Chapter 9: Securing Web Applications -- Spring Security Hello World, Annotation-Based Configuration

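Overview:

The previous article covered XML-based configuration; this one continues with configuring Spring Security through JavaConfig.

1. Project structure:


2. Add a controller, HelloController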

package com.jack.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class HelloController {
	
	@RequestMapping(value={"/","/welcome**"}, method=RequestMethod.GET)
	public ModelAndView welcomePage(){
		
		ModelAndView model = new ModelAndView();
		model.addObject("title", "Spring Security Hello World");
		model.addObject("message", "This is welcome page!");
		model.setViewName("hello");
		return model;
	}
	
	@RequestMapping(value ="/admin**", method= RequestMethod.GET)
	public ModelAndView adminPage(){
		ModelAndView model = new ModelAndView();
		model.addObject("title", "SpringSecurity Hello World");
		model.addObject("message", "This is protected page!-Admin Page!");
		model.setViewName("admin");
		
		return model;
	}
	
	@RequestMapping(value="/dba**", method= RequestMethod.GET )
	public ModelAndView dbaPage(){
		
		ModelAndView model = new ModelAndView();
		model.addObject("title", "Spring Security Hello World");
		model.addObject("message", "This is protected page - Database Page!");
		model.setViewName("admin");
		
		return model;
	}
	
}
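3. Configuration classes: Spring MVC, Spring Security, the filter proxy, and the DispatcherServlet, one class for each of the four


DispatcherServlet: simply extend AbstractAnnotationConfigDispatcherServletInitializer. In a Servlet 3.0 environment (that is, Tomcat 7 and above), a class that extends it is discovered automatically and set up as the servlet.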

package com.jack.config;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class SpringMvcInitializer 
	extends AbstractAnnotationConfigDispatcherServletInitializer{

	@Override
	protected Class<?>[] getRootConfigClasses() {
		return new Class[] {AppConfig.class};
	}

	@Override
	protected Class<?>[] getServletConfigClasses() {
		return null;
	}

	@Override
	protected String[] getServletMappings() {
		return new String[] {"/"};
	}

}

Spring MVC:

package com.jack.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;

@EnableWebMvc
@Configuration
@ComponentScan({"com.jack.*"})
@Import({SecurityConfig.class})
public class AppConfig {

	@Bean
	public InternalResourceViewResolver viewResolver(){
		
		InternalResourceViewResolver viewResolver 
			= new InternalResourceViewResolver();
		viewResolver.setViewClass(JstlView.class);
		viewResolver.setPrefix("/WEB-INF/pages/");
		viewResolver.setSuffix(".jsp");
		return viewResolver;
	}
}


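Summary:

1. @EnableWebMvc enables Spring Web MVC.

2. @ComponentScan scans the given packages.

3. @Import imports the given configuration class. It is the link between configuration classes: once AppConfig is loaded, SecurityConfig.class is loaded as well.


Spring Security: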

package com.jack.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity // enable web security
public class SecurityConfig extends WebSecurityConfigurerAdapter{
	
	@Autowired
	public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception{
		auth.inMemoryAuthentication().withUser("jack").password("123456").roles("USER");
		auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN");
		auth.inMemoryAuthentication().withUser("dba").password("123456").roles("DBA");
	}

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		
		http.authorizeRequests()
			.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
			.antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
			.and().formLogin();
	}
	
	

}


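Summary:

1. @EnableWebSecurity enables web security, that is, it marks this class as the Spring Security configuration class.

2. An AuthenticationManagerBuilder is injected to build the username and password policy.

3. Calls are chained with the dot operator; inMemoryAuthentication() means the users are held in memory.

4. antMatchers("/admin/**") uses Ant-style path matching; hasRole('ROLE_ADMIN') is a SpEL expression.

5. formLogin() enables form-based login.

The corresponding XML configuration is as follows: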

<http auto-config="true">
	<intercept-url pattern="/admin**" access="ROLE_ADMIN" />
	<intercept-url pattern="/dba**" access="ROLE_ADMIN,ROLE_DBA" />
</http>

<authentication-manager>
  <authentication-provider>
    <user-service>
	<user name="mkyong" password="123456" authorities="ROLE_USER" />
	<user name="admin" password="123456" authorities="ROLE_ADMIN" />
	<user name="dba" password="123456" authorities="ROLE_DBA" />
    </user-service>
  </authentication-provider>
</authentication-manager>
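
The controller maps `/admin**` and `/dba**`, while the Java configuration protects `/admin/**` and `/dba/**` (the XML version uses `/admin**` and `/dba**`), and these patterns do not cover the same set of paths. The following added example (not part of the original post) compares them with Spring's `AntPathMatcher` over constructed sample paths; the class name `MatcherGapCheck` and the helper `uncovered` are hypothetical, and the plain `AntPathMatcher` is used here as a model of both the MVC handler mapping and the security matcher.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.util.AntPathMatcher;

// Added example: lists request paths that a handler mapping serves
// but that the access rule meant to protect it does not match.
public class MatcherGapCheck {

	private static final AntPathMatcher ANT = new AntPathMatcher();

	// Returns the paths matched by handlerPattern but not by rulePattern.
	static List<String> uncovered(String handlerPattern, String rulePattern,
			List<String> paths) {
		List<String> gaps = new ArrayList<String>();
		for (String path : paths) {
			if (ANT.match(handlerPattern, path) && !ANT.match(rulePattern, path)) {
				gaps.add(path);
			}
		}
		return gaps;
	}

	public static void main(String[] args) {
		// Constructed sample paths, not taken from the original post.
		List<String> paths = Arrays.asList(
				"/admin", "/admin/users", "/adminx", "/admin.html",
				"/dba", "/dba/tables", "/dbaReport");

		// Controller mapping vs. the Java configuration rule.
		System.out.println("/admin** served, /admin/** not applied: "
				+ uncovered("/admin**", "/admin/**", paths));
		System.out.println("/dba** served, /dba/** not applied: "
				+ uncovered("/dba**", "/dba/**", paths));

		// Controller mapping vs. the XML rule, which uses the same pattern.
		System.out.println("/admin** served, XML /admin** not applied: "
				+ uncovered("/admin**", "/admin**", paths));
	}
}
```

Keeping the handler mapping and the access rule on the same pattern removes the difference; another option is to explicitly permit the public pages and end the rule chain with a default such as `anyRequest().authenticated()`.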


4. Configure the filter proxy. This is mandatory: without an interceptor, the security policy is meaningless.

package com.jack.config;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer{

}

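Summary:

Note that this class has no @Component annotation, yet it is still instantiated. This shows that the Servlet container automatically looks for classes that extend AbstractSecurityWebApplicationInitializer and instantiates them.

The interception mapping configured here is the same as the servlet's: "/".

It is equivalent to: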

<filter>
	<filter-name>springSecurityFilterChain</filter-name>
	<filter-class>org.springframework.web.filter.DelegatingFilterProxy
                </filter-class>
</filter>

<filter-mapping>
	<filter-name>springSecurityFilterChain</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
