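Spring Security 3.2
Recently a project needed to integrate Spring Security for access control. Before this I had only a passing familiarity with security management frameworks and had never actually used one, so I spent some time on this part. Brief notes follow.
Several important classes and methods
1. UsernamePasswordAuthenticationFilter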
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
}
2. AbstractUserDetailsAuthenticationProvider
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
}
3. UserDetailsService
UserDetails loadUserByUsername(String var1) throws UsernameNotFoundException;
4. UsernamePasswordAuthenticationToken
public UsernamePasswordAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
    super(authorities);
    this.principal = principal;
    this.credentials = credentials;
    super.setAuthenticated(true); // must use super, as we override
}
There are also two handlers, one for authentication success and one for authentication failure:
AuthenticationSuccessHandler
void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
        Authentication authentication) throws IOException, ServletException;
AuthenticationFailureHandler
void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
        AuthenticationException exception) throws IOException, ServletException;
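The project already had a CAPTCHA implemented, so UsernamePasswordAuthenticationFilter has to be overridden to add the CAPTCHA check inside it. Note that the name attributes of the submitted input tags must be j_username and j_password, and the form's action must be j_spring_security_check. These can of course be changed, by implementing AbstractAuthenticationProcessingFilter and overriding the relevant parts. Next comes the authenticate(Authentication authentication) method: implement AuthenticationProvider and verify the account and password inside authenticate. Finally, the more important piece is loadUserByUsername: implement UserDetailsService and return a UserDetails, which can be the framework's built-in User class or a custom entity class that implements UserDetails.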
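One way to add the CAPTCHA check described above, as an added example (not the original project's code). The class name, the captcha request parameter, the CAPTCHA_EXPECTED session key, the case-insensitive comparison and the CaptchaMismatchException type are assumptions, since the page does not show how the CAPTCHA is stored or submitted.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

public class CaptchaUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    // Assumed names: how the CAPTCHA answer is submitted and where it is stored.
    static final String CAPTCHA_PARAM = "captcha";
    static final String CAPTCHA_SESSION_KEY = "CAPTCHA_EXPECTED";

    /** Hypothetical exception type; as an AuthenticationException it reaches the failure handler. */
    public static class CaptchaMismatchException extends AuthenticationException {
        public CaptchaMismatchException(String msg) { super(msg); }
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        HttpSession session = request.getSession(false); // do not create a session just to fail
        String expected = null;
        if (session != null) {
            expected = (String) session.getAttribute(CAPTCHA_SESSION_KEY);
            // Single use: discard the stored answer before comparing, so one solved
            // CAPTCHA cannot be replayed across many password guesses.
            session.removeAttribute(CAPTCHA_SESSION_KEY);
        }
        String submitted = request.getParameter(CAPTCHA_PARAM);
        if (expected == null || submitted == null || !sameAnswer(expected, submitted)) {
            // Thrown before any credential check, so the provider is never reached.
            throw new CaptchaMismatchException("Captcha missing or incorrect");
        }
        // Reading j_username / j_password and building the token is inherited.
        return super.attemptAuthentication(request, response);
    }

    // Case-insensitive (an assumption) comparison via MessageDigest.isEqual.
    private static boolean sameAnswer(String expected, String submitted) {
        return MessageDigest.isEqual(normalize(expected), normalize(submitted));
    }

    private static byte[] normalize(String s) {
        return s.trim().toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
    }
}
```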
Addendum: the overridden filter, provider, userDetailsService and so on need to be added to the XML configuration file:
<!-- Entry point for unauthenticated requests -->
<beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/services/loginPage.html"></beans:property>
</beans:bean>
<beans:bean id="loginFilter" class="com.synjones.wechat.manageclient.authority.security.MyUsernamePasswordAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="filterProcessesUrl" value="/j_spring_security_check"></beans:property>
    <beans:property name="authenticationSuccessHandler" ref="myAuthenticationSuccessHandler"></beans:property>
    <beans:property name="authenticationFailureHandler" ref="myAuthenticationFailureHandler"></beans:property>
</beans:bean>
<beans:bean id="authenticationProvider"
    class="com.synjones.wechat.manageclient.authority.security.MyAuthenticationProvider">
    <beans:property name="userDetailsService" ref="myUserDetailService" />
</beans:bean>
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="authenticationProvider"/>
</authentication-manager>
<beans:bean id="myUserDetailService"
    class="com.synjones.wechat.manageclient.authority.security.MyUserDetailService">
</beans:bean>
<beans:bean id="myAuthenticationSuccessHandler"
    class="com.synjones.wechat.manageclient.authority.security.component.MyAuthenticationSuccessHandler">
</beans:bean>
<beans:bean id="myAuthenticationFailureHandler"
    class="com.synjones.wechat.manageclient.authority.security.component.MyAuthenticationFailureHandler">
</beans:bean>
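Second addendum: the project is not a Maven project, so here is the JAR download link: Spring Security 3.2.6. Note that the related dependency JARs need to be downloaded along with it.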