第二种方法之密码加密
可能有人要问,用户表里面的密码是如何得到的呢?这个密码不是可逆的“加密”,而是经过 MD5 单向散列处理的,并以用户名作为盐值,最后得到 32 个十六进制字符的摘要。具体可以参见下面 applicationContext-Security.xml 中 password-encoder 和 salt-source 的配置。
那么在 Spring Security 3 中是如何处理的呢?当我们设置了 password-encoder 和 salt-source 之后,Spring Security 3 会按配置选用相应的摘要算法(比如 MD5),把密码明文和盐值拼接后计算摘要,形成 32 个十六进制字符的密文。
比如用户名为 yew,密码为 yew1234,盐值为用户名 yew。那么参与散列的字符串为“yew1234{yew}”,摘要就是“8fe2657d1599dba8e78a7a0bda8651bb”。
我们在试验过程中,通常喜欢先将几个常用的用户及密码插入数据库进行试验,这种情况下如何得到该用户的密码密文呢?
不妨试试我这个办法,假设,用户名为user,密码明文为user369,而且在配置文件里面设置了以MD5作为加密算法,并以用户名做为盐值。
那么你可以首先将各个信息组合成待加密的密码明文, 应是 密码明文 + { + 盐值 + }, 那么很明显,上述user的密码明文应当是:
user369{user}
不要把密码(哪怕是测试口令)粘贴到第三方网站去计算:输入的明文会交到网站运营方手里。在本机计算即可,例如 `echo -n 'user369{user}' | md5sum`(注意 -n,否则换行符也会被算进去),或者在代码里调用 `new Md5PasswordEncoder().encodePassword("user369", "user")`,得到的就是 32 个十六进制字符的密码密文。在线 MD5 工具(如原文提到的 http://www.51240.com/md5jiami/ )算出的值相同,但不要把任何真实口令提交给第三方网站。
这个办法只适合生成本地测试数据,不要拿它处理真实用户口令。还要注意:MD5 加“用户名做盐”的方案今天已经不够安全——MD5 算得极快,盐又是可预测的,所以生产环境应该换成 BCrypt 这类带随机盐的慢散列算法。
第二种方法之相关配置
将权限及资源(URL或Action)的关系配置在xml文件中,并且配置与Spring Security3相关的其他配置:
1、applicationContext-Security.xml代码:
xmlns:b ="http://www.springframework.org/schema/beans" xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation ="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd" >
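<http auto-config="true" access-denied-page="/accessDenied.jsp">
    <!-- Static resources skip the whole security filter chain (filters="none"):
         no SecurityContext and no session handling for these requests.
         In the patterns ** spans directories, * does not. -->
    <intercept-url pattern="/**/*.jpg" filters="none" />
    <intercept-url pattern="/**/*.png" filters="none" />
    <!-- TODO(review): the rule that stood here lost its pattern value in the
         listing (presumably a further static extension such as .gif). The
         pattern attribute is mandatory, so the rule is kept as a comment until
         the real value is restored:
         <intercept-url pattern="..." filters="none" /> -->
    <intercept-url pattern="/**/*.css" filters="none" />
    <intercept-url pattern="/**/*.js" filters="none" />
    <!-- Pages that must be reachable before login: the login form, the
         forgot-password page and the invalid-session redirect target (without
         the last one the catch-all rule below would bounce an expired session
         straight back to the login page). -->
    <intercept-url pattern="/login.jsp" filters="none" />
    <intercept-url pattern="/jsp/forgotpassword.jsp" filters="none" />
    <intercept-url pattern="/sessionTimeout.jsp" filters="none" />
    <!-- Action rules: a caller of /unitsManager must hold ROLE_PLATFORMADMIN.
         On login the user's authorities are loaded from the database; on each
         request they are compared with the first rule whose pattern matches
         the URL (rules are tried top to bottom, first match wins). If the
         required authority is missing an AccessDeniedException is raised and
         the caller lands on access-denied-page. -->
    <intercept-url pattern="/unitsManager" access="ROLE_PLATFORMADMIN" />
    <intercept-url pattern="/usersManager" access="ROLE_PLATFORMADMIN" />
    <intercept-url pattern="/horizontalQuery" access="ROLE_PLATFORMADMIN" />
    <intercept-url pattern="/verticalQuery" access="ROLE_PLATFORMADMIN" />
    <!-- Default-deny for everything else. Without this rule every URL not
         listed above (index.jsp, any other Action, ...) was served to
         anonymous callers, because by default a request that matches no
         intercept-url is let through. Must stay the LAST rule.
         IS_AUTHENTICATED_REMEMBERED rather than IS_AUTHENTICATED_FULLY so that
         users re-authenticated by the remember-me cookie below are still
         admitted; use IS_AUTHENTICATED_FULLY on specific sensitive pages. -->
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
    <form-login login-page="/login.jsp"
                authentication-failure-url="/login.jsp?error=true"
                default-target-url="/index.jsp" />
    <!-- "Remember me" with persistent tokens stored in the database
         (needs the persistent_logins table on dataSource). -->
    <remember-me data-source-ref="dataSource" />
    <!-- Requests carrying an invalid (e.g. timed-out) session id are
         redirected here. -->
    <session-management invalid-session-url="/sessionTimeout.jsp" />
</http>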
<!-- The alias lets other beans (e.g. a custom filter) reference the manager
     as "authenticationManager". -->
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsManager">
        <!-- passwordEncoder is the Md5PasswordEncoder bean defined in
             applicationContext.service.xml. The stored value is
             encodePassword(rawPassword, username), i.e. the MD5 digest of
             "rawPassword{username}".
             NOTE(review): the username is a predictable salt that is the same
             in every deployment, so precomputed tables still apply, and
             renaming a user silently invalidates that user's hash. Prefer a
             random per-user salt stored in its own column (exposed as a
             UserDetails property and referenced here via user-property) or,
             on Spring Security 3.1+, BCryptPasswordEncoder, which salts
             internally and needs no salt-source. Either change requires
             re-hashing the existing passwords. -->
        <password-encoder ref="passwordEncoder">
            <salt-source user-property="username" />
        </password-encoder>
    </authentication-provider>
</authentication-manager>
</ b:beans >
2、applicationContext.service.xml:
xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util ="http://www.springframework.org/schema/util"
xmlns:jee ="http://www.springframework.org/schema/jee"
xmlns:aop ="http://www.springframework.org/schema/aop"
xmlns:tx ="http://www.springframework.org/schema/tx"
xmlns:context ="http://www.springframework.org/schema/context"
xsi:schemaLocation ="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/jee
http://www.springframework.org/schema/jee/spring-jee-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd" >
<!-- Localised (zh_CN) versions of the messages Spring Security puts into its
     exceptions and events. -->
<bean id="messageSource"
      class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
    <property name="basename"
              value="classpath:org/springframework/security/messages_zh_CN" />
</bean>
<!-- Logs Spring Security application events.
     NOTE(review): the class configured here is the listener from the
     ...authentication.event package, which logs authentication events
     (login success / failure). The events named in the original comment
     (AuthenticationCredentialsNotFoundEvent, AuthorizationFailureEvent,
     AuthorizedEvent, PublicInvocationEvent) appear to be the ones handled by
     org.springframework.security.access.event.LoggerListener instead; register
     that one as well if authorization decisions should be logged. -->
<bean class="org.springframework.security.authentication.event.LoggerListener" />
<!-- One-way MD5 digest of passwords (a hash, not reversible encryption: there
     is no "decrypt"). The authentication provider re-hashes the submitted
     password with the salt from salt-source and compares the two digests.
     NOTE(review): MD5 with the username as salt is a weak scheme - fast to
     brute-force and with a predictable salt. Kept as-is only because every
     stored hash depends on it; plan a migration to BCryptPasswordEncoder
     (Spring Security 3.1+) or at least ShaPasswordEncoder(256) with a random
     per-user salt, re-hashing each password at next login or on reset. -->
<bean id="passwordEncoder"
      class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
<!-- Loads users and their authorities from the default users/authorities
     tables on dataSource and caches the loaded UserDetails.
     NOTE(review): despite the original comment, group support is not enabled
     here (no enableGroups property is set). Also, the cache holds the password
     hash and enabled flag, so rows edited directly in the database (as the
     text above recommends for test accounts) are not seen until the cached
     entry expires or is evicted; the manager's own update/delete calls are
     expected to evict the entry themselves. -->
<bean id="userDetailsManager"
      class="org.springframework.security.provisioning.JdbcUserDetailsManager">
    <property name="dataSource" ref="dataSource" />
    <property name="userCache" ref="userCache" />
</bean>
<!-- Ehcache-backed UserDetails cache using the "userCache" region of the
     default CacheManager (presumably configured by an ehcache.xml on the
     classpath, else Ehcache's built-in defaults). Entries outlive changes made
     directly in the user table, so keep the region's TTL short. -->
<bean id="userCache"
      class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
    <property name="cache" ref="userEhCache" />
</bean>
<bean id="userEhCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheName" value="userCache" />
    <property name="cacheManager" ref="cacheManager" />
</bean>
<!-- Shared Ehcache CacheManager that owns the region above. -->
<bean id="cacheManager"
      class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
<!-- Plain Spring JDBC template on the same dataSource (part of Spring JDBC,
     not of Spring Security); presumably used by the application's own data
     access code. -->
<bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate">
    <property name="dataSource" ref="dataSource" />
</bean>
</ beans >
3、web.xml:
xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation ="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" >
<!-- log4j: the web-app root directory is published under the key "log.root"
     (a JVM system property, so it must be unique per web app deployed in the
     same container), allowing log4j.properties to use ${log.root} in file
     paths. -->
<context-param>
    <param-name>webAppRootKey</param-name>
    <param-value>log.root</param-value>
</context-param>
<!-- Location of the log4j configuration file. -->
<context-param>
    <param-name>log4jConfigLocation</param-name>
    <param-value>classpath:/log4j.properties</param-value>
</context-param>
<!-- Re-read log4j.properties every 60 s (value in milliseconds). -->
<context-param>
    <param-name>log4jRefreshInterval</param-name>
    <param-value>60000</param-value>
</context-param>
<!-- Spring listener that bootstraps log4j from the parameters above. -->
<listener>
    <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<!-- Spring XML configuration loaded at startup.
     NOTE(review): the original comment said applicationContext-security.xml
     is "not added yet", but the wildcard /WEB-INF/applicationContext*.xml
     already matches it (and applicationContext.service.xml), so the security
     configuration is loaded. Mind the file name's case: the listing calls the
     file applicationContext-Security.xml; the glob matches either spelling on
     a case-sensitive file system, an explicit path would not. -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/applicationContext*.xml,
        classpath*:applicationContext.xml
    </param-value>
</context-param>
<!-- Builds the root ApplicationContext from the files above when the web
     container starts; the springSecurityFilterChain bean is looked up in it. -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Forces the request/response character encoding to GBK so Chinese form
     data is decoded correctly. Filter mappings run in declaration order, so
     this must stay before springSecurityFilterChain: the credentials read from
     the login form by the security filter need the encoding applied first. -->
<filter>
    <filter-name>characterEncodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>gbk</param-value>
    </init-param>
    <init-param>
        <!-- Apply the encoding to both request and response, overriding any
             charset the client sent. NOTE(review): Spring's property is
             conventionally spelled forceEncoding; verify the capitalised form
             is actually applied, otherwise the response encoding is not
             forced. -->
        <param-name>ForceEncoding</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>characterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring Security 3.0.2 filter chain. DelegatingFilterProxy forwards to the
     Spring bean named after the filter ("springSecurityFilterChain", the name
     the <http> element registers), so the filter-name must not be changed.
     Mapped to /* and declared before the Struts2 filter, so the intercept-url
     rules are enforced before any Action runs. Only REQUEST dispatches are
     filtered (no <dispatcher> elements), so server-side forwards to JSPs are
     not re-checked; they are trusted because the originating request already
     was. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Struts2 front controller (StrutsPrepareAndExecuteFilter). Must be mapped
     after springSecurityFilterChain so that authorization runs first. -->
<filter>
    <filter-name>struts2</filter-name>
    <filter-class>
        org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter
    </filter-class>
</filter>
<!-- Every request path goes through Struts2. -->
<filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ActionContextCleanUp: keeps the Struts ActionContext alive across the
     filter chain so that filters after it can use it.
     NOTE(review): it does not fix character encoding (that is
     characterEncodingFilter's job), and as configured it is mapped AFTER the
     Struts2 dispatcher, where it appears to have no effect - it is meant to
     precede the Struts filter. With StrutsPrepareAndExecuteFilter it is
     documented as superseded anyway; confirm and either drop it or move its
     mapping above the struts2 mapping. -->
<filter>
    <filter-name>struts-cleanup</filter-name>
    <filter-class>
        org.apache.struts2.dispatcher.ActionContextCleanUp
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>struts-cleanup</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Flushes the JavaBeans Introspector cache on shutdown so redeploying this
     web app does not leak its class loader. -->
<listener>
    <listener-class>
        org.springframework.web.util.IntrospectorCleanupListener
    </listener-class>
</listener>
<!-- Container session timeout, 20 minutes. After it expires the next request
     carries a stale JSESSIONID and Spring Security's session-management sends
     the user to /sessionTimeout.jsp.
     NOTE(review): web-app 2.5 has no <cookie-config>, so the HttpOnly / Secure
     flags on the session cookie have to be set at container level (or by
     moving to Servlet 3.0); verify they are, since the session cookie is the
     authentication token here. -->
<session-config>
    <session-timeout>20</session-timeout>
</session-config>
<!-- The login page is the welcome file. -->
<welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
</welcome-file-list>
</ web-app >