I am using spring-security on top of a spring-mvc application. A few points about the application I am working on:
userDetailsService() and UserDetails(), not AuthenticationManager / provider.
The current situation:
security-context.xml
    <import resource="servlet-context.xml" />

    <!-- Global Security settings -->
    <security:global-method-security pre-post-annotations="enabled" />

    <!-- Spring Security framework settings -->
    <security:http pattern="/users" use-expressions="true" auto-config="true" disable-url-rewriting="true" entry-point-ref="formAuthenticationEntryPoint">
        <security:session-management>
            <security:concurrency-control max-sessions="5" error-if-maximum-exceeded="false"/>
        </security:session-management>
        <security:intercept-url pattern="/*" requires-channel="any" access="permitAll" />
        <security:intercept-url pattern="/**" requires-channel="any" access="permitAll" />
    </security:http>

    <!-- queries to be run on data -->
    <beans:bean id="formAuthenticationEntryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
    <bean id="LoginServiceImplementation" class="com.WirTauschen.service.LoginServiceImpl"></bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="userDetailsService" />
    </security:authentication-manager>
</beans>
LoginServiceImpl:
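import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service("userDetailsService")
public class LoginServiceImpl implements UserDetailsService {

    @Autowired private UserDao userDao;
    @Autowired private Assembler assembler;

    @Override
    @Transactional
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userDao.findByName(username);
        if (user == null) {
            // Never specify which one it was exactly
            throw new UsernameNotFoundException("Wrong username or password");
        }
        return assembler.buildUserFromUserEntity(user);
    }
}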
Login form (part of the homepage HTML code, included in user.jsp):
<nav class="col-lg-5 col-md-5 col-sm-5">
  <ul class="pull-right">
    <li class="purple"><a href="#"><i class="icons icon-user-3"></i> Login</a>
      <ul id="login-dropdown" class="box-dropdown">
        <li>
          <form id="form" action="<c:url value='/login'/>" method="POST">
            <div class="box-wrapper">
              <h4>LOGIN</h4>
              <div class="iconic-input">
                <input type="text" placeholder="Username" name="username" id="username" value="">
                <i class="icons icon-user-3"></i>
              </div>
              <div class="iconic-input">
                <input type="password" placeholder="Password" name="password" id="password" value="">
                <i class="icons icon-lock"></i>
              </div>
              <input type="checkbox" id="loginremember"> <label for="loginremember">Remember me</label>
              <br>
              <br>
              <div class="pull-left">
                <input name="submit" type="submit" class="orange" value="Login">
              </div>
              <div class="pull-right">
                <a href="#">Forgot your password?</a>
                <br>
                <a href="#">Forgot your username?</a>
                <br>
              </div>
              <br class="clearfix">
            </div>
            <div class="footer">
              <h4 class="pull-left">NEW CUSTOMER?</h4>
              <a class="button pull-right" href="create_an_account.html">Create an account</a>
            </div>
          </form>
        </li>
      </ul>
    </li>
    <li><a href="#"><i class="icons icon-lock"></i> Create an Account</a></li>
  </ul>
</nav>
Form login from security-applicationContext.xml:
<security:form-login login-page="/users" default-target-url="/users"/>
I would be glad if you could help. I never heard that Spring Security would be just torture.
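Update
You have to understand how Spring works: the client tries to access a protected resource (for example, the users page); if he is not logged in yet, he is redirected (Spring redirects him) to the login page.
In your Spring beans.xml, you declare what the login page is. If you put "/login.html" there, you must make sure you have such a page with a login form. After the user logs in, Spring will redirect him back to /users.
Makes sense?
Update II
You can make the login page (like Amazon...) a public page (e.g. index.html), meaning the user can see it without logging in. Then, there are links there to "protected resources", and if the user tries to click one and get a protected resource, Spring will redirect him to the login page. If you want to do this, you put your "protected resources" under a specific directory (e.g. /secure), where you will have all the protected resources: HTML / JSP / etc. You can configure it in beans.xml (note that the "welcome" page is not secured; everyone can see it without logging in):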
<sec:http pattern="/welcome" security="none" />
<sec:http authentication-manager-ref="authenticationManager">
    <sec:intercept-url pattern="/secure/**" access="ROLE_USER" />
</sec:http>
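The layout described in the answer, written out in full against the question's login form. This is an added example, not code from the original posts or the asker's project; it assumes Spring Security 3.1 or later with the namespace bound to the `security` prefix. The `/welcome` and `/secure/**` paths come from the answer, and the `/login` action and the `username` / `password` field names come from the form in the question.

```xml
<!-- Added example: assumes the Spring Security 3.1+ XML namespace and the
     userDetailsService bean shown in the question. -->

<!-- Public page: no security filters are applied to it -->
<security:http pattern="/welcome" security="none" />

<!-- Before (from the question): both rules grant permitAll, so no URL ever
     demands a login, and the pattern="/users" attribute limits the filter
     chain to that single path:
       <security:intercept-url pattern="/*"  access="permitAll" />
       <security:intercept-url pattern="/**" access="permitAll" />
-->

<!-- After: no pattern attribute, so this chain handles every remaining URL,
     including the POST to /login. entry-point-ref is left out so that
     form-login supplies the entry point that redirects to login-page. -->
<security:http use-expressions="true" disable-url-rewriting="true">
    <!-- The page carrying the login form must stay reachable anonymously -->
    <security:intercept-url pattern="/users" access="permitAll" />
    <!-- Everything under /secure requires an authenticated ROLE_USER -->
    <security:intercept-url pattern="/secure/**" access="hasRole('ROLE_USER')" />

    <!-- login-processing-url and the parameter names match the form in user.jsp -->
    <security:form-login
        login-page="/users"
        login-processing-url="/login"
        username-parameter="username"
        password-parameter="password"
        default-target-url="/users" />

    <security:session-management>
        <security:concurrency-control max-sessions="5" error-if-maximum-exceeded="false" />
    </security:session-management>
</security:http>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userDetailsService" />
</security:authentication-manager>
```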