Spring-security User Rights authentication Framework

As you know, in spring there is a rights Management module based on the Acegi development of Spring-security, which is a lightweight framework. Springsecurity can protect the URL access of a Web application declaratively, with a simple configuration. Springsecurity provides a variety of security services for Web applications through a range of servlet filters.
Configure Spring-security
To add a filter to Web. xml:

<filter>    <filter-name>springSecurityFilterChain</filter-name>    <filter-class >org.springframework.web.filter.delegatingfilterproxy</filter-class></filter>< filter-mapping>    <filter-name>springSecurityFilterChain</filter-name>    <url-pattern >/*</url-pattern></filter-mapping>

Then create the configuration file Project-security.xml under the <classpath> path:

<?xml version= "1.0" encoding= "UTF-8"? ><beans:beans xmlns= "http://www.springframework.org/schema/security "Xmlns:beans= "Http://www.springframework.org/schema/beans"Xmlns:xsi= "Http://www.w3.org/2001/XMLSchema-instance"xsi:schemalocation= "Http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsdhttp//www.springframework.org/schema/securityhttp//www.springframework.org/schema/security/spring-security-2.0.xsd ">default-target-url= "/"/> <remember-me data-source-ref= "DataSource"/> <logout invalidate-session= "true "Logout-success-url="/"/> <!--uncomment to enable X509 client authentication support<x509/>-Users-by-username-query= "Select Account as username, password, status as enabled from user where account=?"authorities-by-username-query= "Select Account as username, authority from user where account=?"/> </authentication-provider ></beans:beans>

Add the configuration file to the <context-param> of Web. Xml.

Spring-security uses roles to categorize administrative user rights, such as the above configuration contains the Role_admin and role_user two roles, respectively, with/admin/and/user/URL path permissions.

Saving users in the database

The user's account password is saved in several different ways, including XML, LDAP, and database medium. The above is used in the way saved to the database, using the DataSource bean that was previously configured in Applicationcontext.xml. When you use the database to save your account, you need to build the table according to the fields specified in Spring-security, there are two related tables, respectively, to save the account password and login status. Using MySQL, you can create this:

CREATE TABLE ' user ' (  ' account ' varchar(') ' is not null,  ' password ' varchar () ' is not NULL,  ' authority ' varcharis notnull,  ' status ' tinyint (1) is not null, a  UNIQUE KEY ' account ' (' Account '), ENGINE=innodb DEFAULT charset=UTF8; CREATE TABLE ' persistent_logins ' (  ' username ' varchar) notNULL,  ' series ' varchar (64 ) NOT NULL,  ' token ' varchar (+) not null,  ' last_used ' timestamp not null DEFAULT Current_ TIMESTAMP on UPDATE current_timestamp,  PRIMARY KEY (' series ') ENGINE=innodb DEFAULT Charset=utf8;

Encrypt Password

Passwords are stored in plaintext in the default spring-security and can be encrypted by setting <password-encoder> . The corresponding user registration module is also to save the password with encrypted data to the database before the line.

Import Org.springframework.security.providers.encoding.Md5PasswordEncoder; Import  newnull);

Prevent users from repeatedly logging in

Session control can be used to prevent users from repeating logins, which can be achieved through configuration. First, add the Listener in Web. XML:

<listener>    <listener-class> org.springframework.security.ui.session.httpsessioneventpublisher</listener-class></listener >

Then add in inside the project-security.xml configuration file:

<concurrent-session-control max-sessions= "1" exception-if-maximum-exceeded= "true"/>

max-sessions= "1" indicates that the maximum number of sessions that the user is logged on at the same time is 1 and exception-if-maximum-exceeded= "true" indicates that the exceeded user is blocked from logging in.

Add Spring-security to JSP

Spring-security gives the interface used in the JSP. User logins can use the following form:

<form name= ' F ' action= '/project/j_spring_security_check ' method= ' POST ' ><table>  <tr><td > Username: </td><td><input type= ' text ' name= ' j_username ' value= ' ></td></tr>  < tr><td> Password: </td><td><input type= ' password ' name= ' J_password '/></td></tr>  <tr><td></td><td><input type= ' checkbox ' name= ' _spring_security_remember_me '/> Auto login </td></tr>  <tr><td colspan= ' 2 ' align= "right" ><input name= "reset" id= "reset" type = "Reset" value= "reset"/> <input name= "Submit" id= "submit" type= "submit" value= "Login"/></td></tr>< /table></form>

The following can be used to determine the condition of the logged-on user:

<%@ taglib prefix= "SEC" uri= "http://www.springframework.org/security/tags"%><sec:authorize ifallgranted= " Role_anonymous "><!--...--></sec:authorize><sec:authorize ifallgranted=" Role_user "><!-- ...--></sec:authorize>

The way to get the logged-in user's account on a specific JSP page is:

<%@ taglib prefix= "SEC" uri= "http://www.springframework.org/security/tags"%><input name= "Customer" type= " Hidden "value=" <sec:authentication property= ' principal.username '/> '/>

In addition, Spring Security provides some of the following features:

1. Remember me, remember me;

2. Form-login Login control;

3. Multi-identity authentication function;

4. User password encryption and "salt" function;

5. HTTP protocol control;

6. Access Port control;

7. Pre-invocation & After-invocation.

Spring-security also has a number of related uses that can be viewed in the official documentation. http://www.yeolar.com/note/2011/10/19/spring-security/

Spring-security User Rights authentication Framework