SpringSecurity笔记2-SpringSecurity命名空间
? <beans:beans xmlns="http://www.springframework.org/schema/security"
???????? xmlns:beans="http://www.springframework.org/schema/beans"
???????? xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
???????? xsi:schemaLocation="http://www.springframework.org/schema/beans
???????? http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
???????? http://www.springframework.org/schema/security
???????? http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
???????? ...
??? </beans:beans>
??? 采用该命名空间:http://www.springframework.org/schema/security,系统类路径中需引入以下依赖:
??? <dependency>
????? ? ?? <groupId>org.springframework.security</groupId>
?????????? <artifactId>spring-security-core</artifactId>
?????????? <version>${spring.security.version}</version>
??? </dependency>
??? <dependency>
??????????? <groupId>org.springframework.security</groupId>
??????????? <artifactId>spring-security-config</artifactId>
??????????? <version>${spring.security.version}</version>
??? </dependency>
??? <dependency>
??????????? <groupId>org.springframework.security</groupId>
??????????? <artifactId>spring-security-web</artifactId>
??????????? <version>${spring.security.version}</version>
??? </dependency>
??? <dependency>
??????????? <groupId>org.springframework.security</groupId>
??????????? <artifactId>spring-security-taglibs</artifactId>
??????????? <version>${spring.security.version}</version>
??? </dependency>
1. 命名空间的配置
??? (1) web.xml
??? <filter>
??? ?????? <filter-name>springSecurityFilterChain</filter-name>
?????????? <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
??? </filter>
??? <filter-mapping>
?????????? <filter-name>springSecurityFilterChain</filter-name>
????????????????? <url-pattern>/*</url-pattern>
??????????? </filter-mapping>
??? </filter>
??? 通过这种方式提供了一个访问SpringSexurity底层的“钩子”。DelegatingFilterProxy是Spring框架的类,是
??? javax.servlet.Filter的一个实现,将安全处理的流程代理给了一个过滤器,该过滤器是Springs应用上下文中定义
??? 的一个SpringBean: springSecurityFilterChain,该Bean用于处理Web安全。
??? FilterChainProxy, 一个专一的过滤器,用于将多个过滤器组成一个连执行过滤功能;SpringSecurity中需要通过
??? 多个Filter来提供不同的功能,这些多个Filer就是用FilterChainProxy来组装的,只是具体的细节我们不需关注,
??? 只需要通过生命配置:<http>元素。
??? (2) http元素配置
??? <http auto-config='true'>
??????????? <intercept-url pattern="/**" access="ROLE_USER" />
??? </http>
??? 该配置等价与:
??? <http>
??????????? <form-login />
??????????? <http-basic />
??????????? <logout />
??????????? <intercept-url pattern="/**" access="ROLE_USER" />
???? </http>
???? 默认auto-config属性包括:
??? <http>
??????????? <form-login />
??????????? <http-basic />
??????????? <logout />
??? </http>
??? 该配置用于启用Web安全。Http元素将自动装配一个FilterChainProxy,所有的Fileter都在该FilterChainProxy
??? 中;根据该配置,应用程序中的所有URL被保护,需要角色:ROLE_USER去访问。此处可以配置多个intercept
??? -url元素,默认将根据配置的顺序启用过滤策略;同时可添加可给该元素添加method属性以限制特定的HTTP
??? Method(GET,POST,PUT)可以访问。
???
??? <authentication-manager>
?????????? <authentication-provider>
??????????????????? <user-service>
??????????????????????????? <user name="jimi" password="jimispassword" authorities="ROLE_USER,
????????????????????????????????????? ROLE_ADMIN" />
??????????????????????????? <user name="bob" password="bobspassword" authorities="ROLE_USER" />
??????????????????? </user-service>
?????????? </authentication-provider>
??? </authentication-manager>
??? 可以在authentication-manager元素下配置其他的authentication-provider,这些authentication-provider
??? 将会被轮流的处理或参考。
??? (3) 登录表单选项
??? 默认情况下,设置了auto-config='true'后,SpringSecurity将根据系统的配置自动生成一个LoginForm页面,同
??? 时命 名空间也提供了支持用户客制化定义登录页面的属性:
??? <http auto-config='true'>
????????????? <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
????????????? <intercept-url pattern="/**" access="ROLE_USER" />
????????????? <form-login login-page='/login.jsp'/>
??? </http>
??? 或配置成:
??? <http auto-config="true" use-expressions="false">
?????????? <form-login login-processing-url="/static/j_spring_security_check" login-page="/login"
????????????????? authentication-failure-url="/login?login_error=t"/>
??? </http>
??? 该配置中form-login覆盖了默认的配置,其中access="IS_AUTHENTICATED_ANONYMOUSLY"可被匿名用户
??? 访问; 根据当前的配置"pattern="/login.jsp*"与pattern="/**",这两个匹配模式拦截登录请求,将 在应用程
??? 序中引起一个无限的过滤循环,这是错误的配置。
??? <http auto-config='true'>
????????????? <intercept-url pattern="/css/**"? filters="none"/>
????????????? <intercept-url pattern="/login.jsp*"? filters="none"/>
????????????? <intercept-url pattern="/**" access="ROLE_USER" />
????????????? <form-login login-page='/login.jsp'/>
???? </http>
???? 通过制定filter="none"可避免这种现象,指定该属性后,访问的限制将被忽略。
???? 附件中包括SpringSecurity自动生成的Form Login和一个自定义的FormLogin: LoginForm.rar.
??? ?(4) 使用基本认证代替Form Login
??? ?<http auto-config='true'>
?????????????? <intercept-url pattern="/**" access="ROLE_USER" />
?????????????? <http-basic />
????? </http>
???? 这种情况下,当用户访问一个收保护的资源时,基本认证将优先启用,基于Form Login也将同时可用。
???? (5) 设置登出选项
???? <logout logout-url="/static/j_spring_security_logout"/>
??? ?(6) 设置登录后系统的主页
??? ?默认值为:"/"
??? ?<http>
???????????? <intercept-url pattern='/login.htm*' filters='none'/>
???????????? <intercept-url pattern='/**' access='ROLE_USER' />
???????????? <form-login login-page='/login.htm' default-target-url='/home.htm'
?????????????????????? always-use-default-target='true' />
???? </http>
2. 拦截请求
??? (1) 默认实现
??? <intercept-url pattern="/**" access="ROLE_SPITTER" />
??? 属性pattern默认采用Ant 模式匹配URL地址路径,若改变http元素的属性path-type=regex则将采用regular表
??? 达式;access属性指定访问该URL需要的角色。如:
??? <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
??? (2) Spring表达式实现
??? 需要首先在http元素中指定:use-expressions="true":
??? <http auto-config="true" use-expressions="true">
?????? ...
??? </http>
??? 与默认实现中等价配置:
??? <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
??? 如果当前用户被赋予了相应的角色,则hasRole()表达式将返回True, 认证通过。从SpringSecurity开始,已经提供
??? 了许多表达式,见附件:Spring Security extends the Spring Expression Language.zip
??? 例如,如果想指定一个URL地址只能被指定的角色和指定的IP地址访问,可以配置成这样:
??? <intercept-url pattern="/admin/**"
????????? access="hasRole('ROLE_ADMIN') and hasIpAddress('192.168.1.2')"/>
??? (3) 使用https
??? <intercept-url pattern="/spitter/form" requires-channel="https"/>
??? 需要指定属性:requires-channel="https", 如果不需要https支持,则:requires-channel="http".