SpringSecurity学习二----------实现自定义登录界面

© 版权声明：本文为博主原创文章，转载请注明出处

1.项目结构

2.pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
	
	<modelVersion>4.0.0</modelVersion>
	
	<groupId>org.springsecurity</groupId>
	<artifactId>SpringSecurity</artifactId>
	<packaging>war</packaging>
	<version>0.0.1-SNAPSHOT</version>
	<name>SpringSecurity Maven Webapp</name>
	<url>http://maven.apache.org</url>
	
	<!-- 统一版本 -->
	<properties>
		<jdk.version>1.7</jdk.version>
		<spring.version>4.3.5.RELEASE</spring.version>
		<spring.security.version>4.2.1.RELEASE</spring.security.version>
	</properties>
	
	<dependencies>
		<!-- junit依赖 -->
		<dependency>
			<groupId>junit</groupId>
			<artifactId>junit</artifactId>
			<version>4.12</version>
			<scope>test</scope>
		</dependency>
		<!-- spring依赖 -->
		<dependency>
		    <groupId>org.springframework</groupId>
		    <artifactId>spring-core</artifactId>
		    <version>${spring.version}</version>
		</dependency>
		<dependency>
		    <groupId>org.springframework</groupId>
		    <artifactId>spring-web</artifactId>
		    <version>${spring.version}</version>
		</dependency>
		<dependency>
		    <groupId>org.springframework</groupId>
		    <artifactId>spring-webmvc</artifactId>
		    <version>${spring.version}</version>
		</dependency>
		<!-- spring security依赖 -->
		<dependency>
		    <groupId>org.springframework.security</groupId>
		    <artifactId>spring-security-web</artifactId>
		    <version>${spring.security.version}</version>
		</dependency>
		<dependency>
		    <groupId>org.springframework.security</groupId>
		    <artifactId>spring-security-config</artifactId>
		    <version>${spring.security.version}</version>
		</dependency>
		<!-- jsp、servlet依赖 -->
		<dependency>
		    <groupId>jstl</groupId>
		    <artifactId>jstl</artifactId>
		    <version>1.2</version>
		</dependency>
		<dependency>
		    <groupId>taglibs</groupId>
		    <artifactId>standard</artifactId>
		    <version>1.1.2</version>
		</dependency>
		<dependency>
		    <groupId>javax.servlet</groupId>
		    <artifactId>javax.servlet-api</artifactId>
		    <version>3.1.0</version>
		</dependency>
	</dependencies>
	<build>
	  <finalName>SpringSecurity</finalName>
	</build>
</project>

3.mvc-dispatcher-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd">

	<!-- 开启包扫描 -->
	<context:component-scan base-package="org.springsecurity.*"/>
	
	<!-- 定义视图解析器 -->
	<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
		<property name="prefix">
			<value>/WEB-INF/pages/</value>
		</property>
		<property name="suffix">
			<value>.jsp</value>
		</property>
	</bean>
        
</beans>

4.spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
        
    <security:http auto-config="true">
    	<!-- 指定需要拦截的URL，并设置访问所需的角色 -->
    	<security:intercept-url pattern="/admin**" access="hasRole('ROLE_USER')"/>
    	<!-- login-page:用来显示自定义登录表单的页面（修订①）
    		default-target-url:指定身份验证通过后默认展示的页面（修订②）
    		authentication-failure-url:如果验证失败，则转向URL
    		username-parameter:表示登录时用户使用的是哪个参数，即用户名输入框的name
    		password-parameter:表示登录时密码使用的是哪个参数，即密码输入框的name
    		 -->
    	<security:form-login login-page="/login" default-target-url="/welcome" 
    		authentication-failure-url="/login?error" username-parameter="username"
    		password-parameter="password"/>
    	<!-- 开启csrf，在登录或注销页面都必须包含_csrf.token -->
    	<security:csrf/>
    </security:http>
    
    <security:authentication-manager>
    	<security:authentication-provider>
			<security:user-service>
				<!-- 设置用户的密码和角色 -->
				<security:user name="admin" password="123456" authorities="ROLE_USER" />
			</security:user-service>    	
    	</security:authentication-provider>
    </security:authentication-manager>
    
</beans>

5.web.xml

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                      http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
  	version="3.0" metadata-complete="true">
  	
  	<!-- Spring MVC -->
  	<servlet>
  		<servlet-name>mvc-dispatcher</servlet-name>
  		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  		<init-param>
  			<param-name>contextConfigLocation</param-name>
  			<param-value>classpath:mvc-dispatcher-servlet.xml</param-value>
  		</init-param>
  	</servlet>
  	<servlet-mapping>
  		<servlet-name>mvc-dispatcher</servlet-name>
  		<url-pattern>/</url-pattern>
  	</servlet-mapping>
  	
  	<listener>
  		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  	</listener>
  	
  	<!-- 加载spring-security配置文件 -->
  	<context-param>
  		<param-name>contextConfigLocation</param-name>
  		<param-value>classpath:spring-security.xml</param-value>
  	</context-param>
  	
  	<!-- spring security -->
  	<filter>
  		<filter-name>springSecurityFilterChain</filter-name>
  		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  	</filter>
  	<filter-mapping>
  		<filter-name>springSecurityFilterChain</filter-name>
  		<url-pattern>/*</url-pattern>
  	</filter-mapping>
  	
</web-app>

6.HelloController.java

package org.springsecurity.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class HelloController {

	@RequestMapping(value = {"/", "/welcome**"}, method = RequestMethod.GET)
	public ModelAndView welcomePage() {
		
		ModelAndView model = new ModelAndView();
		model.addObject("title", "Spring Security Hello World");
		model.addObject("message", "This is welcome page!");
		model.setViewName("hello");
		return model;
		
	}
	
	@RequestMapping(value = "/admin**", method = RequestMethod.GET)
	public ModelAndView adminPage() {
		
		ModelAndView model = new ModelAndView();
		model.addObject("title", "Spring Security Hello World");
		model.addObject("message", "This is protected page!");
		model.setViewName("admin");
		return model;
		
	}
	
	@RequestMapping(value = "/login", method = RequestMethod.GET)
	public ModelAndView login(
			@RequestParam(value = "error", required = false) String error,
			@RequestParam(value = "logout", required = false) String logout) {
		
		ModelAndView model = new ModelAndView();
		if(error != null){
			model.addObject("error", "违法的用户名或密码！");
		}
		if(logout != null){
			model.addObject("msg", "您已成功注销！");
		}
		model.setViewName("login");
		return model;
		
	}
	
}

7.hello.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
	<h1>标题：${title }</h1>
	<h2>消息：${message }</h2>
</body>
</html>

8.admin.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
	<h1>标题：${title }</h1>
	<h2>消息：${message }</h2>
	
	<!-- 隐藏域，用于提交注销请求 -->
	<c:url value="/logout" var="logoutUrl"/>
	<!-- 假设注销请求是*，若*=logout（即等于默认的注销拦截URL）,则实际请求是/login?logout
		若*!=logout,则实际请求是/*。具体原因未知。。 -->
	<form action="${logoutUrl }" method="POST" id="logoutForm">
		<!-- 开启csrf后必须包含_csrf.token,否则报错：
			403 Could not verify the provided CSRF token because your session was not found -->
		<input type="hidden" name="${_csrf.parameterName }" value="${_csrf.token }">
	</form>
	
	<c:if test="${pageContext.request.userPrincipal.name != null }">
		<h2>欢迎：${pageContext.request.userPrincipal.name } 
		| <a href="javascript:formSubmit()">Logout</a></h2>
	</c:if>
</body>
<script type="text/javascript">

	function formSubmit(){//提交注销请求表单
		
		document.getElementById("logoutForm").submit();
		
	}

</script>
</html>

9.login.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body onload="focus()">
	<h1>Spring Security 自定义登录界面</h1>
	<div id="login-box">
		<c:if test="${not empty error }">
			<div class="error"><font color="red">${error }</font><br/><br/></div>
		</c:if>
		<c:if test="${not empty msg }">
			<div class="msg"><font color="red">${msg }</font><br/><br/></div>
		</c:if>
		<!-- SpringSecurity3.x默认的登录拦截URL是/j_spring_security_check；
			4.x默认的登录拦截URL是/login -->
		<form name="loginForm" action="<c:url value='/login'/>" method="POST">
			<table>
				<tr>
					<td>用户名：</td>
					<!-- name必须与spring-security.xml中配置的username-parameter一致，否则登录认证会失败 -->
					<td><input type="text" name="username"/></td>
				</tr>
				<tr>
					<td>密码：</td>
					<!-- name必须与spring-security.xml中配置的password-parameter一致，否则登录认证会失败 -->
					<td><input type="password" name="password"></td>
				</tr>
				<tr style="text-align: center;" >
					<td colspan="2">
						<input type="reset" value="重置"/>
						<input type="submit" value="登录"/>
					</td>
				</tr>
			</table>
			<!-- 开启csrf后必须包含_csrf.token,否则报错：
				403 Could not verify the provided CSRF token because your session was not found -->
			<input type="hidden" name="${_csrf.parameterName }" value="${_csrf.token }"/>
		</form>
	</div>
</body>
<script type="text/javascript">
	
	function focus(){//设置加载时鼠标焦点
		
		document.loginForm.username.focus();
		
	}

</script>
</html>

10.效果预览

　　10.1 无需访问权限

　　

　　10.2 需要访问权限（自定义登录界面）

　　

　　10.3 登录失败

　　

　　10.4 登录成功

　　

　　10.5 注销

　　

　　修订： ① login-page:并非是用来显示自定义登录表单的页面，而是被拦截后执行的请求。

　　　　　 ② default-target-url:并非是身份验证通过后默认展示的页面，而是身份验证通过后执行的请求。

 　　参考：http://www.yiibai.com/spring-security/spring-security-form-login-example.html