1:引入依赖包
<!-- spring-security-web: the servlet filter chain and web-layer authentication support. -->
<!-- NOTE(review): ${springVersion} is presumably the Spring Framework version property. -->
<!-- Spring Security is released on its own version line, so confirm this property -->
<!-- resolves to an existing, currently patched Spring Security release. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${springVersion}</version>
</dependency>
<!-- spring-security-config: the "security" XML namespace used in spring-security.xml. -->
<!-- Keep it on the same version as spring-security-web. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${springVersion}</version>
</dependency>
如果页面使用 JSP,还需要引入下面的标签库依赖:
<!-- spring-security-taglibs: JSP tags such as sec:authorize, sec:authentication and -->
<!-- sec:csrfInput. Only needed when the views are JSPs. -->
<!-- Keep it on the same version as the other Spring Security artifacts. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${springVersion}</version>
</dependency>
2:配置spring-security.xml
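<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           https://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Static resources and the login-failure page bypass the security filter chain.
         security="none" means no authentication, no CSRF check and no security context
         on these paths, so nothing sensitive may be served from them. -->
    <security:http pattern="/css/**" security="none"/>
    <security:http pattern="/img/**" security="none"/>
    <security:http pattern="/plugins/**" security="none"/>
    <security:http pattern="/fail.jsp" security="none"/>

    <!-- Main filter chain for every other request.
         auto-config="true" registers the default form-login, HTTP Basic and logout
         support; use-expressions="true" lets the access attributes use expressions. -->
    <security:http auto-config="true" use-expressions="true">
        <!-- Rules are evaluated top to bottom and the first match wins, so the login
             page must be listed before the catch-all pattern. -->
        <security:intercept-url pattern="/login.jsp" access="permitAll()"/>
        <!-- NOTE(review): only ROLE_USER is accepted here. The in-memory "admin" user
             below holds ROLE_ADMIN only and is therefore denied on every protected URL.
             Confirm that this is intended. -->
        <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />

        <security:form-login login-page="/login.jsp"
                             login-processing-url="/login"
                             default-target-url="/index.jsp"
                             authentication-failure-url="/fail.jsp" />
        <security:logout logout-url="/logout"
                         logout-success-url="/login.jsp"/>

        <!-- CSRF protection stays enabled, which is the default. The login form has to
             submit the CSRF token and /logout has to be requested with POST.
             The element below would switch the CSRF filter off; leave it commented out. -->
        <!-- <security:csrf disabled="true"/>-->
    </security:http>

    <!-- BCrypt encoder supplied by Spring Security. It is used by the accountService
         provider below, so the stored passwords must be BCrypt hashes. -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <!-- Providers are tried in the order they are declared. -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <!-- Spring Security expects encoded passwords by default; the {noop}
                     prefix (no operation) marks a value as stored in plain text.
                     These two accounts are demo credentials with guessable passwords:
                     remove this provider, or replace the values with encoded ones,
                     before the application is reachable by anyone else. -->
                <security:user name="user" password="{noop}user" authorities="ROLE_USER"/>
                <security:user name="admin" password="{noop}admin" authorities="ROLE_ADMIN"/>
            </security:user-service>
        </security:authentication-provider>
        <!-- Accounts loaded through the accountService bean, verified with BCrypt. -->
        <security:authentication-provider user-service-ref="accountService">
            <security:password-encoder ref="passwordEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>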
3:user-service-ref="accountService" 所引用的 bean 的实现
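/**
 * UserDetailsService registered as the "accountService" bean, which
 * spring-security.xml references through user-service-ref.
 * Accounts are looked up through the injected IAccountDao.
 */
@Service("accountService")
public class AccountServiceImpl implements UserDetailsService {

    @Autowired
    @Qualifier("accountDao")
    private IAccountDao accountDao;

    /**
     * Loads the account with the given login name and converts it into a
     * Spring Security {@link UserDetails}.
     *
     * @param s the login name submitted by the user
     * @return a User whose "enabled" flag is true only when the account status is 1;
     *         the expired and locked flags are always reported as fine
     * @throws UsernameNotFoundException when the DAO returns no account
     */
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        Account account = accountDao.fetchAccount1(s);
        if (account == null) {
            throw new UsernameNotFoundException("无帐户");
        }

        // Role names are passed through verbatim.
        // NOTE(review): the access rule in spring-security.xml checks for ROLE_USER,
        // so the stored names presumably already carry the ROLE_ prefix; confirm.
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (Role role : account.getAuthority()) {
            authorities.add(new SimpleGrantedAuthority(role.getName()));
        }

        // The account object is intentionally not written to stdout or to a log:
        // its string form may contain the stored password hash.
        return new User(
                account.getUsername(),
                account.getPassword(),
                account.getStatus() == 1, // enabled
                true,                     // accountNonExpired
                true,                     // credentialsNonExpired
                true,                     // accountNonLocked
                authorities);
    }
}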
4:spring-security.xml 在什么时候加载
<!-- web.xml fragment: files the root application context loads at startup. -->
<!-- spring-security.xml is listed explicitly so its beans end up in the root context. -->
<!-- NOTE(review): this only loads the bean definitions. Requests are protected only -->
<!-- when a DelegatingFilterProxy named springSecurityFilterChain is also mapped in -->
<!-- web.xml; that filter mapping is not shown on this page, so verify it exists. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml,classpath:spring-security.xml</param-value>
</context-param>
<!-- Creates the root application context from contextConfigLocation. -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
或者在 applicationContext.xml 里用 import 引入(与上面的 contextConfigLocation 方式二选一):
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/mvc https://www.springframework.org/schema/mvc/spring-mvc.xsd">
<!-- Root application context. The schemaLocation above also lists the mvc schema -->
<!-- although no mvc prefix is declared in this file. -->
<!-- Scan com.ppf for components but skip @Controller classes. -->
<!-- NOTE(review): controllers are presumably registered by a separate web context; confirm. -->
<context:component-scan base-package="com.ppf" >
<context:exclude-filter type="annotation" expression="org.springframework.stereotype.Controller"/>
</context:component-scan>
<!-- Pulls the security configuration into the root context. -->
<!-- Use this import or the contextConfigLocation entry in web.xml, not both; -->
<!-- with both, spring-security.xml would be read twice. -->
<import resource="spring-security.xml"/>
</beans>