Spring Security

Source: Internet
Author: User

1. Brief Introduction to Spring Security

Spring Security was previously called Acegi Security and later became a sub-project of Spring. It is also the most popular security and permission management framework, and it is closely integrated with Spring.

Spring Security focuses on providing services at the security layer of enterprise applications. Requirements vary widely from one business domain to another: a banking system is very different from an e-commerce application, and an e-commerce system is very different from an enterprise sales automation tool. These custom requirements make application security interesting, challenging, and valuable. Spring Security provides a comprehensive security solution for J2EE-based enterprise applications.

 

2. Configure filters and other parameters for Spring Security

To use Spring Security, you must first configure its filter in web.xml. Because my Spring configuration files are placed under WEB-INF, I also configure the context parameter that points to them and add the Spring listener:


[Xhtml]
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <!-- Context parameter that tells Spring where to find its configuration files -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring-*.xml</param-value>
    </context-param>
    <!-- Filter required by Spring Security; mapping it to /* ensures every request passes through the security filter chain -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- Listener that bootstraps the Spring application context -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
</web-app>


 

3. Configure security (spring-security.xml)


[Xhtml]
<?xml version="1.0" encoding="UTF-8"?>
<!-- The security namespace is the default namespace here, so its elements need no prefix; the beans namespace is bound to the beans: prefix -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <!-- Spring Security uses first-match semantics: intercept-url rules are evaluated top to bottom and the first pattern that matches decides. Put the most specific (and strictest) rules first and the loosest catch-all last. auto-config="true" lets Spring Security register the common mechanisms (form login, anonymous access, remember-me) automatically; they can also be configured by hand. -->
    <http auto-config="true">
        <!-- intercept-url declares the authorities required to access a URL resource. pattern may name one resource or use wildcards for a group. The login page is listed first with filters="none" so that the catch-all below cannot shadow it; the next rule restricts /security/** to ROLE_ADMIN, and /** covers every other resource in the system. -->
        <intercept-url pattern="/login.jsp*" filters="none"/>
        <intercept-url pattern="/security/**" access="ROLE_ADMIN"/>
        <intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER"/>
        <logout logout-url="/logout.jsp" logout-success-url="/j_spring_security_check"/>
    </http>

    <!-- In-memory user store: the users are read from this file when Tomcat starts and held in memory until the application restarts, hence the name.
    <authentication-provider>
        <user-service>
            <user name="admin" password="tomcat" authorities="ROLE_ADMIN"/>
            <user name="liky" password="redhat" authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
    -->
    <!-- Database-backed user store. data-source-ref names the data source; the database it points to must contain the users and authorities tables laid out as Spring Security's default queries expect. -->
    <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>

</beans:beans>
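The first-match rule described in the comment above is easy to get wrong: an intercept-url placed after the /** catch-all can never fire, so the login page ends up protected and the login form becomes unreachable. The following Python check is an added example (not part of the original post and not Spring code; the Ant-style matcher is a simplified reimplementation) that evaluates the three patterns from spring-security.xml in both orders and reports which rules are shadowed.

```python
import re

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex
    (simplified: ** spans segments, * and ? stay inside one segment)."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + "$")

def first_match(rules, path):
    """Mirror Spring Security's evaluation: rules are tried top to bottom and
    the first matching pattern decides; the remaining rules are never consulted."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, access
    return None, None

def probe_path(pattern):
    """Build a sample path the pattern matches by filling in its wildcards."""
    return pattern.replace("**", "a/b").replace("*", "a").replace("?", "a")

def shadowed_rules(rules):
    """Return (rule, earlier_rule) pairs where an earlier pattern already
    catches the later rule's probe path, so the later rule is unreachable."""
    found = []
    for idx, (pattern, _) in enumerate(rules):
        earlier, _ = first_match(rules[:idx], probe_path(pattern))
        if earlier is not None:
            found.append((pattern, earlier))
    return found

# The three rules from spring-security.xml. In LOGIN_LAST the login page
# comes after the /** catch-all, so the catch-all always wins for /login.jsp.
LOGIN_LAST = [
    ("/security/**", "ROLE_ADMIN"),
    ("/**", "ROLE_ADMIN,ROLE_USER"),
    ("/login.jsp*", "filters=none"),
]
LOGIN_FIRST = [LOGIN_LAST[2], LOGIN_LAST[0], LOGIN_LAST[1]]

if __name__ == "__main__":
    print("login rule last :", first_match(LOGIN_LAST, "/login.jsp"), shadowed_rules(LOGIN_LAST))
    print("login rule first:", first_match(LOGIN_FIRST, "/login.jsp"), shadowed_rules(LOGIN_FIRST))
```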


 

4. Data source configuration (spring-common.xml)


[Xhtml]
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

    <!-- DBCP data source for the MySQL database that holds the users and authorities tables -->
    <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
        <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
        <property name="url" value="jdbc:mysql://localhost:3306/csu"/>
        <property name="username" value="root"/>
        <property name="password" value="redhat"/>
        <property name="maxActive" value="100"/>
        <property name="maxIdle" value="30"/>
        <property name="maxWait" value="300"/>
        <property name="defaultAutoCommit" value="true"/>
    </bean>
</beans>


 

 

5. Directory structure of the project

 

 

6. Database scripts


[Sql]
/* This script is written for MySQL, so the MySQL driver package must be on the classpath when you run this example */

create table users
(
    username varchar(50) primary key,
    password varchar(50),
    enabled tinyint(1)
);

create table authorities
(
    id int auto_increment primary key,
    username varchar(50),
    authority varchar(50),
    constraint fk_authorities_users foreign key (username) references users (username)
);

create unique index ix_auth_username on authorities (username, authority);

 

7. Key Points of deployment and Configuration

This is a database authentication example for Spring Security. Pay attention to the following points:
(1) Add the required Spring packages, the Spring Security package and the MySQL driver package. You can switch to another database, but then the dataSource in spring-common.xml must be modified accordingly.
(2) The users and authorities tables must be defined exactly as in the script; in particular, the table names cannot be changed.
(3) The users table must contain the username, password and enabled fields. These fields are mandatory and their names cannot be changed; in addition, enabled must be 1 for the user to be able to log on.
(4) The authorities table must contain the username field, which references users.username as a foreign key. The authority field holds the role name, which must follow the ROLE_XXX format (for example ROLE_ADMIN, ROLE_USER, ROLE_MANAGER).
(5) If a user has several roles, do not list them comma-separated in one row; define one record per role (for example, if abu has the roles ROLE_ADMIN and ROLE_USER, insert two records, abu/ROLE_USER and abu/ROLE_ADMIN, rather than a single record abu/"ROLE_ADMIN, ROLE_USER").
(6) You may add an id field to the authorities table as its primary key.
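To see why points (3) and (5) matter, here is an added Python example (mine, not from the post) that creates the page's two tables in an in-memory SQLite database (auto_increment spelled the SQLite way) and runs the two lookup queries that Spring Security's JdbcDaoImpl issues by default against users and authorities, over constructed sample rows: one user with one row per role, one with both roles crammed into a single comma-separated row, and one with enabled = 0.

```python
import sqlite3

# Default queries Spring Security's JdbcDaoImpl runs when <jdbc-user-service>
# is used without custom query attributes; they fix the table and column names.
USERS_BY_USERNAME = "select username, password, enabled from users where username = ?"
AUTHORITIES_BY_USERNAME = "select username, authority from authorities where username = ?"
# The page's schema, with MySQL's auto_increment spelled the SQLite way.
SCHEMA = """
create table users (
    username varchar(50) primary key,
    password varchar(50),
    enabled tinyint(1)
);
create table authorities (
    id integer primary key autoincrement,
    username varchar(50),
    authority varchar(50),
    constraint fk_authorities_users foreign key (username) references users (username)
);
create unique index ix_auth_username on authorities (username, authority);
"""

def build_sample_db():
    """Constructed sample data: abu has one row per role (correct), bad has both
    roles in one comma-separated row (wrong), dave is disabled (enabled = 0)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into users values (?, ?, ?)",
                     [("abu", "pw", 1), ("bad", "pw", 1), ("dave", "pw", 0)])
    conn.executemany("insert into authorities (username, authority) values (?, ?)",
                     [("abu", "ROLE_ADMIN"), ("abu", "ROLE_USER"),
                      ("bad", "ROLE_ADMIN, ROLE_USER"), ("dave", "ROLE_USER")])
    return conn

def load_user(conn, username):
    """Same two lookups JdbcDaoImpl performs; returns (enabled, roles) or None."""
    row = conn.execute(USERS_BY_USERNAME, (username,)).fetchone()
    if row is None:
        return None
    roles = [authority for _, authority in conn.execute(AUTHORITIES_BY_USERNAME, (username,))]
    return bool(row[2]), roles

def may_access(conn, username, required):
    """Decision an <intercept-url access="ROLE_A, ROLE_B"> rule would reach:
    the account must be enabled and hold at least one of the listed roles."""
    user = load_user(conn, username)
    if user is None or not user[0]:
        return False
    wanted = {role.strip() for role in required.split(",")}
    return any(role in wanted for role in user[1])
```

The comma-joined row is stored as the single authority "ROLE_ADMIN, ROLE_USER", which matches neither ROLE_ADMIN nor ROLE_USER, so that user is denied everywhere.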
