Principles and tutorials of spring security

Source: Internet
Author: User

Ways of using Spring Security:

How do you use Spring Security? A quick Baidu search will tell you that there are four approaches in total, from simple to advanced:

1. No database: all the data is written in the configuration file. This is also the demo in the official documentation.
2. Use a database whose design follows Spring Security's default implementation code. In other words, the database schema is fixed, so this approach is inflexible; the schema is also crude, so it is not very practical.
3. Unlike Acegi, Spring Security does not allow the default filters to be modified, but it does support inserting filters. We can therefore insert our own filters and use the framework flexibly.
4. The brute-force approach: modify the source code. Modifying the default filters, as mentioned above, only changes the configuration file to replace a filter, whereas this approach changes the source code directly. It does not comply with OO design principles, is impractical, and is not usable.

Intended readers:

This article introduces the third approach, so readers are expected to have basic knowledge of Spring Security. If you do not, that is fine: read through this tutorial anyway, and afterwards you will be able to develop with the second approach.

A simple overview of how Spring Security works:

Spring Security uses a large number of interceptors to intercept URLs and thereby manage permissions. I cannot go through that many interceptors one by one, so I will focus on the two core flows. First, permission management is inseparable from login verification, so the login verification interceptor AuthenticationProcessingFilter has to be covered. Second, there is the management of access to resources, so the resource management interceptor AbstractSecurityInterceptor has to be covered. The interceptors need some components to do their work, so supporting components such as AuthenticationManager and AccessDecisionManager are covered as well. Now let us walk roughly through the whole flow.
When a user logs in, the request is intercepted by AuthenticationProcessingFilter, which calls the implementation of AuthenticationManager. AuthenticationManager in turn calls ProviderManager to obtain the user's authentication information (different providers call different services, because the information may be in a database, on an LDAP server, in an XML configuration file, and so on). If authentication succeeds, the user's permission information is stored in Spring's global cache, SecurityContextHolder, for later use when resources are accessed.

When a URL is accessed, the request is intercepted by AbstractSecurityInterceptor, which calls a method of FilterInvocationSecurityMetadataSource to obtain all the permissions required for the intercepted URL. It then calls the authorization manager, AccessDecisionManager. The authorization manager obtains the user's permission information from Spring's global cache SecurityContextHolder, together with the intercepted URL and all the permissions that URL requires, and then decides according to the configured policy (one vote passes, one vote vetoes, or the minority yields to the majority). If the permissions are sufficient, it returns; if they are insufficient, an error is raised and the insufficient-permission page is shown.

This may look complicated and leave readers a little dizzy, but don't worry: the actual code is explained below. Read the code implementation and then come back to this overview, and you should get a lot more out of it.
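As an added illustration (not code from the original tutorial), here is one way to write the "one vote passes" decision step described above against the Spring Security 3.1 AccessDecisionManager interface. The class name and the sample user and URL attributes in main are assumptions constructed for the example; it needs spring-security-core on the classpath.

```java
import java.util.Collection;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Hypothetical class: "one vote passes", i.e. any single matching authority grants access.
public class AnyRoleAccessDecisionManager implements AccessDecisionManager {

    // authentication: the user the interceptor took from SecurityContextHolder
    // required: the attributes the metadata source returned for the intercepted URL
    public void decide(Authentication authentication, Object securedObject,
                       Collection<ConfigAttribute> required) {
        if (authentication != null && required != null) {
            for (ConfigAttribute needed : required) {
                for (GrantedAuthority held : authentication.getAuthorities()) {
                    if (needed.getAttribute() != null
                            && needed.getAttribute().equals(held.getAuthority())) {
                        return; // returning normally means "access granted"
                    }
                }
            }
        }
        // Fail closed: anything not explicitly matched is denied.
        throw new AccessDeniedException("insufficient permission");
    }

    public boolean supports(ConfigAttribute attribute) { return true; }

    public boolean supports(Class<?> clazz) { return true; }

    // Constructed sample: a ROLE_USER principal checked against two sets of required
    // attributes. At runtime the secured object is a FilterInvocation, not a String.
    public static void main(String[] args) {
        AccessDecisionManager adm = new AnyRoleAccessDecisionManager();
        Authentication user = new UsernamePasswordAuthenticationToken(
                "user", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        adm.decide(user, "/other.jsp", SecurityConfig.createList("ROLE_USER", "ROLE_ADMIN"));
        System.out.println("/other.jsp: granted");
        try {
            adm.decide(user, "/admin.jsp", SecurityConfig.createList("ROLE_ADMIN"));
        } catch (AccessDeniedException e) {
            System.out.println("/admin.jsp: denied (" + e.getMessage() + ")");
        }
    }
}
```

AbstractSecurityInterceptor only calls decide when the metadata source returned attributes for the URL, so URLs missing from the metadata source are not checked by this class unless rejectPublicInvocations is enabled on the interceptor.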
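Spring Security implementation (based on Spring Security 3.1.4):

The Java EE entry point, web.xml:

    <web-app>
      <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:securityConfig.xml</param-value>
      </context-param>

      <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>

      <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>

      <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
      </welcome-file-list>
    </web-app>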

Nothing more needs to be said about the configuration above. On to the Spring Security configuration file, securityConfig.xml:
 
   
  
  
  
 

index.jsp:

    <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
    <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>
    My JSP 'index.jsp' starting page
    Welcome !
    Enter admin page to go to other pages

admin.jsp:

    <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
    My JSP 'admin.jsp' starting page
    Welcome to the Administrator page.

AccessDenied.jsp:

    <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
    My JSP 'admin.jsp' starting page
    Welcome to the Administrator page.

other.jsp:

    <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
    <%
    String path = request.getContextPath();
    String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + path + "/";
    %>
    My JSP 'other.jsp' starting page
    Here is the Other page


Project diagram:
The source code and the jar packages are all in this tutorial. Why not provide them directly? The author's goal is to have readers type out the code along with the tutorial so that it leaves a deep impression (I believe everyone in this line of work knows how big the difference is between reading a piece of code and typing it out), so I make no apology for forcing everyone to do so. I am often on CSDN blogs, so I will do my best to answer any questions from readers who do not understand something (or to take advice).
When reprinting, please cite this article's link: http://blog.csdn.net/u012367513/article/details/38866465
