1. Configure the namespace using Spring Security
Spring Security provides security-related namespaces. We can add the Spring Security namespace declaration to the common Spring configuration XML file; in that case, security elements must carry the security prefix to indicate that the configuration is about security. Alternatively, we can move the security-related configuration into a separate spring-security.xml file and make the security namespace the primary namespace of that file; in that case, the security prefix is not required. The spring-security.xml namespace is as follows:
2. Configure protection for web requests
Spring Security uses a series of Servlet filters to provide its security functions. You need to add a filter in web.xml:
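    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>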
DelegatingFilterProxy delegates the work to a javax.servlet.Filter implementation class, which is registered as a bean in the Spring application context. The filter I configured here filters all web requests.
Next, you can configure security. Here, you can use the
Here, I first use
Second, security authentication is not performed for login and registration page requests (IS_AUTHENTICATED_ANONYMOUSLY: anonymous authentication):
Set the login page:
login-processing-url: the login request
login-page: the login page
default-target-url: the default page to jump to after successful login
authentication-failure-url: the page to jump to after authentication failure
After the login page is set, set the logout behaviour:
logout-success-url: the page to jump to after successful logout
logout-url: the logout request
Complete web Authentication Configuration:
3. Authenticate users
Spring Security supports a variety of user stores, such as in-memory user repositories, JDBC-based user repositories, and LDAP-based user repositories. Here I chose JDBC-based database authentication.
First, implement the UserDetailsService interface. The implementation class is called MyUserDetailsService, and it is declared as a bean in the Spring Security configuration.
MyUserDetailsService:
MyUserDetailsService Logger log = Logger.getLogger(MyUserDetailsService.= = userDao.getByColumn("username""spring security load user fail"
This service loads the User object from the database. Note that the loadUserByUsername() method of the UserDetailsService interface returns a UserDetails object, so your User class must implement the UserDetails interface and its methods.
User:
List<Role> .user_id = .username = .password = List<Role> setRoles(List<Role>.roles = Collection<? GrantedAuthority><GrantedAuthority> list = ArrayList<GrantedAuthority>=
Permission type:
.username = .authority =
After myUserDetailsService is declared, you can use myUserDetailsService as the authentication provider:
Here, we must declare the encoding method used for the password. Otherwise, the password entered by the user is not encoded before comparison, so it will never match the value stored in the database. Here, the method I use is MD5, and the salt value is the user name.
Description of the encrypted bean:
The basic configuration is now complete. Note that when writing the user login form, the user name and password fields must be named j_username and j_password; otherwise, the user name and password entered by the user cannot be obtained.
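Sections 2 and 3 put together in one spring-security.xml, as an added example that is not the original author's configuration. It assumes Spring Security 3.1 or later in the 3.x line (the version family that uses j_username and j_password); the URLs, the ROLE_USER role and the com.example class name are placeholders. The MD5 encoder salted with the user name, as described above, is shown next to a BCrypt alternative, because MD5 is cheap to brute-force and a user name is a predictable salt.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (Spring Security 3.x namespace assumed). URLs, ROLE_USER and
     the com.example class name are placeholders, not values from the page. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

  <http auto-config="true">
    <!-- Rules are matched top-down and the first match wins, so the
         anonymous pages must come before the catch-all rule. -->
    <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/register.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**" access="ROLE_USER"/>

    <form-login login-page="/login.jsp"
        login-processing-url="/j_spring_security_check"
        default-target-url="/index.jsp"
        authentication-failure-url="/login.jsp?error=true"/>
    <logout logout-url="/j_spring_security_logout"
        logout-success-url="/login.jsp"/>
  </http>

  <beans:bean id="myUserDetailsService"
      class="com.example.security.MyUserDetailsService"/>

  <!-- Variant described on the page: MD5 salted with the user name.
  <authentication-manager>
    <authentication-provider user-service-ref="myUserDetailsService">
      <password-encoder hash="md5">
        <salt-source user-property="username"/>
      </password-encoder>
    </authentication-provider>
  </authentication-manager>
  End of MD5 variant. -->

  <!-- Hardened variant: BCrypt embeds a random per-password salt and a
       work factor in each stored hash, so no salt-source is needed. -->
  <beans:bean id="passwordEncoder"
      class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
  <authentication-manager>
    <authentication-provider user-service-ref="myUserDetailsService">
      <password-encoder ref="passwordEncoder"/>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

Hashes already stored as MD5 will not verify against the BCrypt encoder, so existing passwords have to be re-hashed, for instance at the next successful login or through a reset, when switching encoders.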
With that, a simple Spring Security configuration is basically complete. Of course, Spring Security offers far more security features than this, and we will continue to learn more.