Spring security learning (spring in action)

1. Configure the namespace using Spring Security

Spring securtiy provides security-related namespaces. we can add the spring security namespace declaration to the spring public configuration xml file, in this way, we need to use security as the prefix to indicate that the configuration is about security; at the same time, we can also extract the security-related configuration to a separate spring-secutiry.xml file, and change the primary namespace of the configuration file to the security namespace, in this way, the security prefix is not required when security is configured. The spring-security.xml namespace is as follows:

2. Configure protection for web requests

Spring Security uses a series of Servlet filters to provide various Security functions. You need to add a filter in web. xml:

      springSecurityFilterChain      org.springframework.web.filter.DelegatingFilterProxy                  springSecurityFilterChain      /*    

DelegatingFilterProxy delegates the work to a javax. servlet. filter Implementation class, which is registered as a bean in the context of Spring applications. The filter I configured here filters all web requests.

Next, you can configure security. Here, you can use the

 

Here, I first use

Second, security authentication is not performed for login and registration page requests (IS_AUTHENTICATED_ANONYMOUSLY: Anonymous Authentication ):

　　　

　　Set the logon page:

　　　

 

Login-processing-url: login Request

Login-page: logon page

Default-target-url: the default page to jump to after Successful Logon

Default-target-url: the page to jump to after authentication failure

After the logon page is set, set the exit system:

　　　

 

Logout-success-url: page to jump to after successful exit

Logout-url: Exit request

 

Complete web Authentication Configuration:

 

3. authenticate users

Spring security has a variety of user-based policies, such as memory-based user repositories, jdbc-based user repositories, and LDAP-based user repositories, here I chose jdbc-based database authentication.

First, implement the UserDetailsService interface, the implementation class is called myUserDetailsService, and declare this bean in spring-security.

MyUserDetailsService:

  MyUserDetailsService   Logger log = Logger.getLogger(MyUserDetailsService.= =  userDao.getByColumn("username""spring security load user fail"

 

Get the User object from the database through this service, but note that the loadUserByUsername () method in the UserDetailsService interface returns the UserDetails object, so your User object must inherit from the UserDetails interface, and implement the methods in the interface.

User:

 List<Role> .user_id = .username = .password = List<Role>  setRoles(List<Role>.roles = Collection<?  GrantedAuthority><GrantedAuthority> list =  ArrayList<GrantedAuthority>=                         
 

Permission type:

　　

  .username = .authority =

After myUserDetailsService is declared, you can use myUserDetailsService as the authentication provider:

Here, we must declare the encryption method used by the password. Otherwise, the service will not encrypt the password entered by the user, so the database and the password entered by the user cannot be correct. Here, the encryption method I use is md5 encryption, and the salt value is the user name.

Description of the encrypted bean:

The basic configuration has been completed. Note that when writing the user login form, the user name and password name should be noted as: j_username and j_password, otherwise, the user name and password entered by the user cannot be obtained.

Here, a simple spring security configuration is basically complete. Of course, the security features of spring security are far more than that, and we will continue to learn more.