spring security 详解
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd ">
<!-- Spring Security namespace configuration. The security schema is the default namespace here, so plain Spring elements carry the beans: prefix. -->
<!-- security="none" takes /login out of the security filter chain altogether: no CSRF filter, no response headers from the headers element below, no security context. NOTE(review): if /login renders or processes the login form, an access="permitAll" rule inside the main http element would keep those protections; confirm which is intended. -->
<http pattern="/login" security="none"/>
<!-- Main filter chain for every other URL. auto-config="true" enables the default form login, HTTP Basic and logout support. NOTE(review): no intercept-url rules are visible in this listing, so nothing shown here requires authentication or a role for any URL; confirm the rules were only trimmed for the article. -->
<http auto-config="true">
<headers>
<!-- Sends X-Frame-Options: SAMEORIGIN, so pages may be framed only by the same origin (clickjacking mitigation). -->
<frame-options policy="SAMEORIGIN"/>
</headers>
<!-- HTTP Basic is already part of auto-config; this element states it explicitly. Basic credentials travel with every request, so this presumably relies on HTTPS; verify the deployment. -->
<http-basic />
<!-- Replaces the default "which requests need a CSRF token" rule with the csrfSecurityRequestMatcher bean declared below. -->
<csrf request-matcher-ref="csrfSecurityRequestMatcher"/>
</http>
<!-- Custom CSRF matcher. The property name must match the setter setExecludeUrls, including its spelling. -->
<beans:bean id="csrfSecurityRequestMatcher" class="com.curiousby.csrf.CsrfSecurityRequestMatcher">
<beans:property name="execludeUrls">
<!-- POST requests whose servlet path matches one of these entries are accepted without a CSRF token; the exact matching rule is in CsrfSecurityRequestMatcher.matches. Each entry is an endpoint open to cross-site POSTs, so keep the list minimal and never add an empty value. -->
<beans:list>
<beans:value>/test/</beans:value>
<beans:value>/index/</beans:value>
</beans:list>
</beans:property>
</beans:bean>
<!-- NOTE(review): no authentication-provider is declared in this listing, so as shown there is nothing to validate credentials against; presumably omitted for brevity, confirm against the real configuration. -->
<authentication-manager>
</authentication-manager>
</beans:beans>
/*
* Project: .web
*
* File Created at 2017年3月15日
*
* Copyright 2016 Corporation Limited.
* All rights reserved.
*
* This software is the confidential and proprietary information of
* curiousby Company. ("Confidential Information"). You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license.
*/
package com.curiousby.csrf;
import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;
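/**
 * Decides which requests Spring Security's CSRF filter must check for a token.
 *
 * <p>A request requires a CSRF token unless its HTTP method is GET, HEAD, TRACE or OPTIONS, or
 * it is a POST whose servlet path starts with one of the configured {@code execludeUrls}
 * prefixes. Only POST is ever exempted; PUT, DELETE, PATCH and any other method sent to an
 * excluded path still require a token.
 *
 * <p>Every excluded prefix is an endpoint that accepts state-changing POSTs without a token.
 * Matching is by path prefix rather than by substring, so that an entry such as {@code /test/}
 * does not also exempt unrelated paths like {@code /admin/test/...}. End each prefix with
 * {@code /} so that {@code /test/} cannot match {@code /testing}.
 *
 * @see com.curiousby.csrf.CsrfSecurityRequestMatcher
 * @Type CsrfSecurityRequestMatcher.java
 * @author baoyou curiousby@163.com
 * @date 2017-03-15 15:44:57
 */
public class CsrfSecurityRequestMatcher implements RequestMatcher {

    private static final java.util.logging.Logger LOG =
            java.util.logging.Logger.getLogger(CsrfSecurityRequestMatcher.class.getName());

    /** HTTP methods that never require a CSRF token. */
    private static final Pattern ALLOWED_METHODS = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");

    /**
     * Servlet-path prefixes whose POST requests skip the CSRF check; may be {@code null}.
     * The misspelled name is kept because the Spring XML property refers to it.
     */
    private List<String> execludeUrls;

    /**
     * Tells the CSRF filter whether the given request must carry a valid token.
     *
     * @param request the incoming request
     * @return {@code true} when CSRF protection applies, {@code false} when the request is
     *         exempt (safe method, or POST to an excluded path prefix)
     */
    @Override
    public boolean matches(HttpServletRequest request) {
        String method = request.getMethod();

        // The exemption list only ever applies to POST, so check the method once up front.
        if ("POST".equals(method) && execludeUrls != null) {
            // NOTE(review): getServletPath() is empty when the servlet is mapped to "/*";
            // in that case no prefix matches and the request stays protected.
            String servletPath = request.getServletPath();
            if (servletPath != null) {
                for (String prefix : execludeUrls) {
                    // A null or empty entry would match every path and switch CSRF
                    // protection off for all POST requests, so it is ignored.
                    if (prefix == null || prefix.isEmpty()) {
                        continue;
                    }
                    if (servletPath.startsWith(prefix)) {
                        // Raise this logger to FINE to get a record of token-less POSTs.
                        LOG.fine("---------排除掉的post方法--------" + servletPath);
                        return false;
                    }
                }
            }
        }
        return !ALLOWED_METHODS.matcher(method).matches();
    }

    /**
     * Returns the configured exclusion prefixes.
     *
     * @return the list set through {@link #setExecludeUrls(List)}, or {@code null} if unset
     */
    public List<String> getExecludeUrls() {
        return execludeUrls;
    }

    /**
     * Sets the servlet-path prefixes whose POST requests are exempt from CSRF checks.
     *
     * @param execludeUrls path prefixes such as {@code /test/}; {@code null} or an empty list
     *        disables the exemption
     */
    public void setExecludeUrls(List<String> execludeUrls) {
        this.execludeUrls = execludeUrls;
    }
}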
/**
* Revision history
* -------------------------------------------------------------------------
*
* Date Author Note
* -------------------------------------------------------------------------
* 2017年3月15日 baoyou curiousby@163.com creat
*/
web.xml
<!-- Hooks Spring Security into the servlet container. DelegatingFilterProxy looks up a Spring bean named after filter-name, so the name must stay springSecurityFilterChain. NOTE(review): the listener and contextConfigLocation that load spring-security.xml are not shown in this fragment; confirm they exist in the full web.xml. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- /* routes every request through the security filters; which requests are actually protected is decided by the http elements in spring-security.xml. -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>