-
十九、商城 - 运营商登录-Spring Security(7)
一、Spring Security 框架入门
忽略结构图往下看
1.1 Spring Security 简介
Spring Security [ sprɪŋ sɪˈkjʊərəti ]
Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。
相关依赖
<dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-webartifactId> <version>4.1.0.RELEASEversion> dependency> <dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-configartifactId> <version>4.1.0.RELEASEversion> dependency>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
1.2 Spring Security 入门 Demo
1.2.1 最简单 Demo
(1)创建工程
spring-security-demo, 并且引入pom.xml 内容
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0modelVersion> <groupId>com.zqlgroupId> <artifactId>spring-security-demoartifactId> <version>1.0version> <packaging>warpackaging> <properties> <webVersion>3.0webVersion> <spring.version>4.2.5.RELEASEspring.version> properties> <dependencies> <dependency> <groupId>org.springframeworkgroupId> <artifactId>spring-coreartifactId> <version>${spring.version}version> dependency> <dependency> <groupId>org.springframeworkgroupId> <artifactId>spring-webartifactId> <version>${spring.version}version> dependency> <dependency> <groupId>org.springframeworkgroupId> <artifactId>spring-webmvcartifactId> <version>${spring.version}version> dependency> <dependency> <groupId>org.springframeworkgroupId> <artifactId>spring-context-supportartifactId> <version>${spring.version}version> dependency> <dependency> <groupId>org.springframeworkgroupId> <artifactId>spring-testartifactId> <version>${spring.version}version> dependency> <dependency> <groupId>org.springframeworkgroupId> <artifactId>spring-jdbcartifactId> <version>${spring.version}version> dependency> <dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-webartifactId> <version>4.1.0.RELEASEversion> dependency> <dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-configartifactId> <version>4.1.0.RELEASEversion> dependency> <dependency> <groupId>javax.servletgroupId> <artifactId>servlet-apiartifactId> <version>2.5version> <scope>providedscope> dependency> dependencies> <build> <plugins> <plugin> <artifactId>maven-compiler-pluginartifactId> <configuration> <source>1.8source> <target>1.8target> configuration> plugin> <plugin> <groupId>org.apache.tomcat.mavengroupId> <artifactId>tomcat7-maven-pluginartifactId> <configuration> <port>9090port> <path>/path> configuration> plugin> plugins> build> project>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
(2)创建
web.xml<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5"> <context-param> <param-name>contextConfigLocationparam-name> <param-value>classpath:spring-security.xmlparam-value> context-param> <listener> <listener-class> org.springframework.web.context.ContextLoaderListener listener-class> listener> <filter> <filter-name>springSecurityFilterChainfilter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxyfilter-class> filter> <filter-mapping> <filter-name>springSecurityFilterChainfilter-name> <url-pattern>/*url-pattern> filter-mapping> web-app>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
注意过滤器名字必须固定为:
springSecurityFilterChainwebapp下面创建
index.htmlDOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Titletitle> head> <body> 登录成功 body> html>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
resources下面创建
spring-security.xml<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <http use-expressions="false"> <intercept-url pattern="/**" access="ROLE_ADMIN" /> <form-login/> http> <authentication-manager> <authentication-provider> <user-service> <user name="admin" password="123" authorities="ROLE_ADMIN"/> user-service> authentication-provider> authentication-manager> beans:beans>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
启动tomcat
浏览器登录
http://localhost:9090/index.html出现下面 👇🏾👇🏾
在spring-security.xml对应位置中添加 👇🏾👇🏾
<http pattern="/favicon.ico" security="none"/>- 1
- 2
再次访问
localhost:9090/index.html
- 配置说明:
- intercept-url 表示拦截页面
- /* 表示的是该目录下的资源,只包括本级目录不包括下级目录
- /** 表示的是该目录以及该目录下所有级别子目录的资源
- form-login 为开启表单登陆
- use-expressions 为是否使用使用 Spring 表达式语言( SpEL ),默认为true ,
- 拦截的配置应该写成以下形式 👇🏾👇🏾
ROLE_ADMIN:必须验证具备该角色后才能访问,注意角色名称必须以ROLE_开头
再次访问
localhost:9090/index.html
1.2.2 用户自定义登录页
开发中,我们不可能使用系统生成的登录页,而是使用我们自己的登录页。
(1)webapp下面 构建登陆页:
login.htmlDOCTYPE html> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>登陆title> head> <body> <form action='/login' method='POST'> <table> <tr> <td>用户名:td> <td><input type='text' name='username' value=''>td> tr> <tr> <td>密码:td> <td><input type='password' name='password' />td> tr> <tr> <td colspan='2'><input name="submit" type="submit" value="登陆" />td> tr> table> form> body> html>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
注意:登录提交地址/login 改地址由SpringSecurity生成,提交方法必须是POST
(2)构建登陆失败页 login_error.html
DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Titletitle> head> <body> 登录失败 body> html>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
(3)修改 spring 配置文件 spring-security.xml
浏览器登录页的登录
http://localhost:9090/login.html
解决: 👇🏾👇🏾 添加
CSRF(Cross-site request forgery)跨站请求伪造,也被称为“One Click Attack”或者Session Riding,通常缩写为CSRF或者XSRF,是一种对网站的恶意利用。
则 🤞🤞
在spring-security.xml对应位置中添加 👇🏾👇🏾<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <http pattern="/favicon.ico" security="none"/> <http use-expressions="false"> <intercept-url pattern="/**" access="ROLE_ADMIN" /> <form-login login-page="/login.html" default-target-url="/index.html" always-use-default-target="true" authentication-failure-url="/login_error.html"/> <csrf disabled="true">csrf> http> <authentication-manager> <authentication-provider> <user-service> <user name="admin" password="123" authorities="ROLE_ADMIN"/> user-service> authentication-provider> authentication-manager> beans:beans>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
访问 :
http://localhost:9090/login.html因为拦截了所以登录页会被反复重定向。
- login-page:指定登录页面。
- default-target-url:指定了成功进行身份验证和授权后默认呈现给用户的页面。
- authentication-failure-url:指定了身份验证失败时跳转到的页面。
- always-use-default-target
– 如果设置成"true",用户会一直转发到default-target-url指定的位置,无论他们在登录页面之前访问的什么位置。 对应UsernamePasswordAuthenticationFilter的alwaysUseDefaultTargetUrl属性。 - csrf disabled=“true” 关闭csrf ,如果不加会出现错误
解决 :
<http pattern="/login.html" security="none"/> <http pattern="/login_error.html" security="none"/>- 1
- 2
- 3
再次访问 :
http://localhost:9090/login.html
登录成功显示 : 用户名 :admin 密码:123
登录失败显示 : 比如 用户名 :admin 密码:1234
二、运营商系统登录与安全控制
2.1 需求分析
完成运营商登陆功能
2.2 登陆功能的实现
2.2.1 配置文件
(1)修改youlexuan_manager_web的 pom.xml ,添加依赖
<dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-webartifactId> <version>4.1.0.RELEASEversion> dependency> <dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-configartifactId> <version>4.1.0.RELEASEversion> dependency>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
(2)修改web.xml ,增加SpringSecurity过滤器
<filter> <filter-name>springSecurityFilterChainfilter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxyfilter-class> filter> <filter-mapping> <filter-name>springSecurityFilterChainfilter-name> <url-pattern>/*url-pattern> filter-mapping>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
(3)youlexuan_manager_web 的 spring目录下添加配置文件
spring-security.xml
并copy 1.2.2 (2)做修改 如下:<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <http pattern="/favicon.ico" security="none"/> <http pattern="/login.html" security="none">http> <http pattern="/css/**" security="none">http> <http pattern="/img/**" security="none">http> <http pattern="/js/**" security="none">http> <http pattern="/plugins/**" security="none">http> <http use-expressions="false"> <intercept-url pattern="/**" access="ROLE_ADMIN" /> <form-login login-page="/login.html" default-target-url="/admin/index.html" always-use-default-target="true" authentication-failure-url="/login.html"/> <csrf disabled="true">csrf> http> <authentication-manager> <authentication-provider> <user-service> <user name="admin" password="123" authorities="ROLE_ADMIN"/> user-service> authentication-provider> authentication-manager> beans:beans>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
解决 :
<headers> <frame-options policy="SAMEORIGIN"/> headers>- 1
- 2
- 3
- 4
SAMEORIGIN:frame页面的地址只能为同源域名下的页面
完整
spring-security.xml代码 :👇🏾👇🏾<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <http pattern="/favicon.ico" security="none"/> <http pattern="/login.html" security="none">http> <http pattern="/css/**" security="none">http> <http pattern="/img/**" security="none">http> <http pattern="/js/**" security="none">http> <http pattern="/plugins/**" security="none">http> <http use-expressions="false"> <intercept-url pattern="/**" access="ROLE_ADMIN" /> <form-login login-page="/login.html" default-target-url="/admin/index.html" always-use-default-target="true" authentication-failure-url="/login.html"/> <csrf disabled="true">csrf> <headers> <frame-options policy="SAMEORIGIN"/> headers> http> <authentication-manager> <authentication-provider> <user-service> <user name="admin" password="123" authorities="ROLE_ADMIN"/> user-service> authentication-provider> authentication-manager> beans:beans>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
2.2.2 登录页面
修改youlexuan_manager_web的 login.html
<div id="profile" class="tab-pane active"> <form id="loginform" action="/login" method="post"> <div class="input-prepend"><span class="add-on loginname">span> <input name="username" id="prependedInput" type="text" placeholder="邮箱/用户名/手机号" class="span2 input-xfat"> div> <br/> <div class="input-prepend"><span class="add-on loginpwd">span> <input name="password" id="prependedInput" type="password" placeholder="请输入密码" class="span2 input-xfat"> div><br/> <div class="setting"> <div id="slider"> <div id="slider_bg">div> <span id="label">>>span> <span id="labelTip">拖动滑块验证span> div> div> <div class="logined"> <a class="sui-btn btn-block btn-xlarge btn-danger" onclick="document:loginform.submit()" target="_blank">登 录a> div> form> div>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
2.3 主界面显示登陆人
2.3.1 后端代码
在youlexuan_manager_web新建 LoginController.java
package com.zql.sellergoods.controller; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; import java.util.HashMap; import java.util.Map; /** * @Author:Daniel * @Version 1.0 */ @RestController @RequestMapping("/login") public class LoginController { @RequestMapping("/name") public Map name(){ String name = SecurityContextHolder.getContext().getAuthentication().getName(); //System.out.println("================="+name); Map map = new HashMap<>(); map.put("loginName",name); return map; } }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
2.3.2 前端代码
(1)在youlexuan_manager_web / webapp / js / service下面新建
loginService.js//登陆服务层 app.service('loginService',function ($http) { //读取登录人名称 this.loginName = function () { return $http.get('../login/name.do'); } });- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
(2)在youlexuan_manager_web / webapp / js / controller下面新建 indexController.js
app.controller('indexController',function ($scope,$controller,loginService) { //读取当前登录人 $scope.showLoginName = function () { loginService.loginName().success(function(response){ $scope.loginName = response.loginName; }) } });- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
(3)在youlexuan_manager_web / webapp / admin / index.html 添加指令并引入下面 js
<body class="hold-transition skin-green sidebar-mini" ng-app="youlexuan" ng-controller="indexController" ng-init="showLoginName()" >- 1
<script type="text/javascript" src="../plugins/angularjs/angular.min.js"></script> <script type="text/javascript" src="../js/base.js"></script> <script type="text/javascript" src="../js/service/loginService.js"></script> <script type="text/javascript" src="../js/controller/indexController.js"></script>- 1
- 2
- 3
- 4
测试 :
http://localhost:9101/login/name.do
登录后的效果显示:
http://localhost:9101/login.html用户名 admin 密码 123
2.4 退出登录
在youlexuan_manager_web的 spring-security.xml 的 http节点中添加配置
加此配置后,会自动的产生退出登录的地址/logout
修改注销的链接 youelxuan_manager_web / webapp / admin / index.html
别人总结的👉🏾👉🏾 Spring Security
-
相关阅读:
c++ 学习之 静态成员变量和静态成员函数
spring cloud搭建教程
推荐一款国人开源的 Redis 可视化管理工具
万字总结:分布式系统的38个知识点
联邦学习: 联邦场景下的时空数据挖掘
什么?又来看驱动的过程了?是滴,必需滴--I2C设备的注册过程(小白篇)
Linux安装ErLang(亲测可用)
Java基础----常用类
Data.olllo:轻松去除所有字母
01. Python基础环境搭建
- 原文地址:https://blog.csdn.net/weixin_42171159/article/details/126255787
