乐趣区

SpringSecurity01使用传统的xml方式开发且不连接数据库

1. 创建一个 web 工程
2. 在 pom 里面添加依赖,依赖不要随便改, 我改了出错了好几次都找不到原因

<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>1.7</maven.compiler.source>
    <maven.compiler.target>1.7</maven.compiler.target>
    <jacksonVersion>2.5.0</jacksonVersion>
    <jstlVersion>1.2</jstlVersion>
    <servletVersion>3.0-alpha-1</servletVersion>
  </properties>
  <dependencies>
    <!--spring-->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>4.3.13.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
      <version>4.3.13.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context</artifactId>
      <version>4.3.13.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
      <version>4.3.13.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>4.3.13.RELEASE</version>
    </dependency>
    <!--security-->
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>4.2.3.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-web</artifactId>
      <version>4.2.3.RELEASE</version>
    </dependency>

    <!--jackson-->
    <!-- Jackson 可以轻松的将 Java 对象转换成 json 对象和 xml 文档, 同样也可以将 json、xml 转换成 Java 对象 -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
      <version>${jacksonVersion}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-annotations</artifactId>
      <version>${jacksonVersion}</version>
    </dependency>

    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jacksonVersion}</version>
    </dependency>
    <dependency>
      <groupId>org.codehaus.jackson</groupId>
      <artifactId>jackson-mapper-asl</artifactId>
      <version>1.9.13</version>
    </dependency>
    <dependency>
      <groupId>org.codehaus.jackson</groupId>
      <artifactId>jackson-core-asl</artifactId>
      <version>1.9.13</version>
    </dependency>

    <!--servlet 和 jstl-->
    <dependency>
      <groupId>jstl</groupId>
      <artifactId>jstl</artifactId>
      <version>${jstlVersion}</version>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>${servletVersion}</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>javax.servlet.jsp</groupId>
      <artifactId>jsp-api</artifactId>
      <version>2.2</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>

3. 配置 web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         id="WebApp_ID" version="3.1">
  <display-name>user-manager</display-name>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- 加载 Spring 的配置文件到上下文中去 -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      classpath:applicationContext.xml
      classpath:springSecurity.xml
    </param-value>
  </context-param>
  <!-- Spring 监听器 -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>



  <!--springSecurity 的过滤器链 -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- 字符集过滤 -->
  <filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
      <param-name>encoding</param-name>
      <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
      <param-name>forceEncoding</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- 以下是 Spring MVC 的相关配置 -->
  <servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <!-- 此处指向的的是 SpringMVC 的配置文件 -->
      <param-value>classpath:springmvc.xml</param-value>
    </init-param>
    <!-- 配置容器在启动的时候就加载这个 servlet 并实例化 -->
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <!-- Spring MVC 的配置结束 -->
</web-app>

4. 配置 applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc.xsd">
</beans>

5. 配置 springmvc.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">
    <!-- 此文件负责整个 mvc 中的配置 -->
    <!-- 启用 spring 的一些 annotation 这里是个大坑 -->

    <!-- SpringMVC 注解驱动 -->
    <mvc:annotation-driven>
        <!-- 用来处理 json 数据返回乱码的问题 -->
        <mvc:message-converters>
            <bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter"/>
            <bean class="org.springframework.http.converter.StringHttpMessageConverter">
                <property name="supportedMediaTypes">
                    <list>
                        <value>text/plain;charset=utf-8</value>
                        <value>text/html;charset=UTF-8</value>
                    </list>
                </property>
            </bean>
        </mvc:message-converters>
    </mvc:annotation-driven>
    <!-- 静态资源处理 -->
    <mvc:default-servlet-handler />



    <!-- 自动扫描且只扫描 @Controller -->
    <context:component-scan base-package="com.ty"
                            use-default-filters="false">
        <context:include-filter type="annotation"
                                expression="org.springframework.stereotype.Controller" />
        <context:include-filter type="annotation"
                                expression="org.springframework.web.bind.annotation.ControllerAdvice" />
    </context:component-scan>
    <!-- 静态资源映射 -->
    <!-- 本项目把静态资源放在了 webapp 的 statics 目录下,资源映射如下 -->
    <!--<mvc:resources mapping="/css/**" location="/css/"/>-->
    <!--<mvc:resources mapping="/js/**" location="/js/"/>-->
    <!--<mvc:resources mapping="/image/**" location="/images/"/>-->
    <!-- 对模型视图名称的解析,即在模型视图名称添加前后缀(如果最后一个还是表示文件夹, 则最后的斜杠不要漏了) 使用 JSP-->
    <!-- 默认的视图解析器 在上边的解析错误时使用 (默认使用 html)- -->
    <bean id="defaultViewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
        <property name="prefix" value="/WEB-INF/view/"/><!-- 设置 JSP 文件的目录位置 -->
        <property name="suffix" value=".jsp"/>
        <property name="exposeContextBeansAsAttributes" value="true"/>
    </bean>

</beans>

6. 配置 springSecurity.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.2.xsd">
    <!--  <security:http>: 对 web.xml 中 spring 过滤器链的配置:web.xml 里面的过滤器接受到请求, 就会根据这个配置去过滤
    1)需要拦截什么资源
    2)什么资源什么角色权限
    3)定义认证方式:HttpBasic,FormLogin
    4)定义登陆页面,定义登陆请求地址, 定义错误处理方式

    用于授权
    -->
    <security:http>
        <!-- 使用 httpbasic 的方式进行登陆, 这个登陆一次之后以后都不需要在登录, 服务器重启也是一样的 -->
        <!--<security:http-basic/>-->

        <!--permitAll()允许所有人进行访问
        isAnonymous(): 只有匿名用户才能进行访问, 登陆了的用户不能访问
        hasRole('ROLE_USER'): 要有 ROLE_USER 这个角色才能访问前面的资源
        注意, 把要放行的请求放在前面, 不然会出错
        -->
        <security:intercept-url pattern="/userLogin" access="permitAll()"></security:intercept-url>
        <security:intercept-url pattern="/product/index" access="permitAll()"></security:intercept-url>
        <security:intercept-url pattern="/product/add" access="hasRole('ROLE_USER')"></security:intercept-url>
        <security:intercept-url pattern="/product/update" access="hasRole('ROLE_USER')"></security:intercept-url>
        <security:intercept-url pattern="/product/list" access="hasRole('ROLE_ADMIN')"></security:intercept-url>
        <security:intercept-url pattern="/product/delete" access="hasRole('ROLE_ADMIN')"></security:intercept-url>
        <!-- 所有资源需要被认证才能访问 -->
        <security:intercept-url pattern="/**" access="isAuthenticated()"></security:intercept-url>
        <!-- 表单登陆,login-page 自定义登陆页面,login-processing-url: 登陆处理的地址, 要和表单填的 action 一致

        -->
        <security:form-login login-page="/userLogin" login-processing-url="/securityLogin"
                             authentication-success-handler-ref="myAuthenticationSuccessHandler" authentication-failure-handler-ref="myAuthenticationFailureHandler"/>


        <!-- 自定义权限不足处理 -->
        <security:access-denied-handler error-page="/error"></security:access-denied-handler>

        <!-- 关闭 csrf 的机制 -->
        <security:csrf disabled="true"></security:csrf>
        <!-- 拦截路径的 url
        pattern: 需要拦截的资源
        access: 访问资源的条件
        -->
    </security:http>

    <!--security:authentication-manager:认证管理器
    1)认证信息(可以定义初始的用户的账户名, 密码, 当前用户权限, 也可以在数据库进行查询)

    -->
    <security:authentication-manager>
          <!-- 这里才会动态的获取用户名, 密码和权限 -->
        <security:authentication-provider user-service-ref="myUserDetailService">
              <!-- 这里是初始化写死了的用户名, 密码, 角色 -->
            <!--<security:user-service>-->
            <!--<security:user name="jojo" password="123456" authorities="ROLE_USER"></security:user>-->
            <!--<security:user name="jack" password="123456" authorities="ROLE_ADMIN"></security:user>-->
            <!--</security:user-service>-->
        </security:authentication-provider>

    </security:authentication-manager>

    <bean id="myAuthenticationFailureHandler" class="com.ty.security.MyAuthenticationFailureHandler"></bean>
    <bean id="myAuthenticationSuccessHandler" class="com.ty.security.MyAuthenticationSuccessHandler"></bean>

    <!-- 这个类里面运用了数据库动态获取了用户的角色 -->
    <bean id="myUserDetailService" class="com.ty.security.MyUserDetailService"></bean>
</beans>

7. 自定义成功处理的拦截器 MyAuthenticationSuccessHandler

public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {private  final  static ObjectMapper objectMapper=new ObjectMapper();
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        // 这里是可以拿到用户对的登录名的
        String username = request.getParameter("username");
        System.out.println(username);
        response.setContentType("application/json;charset=utf-8");
        String successMessage = objectMapper.writeValueAsString(new JsonData(200, "登陆成功"));
        response.getWriter().print(successMessage);
    }
}

自定义失败处理器的拦截器

public class MyAuthenticationFailureHandler implements AuthenticationFailureHandler{private  final  static ObjectMapper objectMapper=new ObjectMapper();
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
        // 这里是可以拿到用户对的登录名的
        String username = request.getParameter("username");
        System.out.println(username);
        response.setContentType("application/json;charset=utf-8");
        String failureMessage = objectMapper.writeValueAsString(new JsonData(500, "登陆失败"));
        response.getWriter().print(failureMessage);
    }
}

自定义的 authentication-provider 下面的 user-service
定义一个类, 这个实现类就是用于封装数据库里面的用户的信息然后返回给 springsecurity, 它会比较从
表单穿过来的用户名和密码和数据库查出来的用户名和密码进行比对,这里写死,以后再加数据库

public class MyUserDetailService implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        //UserDetails:封装用户数据的接口, 这里应该是数据库查询出来的数据, 当返回这个 user 对象时,springsecurity 会把输入的用户名和密码和这个对象里面的用户名和密码进行比对
        // 成功则认证通过, 失败则登陆失败
        User user=new User("jojo","123456", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
        return user;
    }
}

创建这个目录结构

示范

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title> 商品添加页面 </title>
</head>
<body>
商品添加页面
</body>
</html>

其它页面一样
index.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title> 首页 </title>
</head>
<body>
一下是网站的功能
<a href="/product/add"> 商品添加 </a>
<a href="/product/update"> 商品修改 </a>
<a href="/product/list"> 商品查询 </a>
<a href="/product/delete"> 商品删除 </a>
</body>
</html>

login.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title> 登录页面 </title>
</head>
<body>
<form  action="${pageContext.request.contextPath}/securityLogin" method="post">
 用户名:<input type="text" name="username"><br>
 密 &ensp; 码:<input type="password" name="password"><br>
    <input type="submit" value="登录">
</form>
</body>
</html>

errorPage.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title> 自定义错误页面 </title>
</head>
<body>
权限不足, 请正确操作
</body>
</html>

controller

@Controller
public class MainController {
    /**
     *
     * @return 登录页面
     */
    @RequestMapping("/userLogin")
    public String loginPage()
    {return "login";}

    /**
     *
     * @return 登录页面
     */
    @RequestMapping("/error")
    public String errorPage()
    {return "errorPage";}
}
@Controller
@RequestMapping("product")
public class ProductController {


    /**
     * 商品添加
     */
    @RequestMapping("index")
    public String index()
    {return "index";}
    /**
     * 商品添加
     */
    @RequestMapping("add")
    public String add()
    {return "product/productAdd";}

    /**
     * 商品修改
     */
    @RequestMapping("update")
    public String update()
    {return "product/productUpdate";}
    /**
     * 商品列表
     */
    @RequestMapping("list")
    public String list()
    {return "product/productList";}
    /**
     * 商品删除
     */
    @RequestMapping("delete")
    public String delete()
    {return "product/productDelete";}
}

创建一个返回给前台的包装类,用于返回 code 和 message

public class JsonData {

    private Integer code;

    private String message;


    public JsonData() {}


    public JsonData(Integer code, String message) {
        this.code = code;
        this.message = message;
    }

    public Integer getCode() {return code;}

    public void setCode(Integer code) {this.code = code;}

    public String getMessage() {return message;}

    public void setMessage(String message) {this.message = message;}
}
退出移动版