ssm整合sceurity-基础用法之sceurity基本配置介绍 - 编程 | 南风知我意 = JAVA = soul Blog

# 认证方式

httpbasic 在请求受保护资源时，会弹出一个认证窗口，提供登录。

1
2
3

<security:http>
    <security:http-basic/>
</security:http>

FormLogin 在请求受保护资源时，会跳转登录界面

<security:http>
    <security:form-login />
</security:http>

# 解决 csrf 问题

1	<security:csrf disabled="true"/>

# 拦截方式

pattern需 要 拦 截 资 源
access:拦 截 方 式
isFullyAuthenticated():
该 资 源 需 要 认 证 才 可 以 访 问
isAnonymous(): 只 有 匿 名 用 户 才 可 以 访 问 （ 如 果 登 录 用 户 就 无 法 访 问 ）
permitAll(): 允 许 所 有 人 （ 匿 名 和 登 录 用 户 ） 方 法

示例:

1 2	<security:intercept-url pattern="/product/index" access="permitAll()"/>

# 自定义登录请求与登录界面

<security:form-login 
        //登录页面地址
        login-page="/login"
        //登录地址
        login-processing-url="/securityLogin"/>

# 认证管理器

   <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
<!--                name：用户名     password：密码    authorities：权限-->
                <security:user name="eric" password="123456" authorities="ROLE_USER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

# user-service 配置实现用户权限访问控制

1	<security:intercept-url pattern="/product/add " access="hasRole('ROLE_ADMIN')"/>

# 自定义 UserDetailService 类实现用户权限访问控制

public class MyUserDetailService  implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        User user=new User("medua","123456", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_ADMIN,ROLE_USER"));
        return user;
    }
}

<security:authentication-manager>
    <security:authentication-provider user-service-ref="myUserDetailService">
    </security:authentication-provider>
</security:authentication-manager>
<bean id="myUserDetailService" class="red.bury.security.MyUserDetailService"></bean>

# 自定义权限不足界面

1 2	<security:access-denied-handler error-page="/error"/>

# 自定义登录成功与失败处理逻辑

关键点：
1）登录成功处理：AuthenticationSuccessHandler
2）登录失败处理：AuthenticationFailureHandle

public class MyAuthenticationSuccessHandler   implements AuthenticationSuccessHandler {
//    jackson框架的工具类
   private ObjectMapper objectMapper = new ObjectMapper();
    @Override
    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        Map result=new HashMap();
        result.put("success",true);
        String json=objectMapper.writeValueAsString(result);
        httpServletResponse.setContentType("text/json;charset=utf08");
        httpServletResponse.getWriter().write(json);
    }
}

public class MyAuthenticationSuccessHandler   implements AuthenticationSuccessHandler {
//    jackson框架的工具类
   private ObjectMapper objectMapper = new ObjectMapper();
    @Override
    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        Map result=new HashMap();
        result.put("success",true);
        String json=objectMapper.writeValueAsString(result);
        httpServletResponse.setContentType("text/json;charset=utf08");
        httpServletResponse.getWriter().write(json);
    }
}

<security:http>
    <security:form-login authentication-success-handler-ref="myAuthenticationSuccessHandler"
                         authentication-failure-handler-ref="myAuthenticationFailureHandler"/>
</security:http>
<security:authentication-manager>
    <security:authentication-provider user-service-ref="myUserDetailService">
    </security:authentication-provider>
</security:authentication-manager>
<bean id="myUserDetailService" class="red.bury.security.MyUserDetailService"></bean>
<bean id="myAuthenticationSuccessHandler" class="red.bury.security.MyAuthenticationSuccessHandler"></bean>
<bean id="myAuthenticationFailureHandler" class="red.bury.security.MyAuthenticationFailureHandler"></bean>

# 开启 security 注解配置

1 2	<security:global-method-security secured-annotations="enabled"></security:global-method-security>

使用方法

@RequestMapping("/add")
@Secured("ROLE_ADD_PRODUCT")
public String add(){
    return "product/productadd";
}
@RequestMapping("/update")
@Secured("ROLE_UPDATE_PRODUCT")
public String update(){
    return "product/productupdate";
}
@RequestMapping("/delete")
@Secured("ROLE_DELETE_PRODUCT")
public String delete(){
    return "product/productdelete";
}
@RequestMapping("/list")
@Secured("ROLE_LIST_PRODUCT")
public String list(){
    return "product/productlist";
}

# 开启 pre-post-annotations 注解配置

1	<security:global-method-security pre-post-annotations="enabled"></security:global-method-security>

使用方法

@RequestMapping("/add")
@PreAuthorize("hasRole('ROLE_ADD_PRODUCT')")
public String add(){
    return "product/productadd";
}
@RequestMapping("/update")
@PreAuthorize("hasRole('ROLE_UPDATE_PRODUCT')")
public String update(){
    return "product/productupdate";
}
@RequestMapping("/delete")
@PreAuthorize("hasRole('ROLE_DELETE_PRODUCT')")
public String delete(){
    return "product/productdelete";
}
@RequestMapping("/list")
@PreAuthorize("hasRole('ROLE_LIST_PRODUCT')")
public String list(){
    return "product/productlist";
}

spring-sceurity