First we set up a spring configuration file specifically for spring security, which is designed to be used as the spring security configuration. With spring security we need to introduce spring security's namespace.
<beans xmlns="Http://www.springframework.org/schema/beans"
xmlns:security="Http://www.springframework.org/schema/security"
xmlns:xsi="Http://www.w3.org/2001/XMLSchema-instance"
xsi:schemalocation="Http://www.springframework.org/schema/beans
Http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
Http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd ">
</beans>
The introduction of the spring security namespace simplifies our development, which covers most of the features commonly used by spring security. Its design is based on a wide range of dependencies within the framework and can be divided into the following blocks.
With the introduction of spring Security's namespace, we can use the elements under that namespace to configure spring security. First we define an HTTP element, and security is just a prefix that we use with namespaces. HTTP elements are used to define web-related permission controls.
<security:http auto-config="true">
<security:intercept-url pattern="/**" access="Role_user"/>
</security:http>
As defined above, Intercept-url defines a rule for permission control. The Pattern property indicates which URLs we will have permission to control, or it can be a regular expression, as the above notation means that we will control all URLs, and the Access property indicates what permissions are required to request the corresponding URL. The default configuration should be a comma-delimited list of roles that the requesting user can successfully access by simply owning one of the roles. The "Role_user" here indicates that the requested user should have a role_user role. The "Role_" prefix is a token that prompts spring to use role-based checking.
With the rule of permission control, next we need to define a AuthenticationManager for authentication. Let's look at the following definition:
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="user" password="user" authorities="Role_user"/>
<security:user name="admin" password="admin" authorities="Role_user, role_admin"/ >
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
The Authentication-manager element specifies a authenticationmanager, It requires a authenticationprovider (corresponding to the Authentication-provider element) for true authentication, By default, Authentication-provider corresponds to a daoauthenticationprovider, It needs to userdetailsservice (corresponding to the user-service element) to get the user information userdetails (corresponding user element). Here we simply use the user element to define users, and the actual application of this information usually needs to be obtained from the database and other places, this will be placed in the next. We can see that through the user element we can specify the username, password, and the permissions that are owned by users. User-service also supports the use of the properties file to specify user information, such as:
<security:user-service properties="/web-inf/config/users.properties"/>
Where the properties file should follow the following format:
Username=password,grantedauthority[,grantedauthority][,enabled|disabled]
So, corresponding to the above configuration file, the contents of our Users.properties file should look like this:
#username =password,grantedauthority[,grantedauthority][,enabled|disabled]
User=user,role_user
Admin=admin,role_user,role_admin
At this point, the configuration of our spring Security configuration file is complete. The full configuration file will look like the following.
<beans xmlns="Http://www.springframework.org/schema/beans"
xmlns:security="Http://www.springframework.org/schema/security"
xmlns:xsi="Http://www.w3.org/2001/XMLSchema-instance"
xsi:schemalocation="Http://www.springframework.org/schema/beans
Http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
Http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd ">
<security:http auto-config="true">
<security:intercept-url pattern="/**" access="Role_user"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="user" password="user" authorities="Role_user"/>
<security:user name="admin" password="admin" authorities="Role_user, role_admin"/ >
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
We then tell spring to load the configuration file. In general, we can specify it as spring's initial configuration file in the Web. xml file via Context-param, or it can be introduced in the corresponding spring's initial configuration file. Here we use the former.
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/web-inf/config/applicationcontext.xml,/web-inf/config/spring-security.xml</param-value >
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
The spring configuration file is loaded and initialized with the corresponding Contextloaderlistener, and the Applicationcontext.xml file in the above code is the corresponding spring configuration file if it is not available without configuration. Next we need to define a filter in Web. XML to intercept requests that need to be submitted to the spring security process, but be aware that the filter must be defined before other interception requests such as SPRINGMVC. Here we will intercept all requests, as shown in the following example:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Next you can launch our app and then visit our homepage in the browser. You will see the following page.
Because all requests in our Spring-security.xml file are configured with "Role_user" permissions, when we request the home page, spring Security discovers that we are not logged in, and spring directs us to the login screen. After logging in with the correct user name and password (such as the User/user or admin/admin configured above), we can access the home page if the corresponding permissions are met, otherwise the 403 (Forbidden) interface will appear.
You might wonder if we didn't build the login page above, why does spring security jump to the login page above? This is when we set the HTTP auto-config= "true" when spring security automatically generated for us.
When specifying the auto-config= "true" of an HTTP element, it is equivalent to a shorthand for the following.
<security:http>
<security:form-login/>
<security:http-basic/>
<security:logout/>
</security:http>
These elements are responsible for establishing form logins, Basic authentication, and logout processing. They can all change their behavior by specifying the corresponding properties.
Spring Security 1
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
