></http>
	
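	<!-- Page interception rules -->
	<http use-expressions="false">
		<!-- "/**" also covers nested paths such as /admin/index.html; "/*" matches a single path segment only -->
		<intercept-url pattern="/**" access="ROLE_ADMIN" />
		<form-login login-page="/login.html"  default-target-url="/admin/index.html" authentication-failure-url="/login.html" always-use-default-target="true"/>	
		<!-- Disables CSRF token checks for every request handled by this chain, including /login and /logout -->
		<csrf disabled="true"/>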
		<headers>
			<frame-options policy="SAMEORIGIN"/>
		</headers>
	</http>

	<!-- Authentication manager -->
	<authentication-manager>
		<authentication-provider>
			<user-service>
				<!-- In-memory demo users; the passwords are stored here in plaintext -->
				<user name="admin" password="12345678" authorities="ROLE_ADMIN"/>
				<user name="sunwukong" password="houzi" authorities="ROLE_ADMIN"/>
			</user-service>		
		</authentication-provider>	
	</authentication-manager>

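Configuration notes:

        always-use-default-target: specifies whether the user is always redirected to the URL given by the default-target-url attribute after authentication succeeds.

        If your system uses framed pages, set the frame-options policy to SAMEORIGIN: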

<headers>
	<frame-options policy="SAMEORIGIN"/>
</headers>
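
A small audit of a spring-security.xml like the one above, as an added example that is not part of the original post: it flags a disabled CSRF filter, passwords kept in the file without an encoder, and a default-target-url that no intercept-url pattern covers (Ant-style `/*` matches one path segment, `/**` matches nested paths). The `audit` and `ant_match` helpers, the finding codes and the embedded sample are constructed for illustration, and `ant_match` is a simplification of Spring's Ant path matching.

```python
import re
import xml.etree.ElementTree as ET

NS = {"s": "http://www.springframework.org/schema/security"}

# Constructed sample that mirrors the demo settings shown on this page.
SAMPLE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http pattern="/login.html" security="none"/>
  <http use-expressions="false">
    <intercept-url pattern="/*" access="ROLE_ADMIN"/>
    <form-login login-page="/login.html" default-target-url="/admin/index.html"/>
    <csrf disabled="true"/>
  </http>
  <authentication-manager><authentication-provider><user-service>
    <user name="admin" password="12345678" authorities="ROLE_ADMIN"/>
  </user-service></authentication-provider></authentication-manager>
</beans:beans>"""

def ant_match(pattern, path):
    """Simplified Ant-style match: '**' spans path segments, '*' stays in one."""
    rx = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                 for p in re.split(r"(\*\*|\*)", pattern))
    return re.fullmatch(rx, path) is not None

def audit(xml_text):
    """Return sorted finding codes for a spring-security.xml document."""
    root = ET.fromstring(xml_text)
    findings = set()
    for http in root.findall("s:http", NS):
        if http.get("security") == "none":
            continue  # no filter chain on these paths, nothing to evaluate
        csrf = http.find("s:csrf", NS)
        if csrf is not None and csrf.get("disabled") == "true":
            findings.add("CSRF_DISABLED")
        patterns = [u.get("pattern", "") for u in http.findall("s:intercept-url", NS)]
        login = http.find("s:form-login", NS)
        target = login.get("default-target-url") if login is not None else None
        # The post-login page must itself be covered by an access rule.
        if target and not any(ant_match(p, target) for p in patterns):
            findings.add("UNPROTECTED_TARGET:" + target)
    for prov in root.iter("{%s}authentication-provider" % NS["s"]):
        has_encoder = prov.find("s:password-encoder", NS) is not None
        for user in prov.iter("{%s}user" % NS["s"]):
            pw = user.get("password", "")
            # Assumption: "{id}" prefixes follow Spring Security 5's delegating encoder.
            if pw.startswith("{noop}") or not (has_encoder or pw.startswith("{")):
                findings.add("PLAINTEXT_PASSWORD:" + user.get("name", "?"))
    return sorted(findings)
```

Calling `audit(SAMPLE)` reports all three findings for the constructed sample; a file with `/**`, CSRF left enabled and encoded passwords returns an empty list.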

Login page

<form id="loginform" action="/login" method="post"  class="sui-form">
		<input id="prependedInput"  name="username" type="text" placeholder="郵箱/用戶名/手機號" class="span2 input-xfat">
		<input id="prependedInput"  name="password" type="password" placeholder="請輸入密碼" class="span2 input-xfat">
	<div class="setting">
		<a class="sui-btn btn-block btn-xlarge btn-danger" onclick="document.getElementById('loginform').submit()" target="_blank">登&nbsp;&nbsp;錄</a>
	</div>
</form>

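Logout

        Add the following to the http element in spring-security.xml:  <logout/>

        With this configuration in place, the logout URL /logout is generated automatically. If you do not want to use this URL, you can define the logout URL and the page to redirect to, as follows:  <logout logout-url="" logout-success-url=""/>

        logout-url: the logout URL, which is generated automatically

        logout-success-url: the URL to redirect to after logout

Update the logout link on the page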

<div class="pull-right">
      <a href="../logout" class="btn btn-default btn-flat">註銷</a>
</div>

Spring Security built-in filters

Alias                         Filter class
CHANNEL_FILTER                ChannelProcessingFilter
SECURITY_CONTEXT_FILTER       SecurityContextPersistenceFilter
CONCURRENT_SESSION_FILTER     ConcurrentSessionFilter
LOGOUT_FILTER                 LogoutFilter
X509_FILTER                   X509AuthenticationFilter
PRE_AUTH_FILTER               Subclasses of AbstractPreAuthenticatedProcessingFilter
CAS_FILTER                    CasAuthenticationFilter
FORM_LOGIN_FILTER             UsernamePasswordAuthenticationFilter
BASIC_AUTH_FILTER             BasicAuthenticationFilter
SERVLET_API_SUPPORT_FILTER    SecurityContextHolderAwareRequestFilter
JAAS_API_SUPPORT_FILTER       JaasApiIntegrationFilter
REMEMBER_ME_FILTER            RememberMeAuthenticationFilter
ANONYMOUS_FILTER              AnonymousAuthenticationFilter
SESSION_MANAGEMENT_FILTER     SessionManagementFilter
EXCEPTION_TRANSLATION_FILTER  ExceptionTranslationFilter
FILTER_SECURITY_INTERCEPTOR   FilterSecurityInterceptor
SWITCH_USER_FILTER            SwitchUserFilter