手把手教你整合maven+spring專案(3)
阿新 • • 發佈:2018-12-14
在上一篇部落格裡我們講解了如何用maven專案整合Springmvc,今天我們將圍繞Spring Security 來介紹,Spring Security 提供了基於javaEE的企業應用軟體全面的安全服務,如果你的專案對於安全和訪問要求比較高,強烈輕易你在專案中使用Spring Security模組,這裡是Spring Security的中文官網介紹https://springcloud.cc/spring-security-zhcn.html,下面我們就通過一個登入登出功能來揭開Spring Security的面紗,專案程式碼在上一篇部落格的基礎上實現。
第一步:修改pom.xml配置新增Spring Security所需要的核心jar包spring-security-web和spring-security-config,這裡博主使用的是3.2.3的版本號。
配置好pom.xml後,儲存修改,然後在src/main/resources目錄下新增spring-security.xml,具體配置如下<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.zds</groupId> <artifactId>MavenDemo</artifactId> <version>0.0.1-SNAPSHOT</version> <packaging>war</packaging> <name>MavenDemo Maven Webapp</name> <url>http://maven.apache.org</url> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <maven.compiler.source>1.7</maven.compiler.source> <maven.compiler.target>1.7</maven.compiler.target> </properties> <dependencies> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>4.11</version> <scope>test</scope> </dependency> <dependency> <groupId>javax</groupId> <artifactId>javaee-api</artifactId> <version>7.0</version> <scope>provided</scope> </dependency> <dependency> <groupId>jstl</groupId> <artifactId>jstl</artifactId> <version>1.2</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>4.1.6.RELEASE</version> <type>jar</type> <scope>compile</scope> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-core</artifactId> <version>4.1.6.RELEASE</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-context</artifactId> <version>4.1.6.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>3.2.3.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>3.2.3.RELEASE</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-tx</artifactId> <version>4.1.6.RELEASE</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-jdbc</artifactId> <version>4.1.6.RELEASE</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-context-support</artifactId> <version>4.1.6.RELEASE</version> </dependency> <dependency> <groupId>log4j</groupId> <artifactId>log4j</artifactId> <version>1.2.15</version> <exclusions> <exclusion> <groupId>javax.jms</groupId> <artifactId>jms</artifactId> </exclusion> <exclusion> <groupId>com.sun.jdmk</groupId> <artifactId>jmxtools</artifactId> </exclusion> <exclusion> <groupId>com.sun.jmx</groupId> <artifactId>jmxri</artifactId> </exclusion> </exclusions> </dependency> </dependencies> </project>
簡單的介紹一下,Login-page對應的是後臺的登陸方法,default-target-url對應的是登陸成功後跳轉的地方,authentication-falure-url對應的事登陸失敗(如賬號或密碼錯誤)後跳轉的地方。然後我們就可以修改Index.jsp,新增一個跳轉向登陸頁面的超連結(當然Index頁面可有可無,這裡為了利用之前寫好的index頁面),具體程式碼如下:<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd"> <http auto-config="true"> <!--只用user和amdin角色才可訪問/view --> <intercept-url pattern="/view**" access="ROLE_USER,ROLE_ADMIN" /> <!--只用user和amdin角色才可訪問/welcome --> <intercept-url pattern="/welcome**" access="ROLE_USER,ROLE_ADMIN" /> <!--default-target-url表示登入成功後自動跳轉的頁面 --> <form-login login-page="/login" default-target-url="/welcome" authentication-failure-url="/login?error" username-parameter="username" password-parameter="password" /> <!-- enable csrf protection --> <csrf/> </http> <!--為了方便這裡直接用xml配置使用者資訊,也可用java程式碼實現該功能 --> <authentication-manager> <authentication-provider> <user-service> <user name="user1" password="123456" authorities="ROLE_USER" /> <user name="admin" password="123456" authorities="ROLE_ADMIN" /> </user-service> </authentication-provider> </authentication-manager> </beans:beans>
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<a href="login" >點選登入賬號</a>
this is mavendemo 第一天
</body>
</html>
然後我們需要在後臺的LoginController.java裡新增對應的login方法來跳轉到login.jsp,
@RequestMapping(value = "/login", method = RequestMethod.GET)
public ModelAndView login(
@RequestParam(value = "error", required = false) String error,
@RequestParam(value = "logout", required = false) String logout) {
ModelAndView model = new ModelAndView();
if (error != null) {
model.addObject("error", "賬號或密碼錯誤");
}
if (logout != null) {
model.addObject("msg", "你已經成功地登出了");
}
model.addObject("title", "Spring Security Hello World");
model.addObject("message", "This is login page!");
model.setViewName("login");
return model;
}
新增完畢後,需要在WEB-INF的jsp資料夾下新建一個login.jsp,用來顯示登陸表單,具體程式碼如下:
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>${title}</title>
<style>
.error {
padding: 15px;
margin-bottom: 20px;
border: 1px solid transparent;
border-radius: 4px;
color: #a94442;
background-color: #f2dede;
border-color: #ebccd1;
}
.msg {
padding: 15px;
margin-bottom: 20px;
border: 1px solid transparent;
border-radius: 4px;
color: #31708f;
background-color: #d9edf7;
border-color: #bce8f1;
}
#login-box {
width: 300px;
padding: 20px;
margin: 100px auto;
background: #fff;
-webkit-border-radius: 2px;
-moz-border-radius: 2px;
border: 1px solid #000;
}
</style>
</head>
<body onload='document.loginForm.username.focus();'>
<div id="login-box">
<h2>Login with Username and Password</h2>
<c:if test="${not empty error}">
<div class="error">${error}</div>
</c:if>
<c:if test="${not empty msg}">
<div class="msg">${msg}</div>
</c:if>
<form name='loginForm'
action="<c:url value='j_spring_security_check' />" method='POST'>
<table>
<tr>
<td>賬號:</td>
<td><input type='text' name='username' value=''></td>
</tr>
<tr>
<td>密碼:</td>
<td><input type='password' name='password' /></td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit"
value="登陸" /></td>
</tr>
</table>
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
</form>
</div>
</body>
</html>
輸入登陸資訊後,spring security用對輸入的賬號和密碼對之前spring-security.xml裡所配置的使用者資訊進行匹配,如果賬號和密碼都對,則跳轉到xml裡default-target-url對應的請求,如果失敗,則跳轉到authentication-failure-url對應的請求,當然xml裡的使用者資訊我們也可以從資料庫中獲取,具體的java實現方式我們將在下一篇部落格裡介紹。登陸成功後請求轉發到了/welcome,所以我們需要在LoginController.java裡新增welcome方法:
@RequestMapping("/welcome")
public ModelAndView demo(HttpServletRequest request){
ModelAndView mav = new ModelAndView();
String contextPath = request.getContextPath();
mav.addObject("contextPath" , contextPath);
mav.addObject("title", "Spring Security Hello World");
mav.addObject("message", "This is welcome page!");
mav.setViewName("welcome");
return mav;
}
然後在WEB-INF的jsp資料夾下新建一個welcome.jsp,具體程式碼如下:
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h1>標題: ${title}</h1>
<h1>訊息 : ${message}</h1>
<c:if test="${pageContext.request.userPrincipal.name != null}">
<h2>
Welcome : ${pageContext.request.userPrincipal.name} | <a
href="logout"> Logout登出</a>
</h2>
</c:if>
<div align="right">
<a href="view?path=demo" >點選檢視圖片</a>
</div>
</body>
<script>
</script>
</html>
pageContext.request.userPrincipal.name表示登陸使用者的名字,之前index.jsp裡的檢視圖片功能我們放在了welcome.jsp裡,這就實現了對資源的保護,不登入不能訪問這些資源,最後就是登出功能,對應的是LoginController.java裡的logout方法,具體程式碼如下:
@RequestMapping(value="/logout", method = RequestMethod.GET)
public String logoutPage (HttpServletRequest request, HttpServletResponse response) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null){
new SecurityContextLogoutHandler().logout(request, response, auth);
}
return "redirect:/login?logout";
}
這是比較符合spring規範的登出操作,登出呼叫執行以下操作:
- HTTP的會話失效,那麼解除繫結到它的任何物件;
- 將刪除 SecurityContext 的身份驗證,以防止併發請求的問題;
- 顯式地清除當前執行緒上下文值;
package com.zds.controller;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;
@Controller
public class LoginController {
@RequestMapping("/view")
public ModelAndView view(HttpServletRequest request){
//獲取請求中的path引數
String path = request.getParameter("path") + "";
//新建檢視變數
ModelAndView mav = new ModelAndView();
//獲取web專案的根路徑,方便我們取到Img下的圖片
String contextPath = request.getContextPath();
//儲存路徑到記憶體中
mav.addObject("contextPath" , contextPath);
//設定跳轉的頁面名稱
mav.setViewName(path);
return mav;
}
@RequestMapping(value = "/login", method = RequestMethod.GET)
public ModelAndView login(
@RequestParam(value = "error", required = false) String error,
@RequestParam(value = "logout", required = false) String logout) {
ModelAndView model = new ModelAndView();
if (error != null) {
model.addObject("error", "賬號或密碼錯誤");
}
if (logout != null) {
model.addObject("msg", "你已經成功地登出了");
}
model.addObject("title", "Spring Security Hello World");
model.addObject("message", "This is login page!");
model.setViewName("login");
return model;
}
@RequestMapping("/welcome")
public ModelAndView demo(HttpServletRequest request){
ModelAndView mav = new ModelAndView();
String contextPath = request.getContextPath();
mav.addObject("contextPath" , contextPath);
mav.addObject("title", "Spring Security Hello World");
mav.addObject("message", "This is welcome page!");
mav.setViewName("welcome");
return mav;
}
@RequestMapping(value="/logout", method = RequestMethod.GET)
public String logoutPage (HttpServletRequest request, HttpServletResponse response) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null){
new SecurityContextLogoutHandler().logout(request, response, auth);
}
return "redirect:/login?logout";
}
}
第二步:啟動tomcat執行專案,瀏覽器輸入http://localhost:8080/MavenDemo/顯示頁面如下
點選登陸賬號,跳轉頁面如下:
登陸成功後welcome頁面如下:
點選登出(即退出登陸)顯示頁面如下: