Spring Security 1

Source: Internet
Author: User

First we create a Spring configuration file dedicated to Spring Security. To use the Spring Security namespace elements in it, we have to declare the security namespace and its schema (namespace URIs are case-sensitive, so they must be written exactly as below):

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

</beans>

The security namespace simplifies development considerably: it covers most of the commonly used Spring Security features and hides the many bean dependencies inside the framework. The functionality it configures can be divided into the following blocks.

    • Web/HTTP security: the most complex part. The framework's authentication mechanism is implemented by installing a chain of servlet filters and the service beans they depend on. When a protected URL is requested, the user is sent to the login page or to an error page.
    • Security of business objects or methods: controls how access to individual methods is granted.
    • AuthenticationManager: processes authentication requests coming from other parts of the framework.
    • AccessDecisionManager: makes the access decision for web or method security. A default one is registered, but a custom AccessDecisionManager can be used by registering it like any other bean.
    • AuthenticationProvider: the component through which the AuthenticationManager actually authenticates users.
    • UserDetailsService: closely related to the AuthenticationProvider; used to load user information.

With the namespace declared, we can use its elements to configure Spring Security ("security" is simply the prefix we chose for the namespace above). First we define an http element, which holds the web-related access control:

<security:http auto-config="true">
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
</security:http>

Each intercept-url element defines one access control rule. The pattern attribute says which URLs the rule applies to; by default it is an Ant-style path (regular expressions can be used instead if the http element is switched to regex matching with request-matcher="regex"), and the "/**" above matches every URL. The access attribute says what is required to request those URLs. In the default configuration (no expressions enabled) it is a comma-delimited list of roles, and a user who holds any one of them is granted access. "ROLE_USER" here means the requesting user must hold the ROLE_USER role; the "ROLE_" prefix is the marker that tells the default RoleVoter to apply role-based checking, so it must be present and upper-case exactly as shown. Rules are evaluated in the order they are declared and the first matching pattern wins, so more specific patterns must come before broader ones.
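The following is an added example, not code from the original page or from Spring Security itself: a small Python model of how intercept-url rules are evaluated under the default setup (an Ant-style matcher, a RoleVoter, and an AffirmativeBased decision manager). The Ant matcher is a simplified re-implementation and the names ant_match, role_vote and decide are this example's own. It shows three things the text above describes: first matching rule wins, a wrongly cased attribute such as "Role_user" makes the RoleVoter abstain so everyone is refused, and putting "/**" before "/admin/**" makes the admin rule unreachable.

```python
import fnmatch

ROLE_PREFIX = "ROLE_"  # RoleVoter only votes on attributes carrying this prefix


def ant_match(pattern: str, path: str) -> bool:
    """Simplified Ant-style match (models Spring's AntPathMatcher): '**' spans any
    number of path segments, '*' and '?' match within a single segment."""
    pats = [p for p in pattern.split("/") if p]
    segs = [s for s in path.split("?")[0].split("/") if s]

    def rec(i: int, j: int) -> bool:
        if i == len(pats):
            return j == len(segs)
        if pats[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(segs) + 1))
        if j < len(segs) and fnmatch.fnmatchcase(segs[j], pats[i]):
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0)


def role_vote(user_authorities: set, config_attributes: list) -> str:
    """Models RoleVoter: abstain unless some attribute starts with ROLE_,
    grant if the user holds any of those roles, otherwise deny."""
    supported = [a for a in config_attributes if a.startswith(ROLE_PREFIX)]
    if not supported:
        return "ABSTAIN"
    return "GRANT" if any(a in user_authorities for a in supported) else "DENY"


def decide(user_authorities: set, rules: list, url: str) -> tuple:
    """Walk the intercept-url rules in declaration order; the first pattern that
    matches wins. With the default AffirmativeBased manager a single GRANT allows
    access, and DENY or an all-abstain outcome refuses it
    (allowIfAllAbstainDecisions=false). Returns (allowed, matched_pattern)."""
    for pattern, access in rules:
        if ant_match(pattern, url):
            attrs = [a.strip() for a in access.split(",") if a.strip()]
            return role_vote(user_authorities, attrs) == "GRANT", pattern
    return True, None  # no rule matched: no security constraint on this URL


if __name__ == "__main__":
    rules = [("/admin/**", "ROLE_ADMIN"), ("/**", "ROLE_USER")]
    print(decide({"ROLE_USER"}, rules, "/index.jsp"))            # (True, '/**')
    print(decide({"ROLE_USER"}, rules, "/admin/users"))          # (False, '/admin/**')
    print(decide({"ROLE_ANONYMOUS"}, rules, "/index.jsp"))       # (False, '/**') -> login page
    # Wrong-case attribute: RoleVoter abstains, so even a ROLE_USER holder is refused.
    print(decide({"ROLE_USER"}, [("/**", "Role_user")], "/index.jsp"))   # (False, '/**')
    # Broad rule declared first: the /admin/** rule is never reached.
    print(decide({"ROLE_USER"}, list(reversed(rules)), "/admin/users"))  # (True, '/**')
```

The anonymous case is what the page's home-page request hits before login: the decision is refused, and it is the ExceptionTranslationFilter, not the voter, that then turns the refusal into a redirect to the login page.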

With the access rule in place, we next need an AuthenticationManager to perform authentication. Consider the following definition:

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="user" password="user" authorities="ROLE_USER"/>
            <security:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN"/>
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

The authentication-manager element defines an AuthenticationManager. It needs an AuthenticationProvider (the authentication-provider element) to do the actual authentication; by default that is a DaoAuthenticationProvider, which in turn needs a UserDetailsService (the user-service element) to load user information as UserDetails objects (the user elements). Here we simply define the users inline; a real application usually loads them from a database or similar, which is covered in the next part. Through the user element we specify the username, the password and the authorities the user holds. Note that with this configuration passwords are stored and compared in clear text, because no password encoder is configured; for anything beyond a demo, store hashes instead (the authentication-provider element accepts a nested password-encoder element). user-service can also read the users from a properties file:

<security:user-service properties="/WEB-INF/config/users.properties"/>

Each line of the properties file must follow this format:

username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]

So the users.properties file equivalent to the configuration above looks like this:

# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
user=user,ROLE_USER
admin=admin,ROLE_USER,ROLE_ADMIN
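As an added example (not code from the original page or from Spring Security), the following Python block parses a users.properties file in the format above into an in-memory user store and then models the authentication that the user-service plus DaoAuthenticationProvider pair performs on it. The file contents are constructed for the example; the "guest" account is an extra, disabled user that is not in the original page, added to show the enabled|disabled token. Two behaviours are modelled on assumptions stated in the comments: usernames are keyed case-insensitively, and the enabled/disabled check runs before the password check. Because the page configures no password encoder, the comparison is against the clear-text password, exactly as the configuration above would do.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class UserDetails:
    username: str
    password: str
    authorities: frozenset
    enabled: bool


def parse_user_value(username: str, value: str) -> UserDetails:
    """Parse 'password,authority[,authority][,enabled|disabled]'. The first token is
    the password, an enabled/disabled token is recognised case-insensitively
    wherever it appears, and every other non-empty token is an authority."""
    tokens = [t.strip() for t in value.split(",")]
    if not tokens or not tokens[0]:
        raise ValueError(f"user {username!r}: missing password")
    password, enabled, authorities = tokens[0], True, set()
    for tok in tokens[1:]:
        if tok.lower() == "enabled":
            enabled = True
        elif tok.lower() == "disabled":
            enabled = False
        elif tok:
            authorities.add(tok)
    return UserDetails(username, password, frozenset(authorities), enabled)


def load_users(properties_text: str) -> dict:
    """Read Java-style .properties text ('#' or '!' comment lines, key=value) into a
    username-keyed store. Usernames are lower-cased so lookups are case-insensitive
    (an assumption of this model, not something the page states)."""
    users = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line; ignored
        username = key.strip().lower()
        users[username] = parse_user_value(username, value)
    return users


def authenticate(users: dict, username: str, password: str) -> tuple:
    """Models a DaoAuthenticationProvider with NO password-encoder, as in the page's
    configuration: the submitted password is compared with the stored clear-text one.
    Returns (outcome, user) with outcome OK, BAD_CREDENTIALS or DISABLED."""
    user = users.get(username.lower())
    if user is None:
        return "BAD_CREDENTIALS", None  # unknown user reported like a bad password
    if not user.enabled:
        return "DISABLED", None  # modelled as a pre-authentication check, before the password
    if not hmac.compare_digest(user.password.encode(), password.encode()):
        return "BAD_CREDENTIALS", None
    return "OK", user


# Constructed sample file for this example; 'guest' is not in the original page.
USERS_PROPERTIES = """\
# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
user=user,ROLE_USER
admin=admin,ROLE_USER,ROLE_ADMIN
guest=guest,ROLE_USER,disabled
"""

if __name__ == "__main__":
    users = load_users(USERS_PROPERTIES)
    print(sorted(users["admin"].authorities))        # ['ROLE_ADMIN', 'ROLE_USER']
    print(authenticate(users, "admin", "admin")[0])  # OK
    print(authenticate(users, "Admin", "wrong")[0])  # BAD_CREDENTIALS
    print(authenticate(users, "guest", "guest")[0])  # DISABLED
    print(authenticate(users, "nobody", "x")[0])     # BAD_CREDENTIALS
```

The clear-text comparison is the point to take away: anyone who can read users.properties holds every password, which is why the page's inline users are only suitable for a demo.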

At this point our Spring Security configuration file is complete. In full it looks like this:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:http auto-config="true">
        <security:intercept-url pattern="/**" access="ROLE_USER"/>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="user" password="user" authorities="ROLE_USER"/>
                <security:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

</beans>

Next we tell Spring to load this configuration file. We can either list it as one of Spring's initial configuration files in web.xml through the contextConfigLocation context-param, or import it from the application's main Spring configuration file. Here we use the former:

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/config/applicationContext.xml,/WEB-INF/config/spring-security.xml</param-value>
</context-param>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

The ContextLoaderListener loads and initializes the listed Spring configuration files. The applicationContext.xml above is the application's ordinary Spring configuration file; if you do not have one, just leave it out of the list. Next we define a filter in web.xml that hands the requests to be protected over to Spring Security. The filter name springSecurityFilterChain must be used exactly, because DelegatingFilterProxy looks up a bean with the same name as the filter in the root application context, and that is the bean the http element registers. Also be aware that this filter mapping must come before other request-intercepting filters and servlets such as Spring MVC's. Here we intercept all requests:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Now start the application and open the home page in a browser. You will see a login page.

Because spring-security.xml requires ROLE_USER for every request, Spring Security finds on the first request to the home page that we are not logged in and redirects us to the login page. After logging in with a correct username and password (for example user/user or admin/admin as configured above), we reach the home page if the required role is held; otherwise a 403 (Forbidden) page is shown.

You may wonder where that login page came from, since we never built one. It is generated by Spring Security because we set auto-config="true" on the http element.

Setting auto-config="true" on the http element is shorthand for the following:

<security:http>
    <security:form-login/>
    <security:http-basic/>
    <security:logout/>
</security:http>

These three elements set up form login, HTTP Basic authentication and logout handling respectively; each can be tuned through its own attributes (for example, form-login can point at your own login page instead of the generated one).

