Spring Security Web application entry environment setup
Before configuring a Web application with Spring Security, you must first have a Maven-based Spring Web application in place (Spring MVC is not required). Everything in this article assumes that premise.
Add the dependencies to pom.xml
In addition to the Spring framework dependencies, you also need to add the Spring Security dependencies to pom.xml:
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>4.0.2.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>4.0.2.RELEASE</version>
</dependency>
Getting-started configuration
To use Spring Security, you must first configure a filter in web.xml. Note that the filter-name must be springSecurityFilterChain, because DelegatingFilterProxy looks up the Spring bean with that name:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
You also need to create the Spring Security configuration file and add it to the Spring application context:
Once these two configurations are complete, start the server and open any page of the Web application in a browser: you will be redirected to a login page. This login page is generated automatically by Spring Security.
Enter a wrong username or password on the login page and an error message is displayed. Enter the correct username and password and you are logged in and taken to the Web application page. A simple Spring Security-based Web application is now complete!
Login page
The default Spring Security login page is very plain and is generally not used directly. A custom login page is usually specified instead:
The login form submits to /login and must use the POST method. To prevent CSRF attacks, Spring Security verifies the CSRF token submitted in the hidden field of the form; a form without it is rejected.
Logout
In the configuration file, logout is handled by the logout element:
The logout button on the page:
The logout request is sent to /logout and must use the POST method (so it too carries the CSRF token).
Obtain login user information from the database
So far the username, password and role of the login user have all been configured in the Spring Security XML configuration file. In practice, user information is usually not written directly into the XML file but obtained in other ways, for example from a database.
Spring Security provides a convenient way to obtain user information from a database: org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl, which is an implementation of the org.springframework.security.core.userdetails.UserDetailsService interface. You only need to configure the DataSource and the SQL statements used to read user information from the database:
The preceding configuration can also be simplified:
Obtaining login user information in other ways
If the user information does not come from a database, you need to implement the loadUserByUsername method of the org.springframework.security.core.userdetails.UserDetailsService interface yourself, that is, look up the user information by username:
import java.util.ArrayList;
import java.util.Collection;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class UserDetailsServiceImpl implements UserDetailsService {

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Replace this check with your own lookup of the user
        if (username.equals("xxg")) {
            Collection<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
            SimpleGrantedAuthority authority = new SimpleGrantedAuthority("ROLE_USER");
            auths.add(authority);
            // User(username, password, authorities)
            User user = new User(username, "123456", auths);
            return user;
        } else {
            throw new UsernameNotFoundException("The user does not exist");
        }
    }
}
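As an added example (not the article's own code), here is a fuller UserDetailsService that looks the user up with JdbcTemplate instead of a hard-coded name; the table and column names, the BCrypt-hashed password column and the JdbcUserDetailsServiceImpl class name are assumptions made for this example:

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Assumed schema (constructed for this example, not from the article):
//   users(username, password_hash, enabled)   authorities(username, authority)
// password_hash holds a BCrypt hash, so the authentication-provider that
// references this bean must also declare a BCryptPasswordEncoder.
public class JdbcUserDetailsServiceImpl implements UserDetailsService {
    private final JdbcTemplate jdbc;

    public JdbcUserDetailsServiceImpl(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Bind the username as a parameter; never concatenate it into the SQL.
        List<Map<String, Object>> rows = jdbc.queryForList(
                "SELECT password_hash, enabled FROM users WHERE username = ?", username);
        if (rows.isEmpty()) {
            // Spring Security hides this behind a generic BadCredentialsException by
            // default, so the login page does not reveal whether the username exists.
            throw new UsernameNotFoundException("User not found: " + username);
        }
        Map<String, Object> row = rows.get(0);
        String passwordHash = (String) row.get("password_hash");
        boolean enabled = Boolean.TRUE.equals(row.get("enabled")); // assumes a BOOLEAN column
        // Authorities need the ROLE_ prefix so that hasRole('USER') and
        // HttpServletRequest.isUserInRole("USER") both match them.
        List<String> roles = jdbc.queryForList(
                "SELECT authority FROM authorities WHERE username = ?", String.class, username);
        Collection<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            auths.add(new SimpleGrantedAuthority(role));
        }
        // User(username, password, enabled, accountNonExpired, credentialsNonExpired,
        //      accountNonLocked, authorities): a disabled row still loads but cannot log in
        return new User(username, passwordHash, enabled, true, true, true, auths);
    }
}
```

Declare it as a bean and reference it from the authentication-provider's user-service-ref, together with the password encoder that produced the stored hashes.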
Configure the implementation class in the Spring Security configuration file:
Configure URLs not managed by Spring Security
If some URLs in the Web application do not need to be managed by Spring Security, such as static files or pages that can be viewed without logging in, you can configure security="none" for those URLs; note that such requests bypass the whole filter chain, including CSRF protection:
Obtaining information about the logged-in user
Get the username:
httpServletRequest.getRemoteUser(); // Servlet standard
SecurityContextHolder.getContext().getAuthentication().getName();
Get the user's roles:
SecurityContextHolder.getContext().getAuthentication().getAuthorities();
Check whether the user has a role:
httpServletRequest.isUserInRole("ADMIN");