SpringSecurity学习三----------通过Security标签库简单显示视图

© 版权声明：本文为博主原创文章，转载请注明出处

1.项目结构

2.pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    
    <modelVersion>4.0.0</modelVersion>
    
    <groupId>org.springsecurity</groupId>
    <artifactId>SpringSecurity</artifactId>
    <packaging>war</packaging>
    <version>0.0.1-SNAPSHOT</version>
    <name>SpringSecurity Maven Webapp</name>
    <url>http://maven.apache.org</url>
    
    <!-- 统一版本 -->
    <properties>
        <jdk.version>1.7</jdk.version>
        <spring.version>4.3.5.RELEASE</spring.version>
        <spring.security.version>4.2.1.RELEASE</spring.security.version>
    </properties>
    
    <dependencies>
        <!-- junit依赖 -->
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
            <scope>test</scope>
        </dependency>
        <!-- spring依赖 -->
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-core</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-web</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <!-- spring security依赖 -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <!-- SpringSecurity标签库依赖 -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <!-- jsp、servlet依赖 -->
        <dependency>
            <groupId>jstl</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
        </dependency>
        <dependency>
            <groupId>taglibs</groupId>
            <artifactId>standard</artifactId>
            <version>1.1.2</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>3.1.0</version>
        </dependency>
    </dependencies>
    <build>
      <finalName>SpringSecurity</finalName>
    </build>
</project>

3.mvc-dispatcher-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- 开启包扫描 -->
    <context:component-scan base-package="org.springsecurity.*"/>
    
    <!-- 定义视图解析器 -->
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix">
            <value>/WEB-INF/pages/</value>
        </property>
        <property name="suffix">
            <value>.jsp</value>
        </property>
    </bean>
        
</beans>

4.spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
        
    <security:http auto-config="true">
        <!-- 指定需要拦截的URL，并设置访问所需的角色 -->
        <security:intercept-url pattern="/" 
            access="hasRole('USER') or hasRole('ADMIN') or hasRole('DBA')"/>
        <!-- 测试中发现SpringSecurity会自动在角色名称前加上ROLE_。即ROLE_USER == USER -->
           <security:intercept-url pattern="/home**" 
            access="hasRole('USER') or hasRole('ADMIN')or hasRole('DBA')"/>
        <!-- login-page:跳转到登录界面的请求名称
            default-target-url:指定身份验证通过后默认执行的请求名称
            authentication-failure-url:如果验证失败，则转向URL
            username-parameter:表示登录时用户使用的是哪个参数，即用户名输入框的name
            password-parameter:表示登录时密码使用的是哪个参数，即密码输入框的name
             -->
        <security:form-login login-page="/login" default-target-url="/home" 
            authentication-failure-url="/login?error" username-parameter="username"
            password-parameter="password"/>
        <!-- 开启csrf，在登录或注销页面都必须包含_csrf.token -->
        <security:csrf/>
    </security:http>
    
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <!-- 设置用户的密码和角色，authorities指定角色必须加上ROLE_，否则会报错403：Access is denied -->
                <security:user name="admin" password="123456" authorities="ROLE_ADMIN" />
                <security:user name="user" password="123456" authorities="ROLE_USER" />
                <security:user name="dba" password="123456" authorities="ROLE_DBA" />
            </security:user-service>        
        </security:authentication-provider>
    </security:authentication-manager>
    
</beans>

5.web.xml

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                      http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
      version="3.0" metadata-complete="true">
      
      <!-- Spring MVC -->
      <servlet>
          <servlet-name>mvc-dispatcher</servlet-name>
          <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
          <init-param>
              <param-name>contextConfigLocation</param-name>
              <param-value>classpath:mvc-dispatcher-servlet.xml</param-value>
          </init-param>
      </servlet>
      <servlet-mapping>
          <servlet-name>mvc-dispatcher</servlet-name>
          <url-pattern>/</url-pattern>
      </servlet-mapping>
      
      <listener>
          <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
      
      <!-- 加载spring-security配置文件 -->
      <context-param>
          <param-name>contextConfigLocation</param-name>
          <param-value>classpath:spring-security.xml</param-value>
      </context-param>
      
      <!-- spring security -->
      <filter>
          <filter-name>springSecurityFilterChain</filter-name>
          <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
      </filter-mapping>
      
</web-app>

6.HelloController.java

package org.springsecurity.controller;

import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class HelloController {

    @RequestMapping(value = {"/", "/home**"}, method = RequestMethod.GET)
    public ModelAndView welcomePage() {
        
        ModelAndView model = new ModelAndView();
        model.addObject("user", getPrincipal());
        model.setViewName("success");
        return model;
        
    }
    
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public ModelAndView login(
            @RequestParam(value = "error", required = false) String error,
            @RequestParam(value = "logout", required = false) String logout) {
        
        ModelAndView model = new ModelAndView();
        if(error != null){
            model.addObject("error", "违法的用户名或密码！");
        }
        if(logout != null){
            model.addObject("msg", "您已成功注销！");
        }
        model.setViewName("login");
        return model;
        
    }
    
    private String getPrincipal() {
        
        String username = null;
        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        if(principal instanceof UserDetails) {
            username = ((UserDetails) principal).getUsername();
        } else {
            username = principal.toString();
        }
        return username;
        
    }
    
}

7.login.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body onload="focus()">
    <h1>Spring Security 自定义登录界面</h1>
    <div id="login-box">
        <c:if test="${not empty error }">
            <div class="error"><font color="red">${error }</font><br/><br/></div>
        </c:if>
        <c:if test="${not empty msg }">
            <div class="msg"><font color="red">${msg }</font><br/><br/></div>
        </c:if>
        <!-- SpringSecurity3.x默认的登录拦截URL是/j_spring_security_check；
            4.x默认的登录拦截URL是/login -->
        <form name="loginForm" action="<c:url value='/login'/>" method="POST">
            <table>
                <tr>
                    <td>用户名：</td>
                    <!-- name必须与spring-security.xml中配置的username-parameter一致，否则登录认证会失败 -->
                    <td><input type="text" name="username"/></td>
                </tr>
                <tr>
                    <td>密码：</td>
                    <!-- name必须与spring-security.xml中配置的password-parameter一致，否则登录认证会失败 -->
                    <td><input type="password" name="password"></td>
                </tr>
                <tr style="text-align: center;" >
                    <td colspan="2">
                        <input type="reset" value="重置"/>
                        <input type="submit" value="登录"/>
                    </td>
                </tr>
            </table>
            <!-- 开启csrf后必须包含_csrf.token,否则报错：
                403 Could not verify the provided CSRF token because your session was not found -->
            <input type="hidden" name="${_csrf.parameterName }" value="${_csrf.token }"/>
        </form>
    </div>
</body>
<script type="text/javascript">
    
    function focus(){//设置加载时鼠标焦点
        
        document.loginForm.username.focus();
        
    }

</script>
</html>

8.success.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
    Dear <strong>${user }</strong>, Welcome to Home Page.
    <a href="javascript:formSubmit()">Logout</a>
    
    <!-- 隐藏域，用于提交注销请求 -->
    <c:url value="/logout" var="logoutUrl"/>
    <!-- 假设注销请求是*，若*=logout（即等于默认的注销拦截URL）,则实际请求是/login?logout
        若*!=logout,则实际请求是/*。具体原因未知。。 -->
    <form action="${logoutUrl }" method="POST" id="logoutForm">
        <!-- 开启csrf后必须包含_csrf.token,否则报错：
            403 Could not verify the provided CSRF token because your session was not found -->
        <input type="hidden" name="${_csrf.parameterName }" value="${_csrf.token }">
    </form>
    
    <br/><br/>
    This part is visible to Everyone.
    <sec:authorize access="hasRole('USER')"><!-- USER角色专有 -->
        This part is visible to <font color="red">USER</font>.
    </sec:authorize>
    <sec:authorize access="hasRole('ADMIN')"><!-- ADMIN角色专有 -->
        This part is visible to <font color="red">ADMIN</font>.
    </sec:authorize>
    <sec:authorize access="hasRole('DBA')"><!-- DBA角色专有 -->
        This part is visible to <font color="red">DBA</font>.
    </sec:authorize>
</body>
<script type="text/javascript">

    function formSubmit(){//提交注销请求表单
        
        document.getElementById("logoutForm").submit();
        
    }

</script>
</html>

9.效果预览

　　9.1 登录界面

　　

　　9.2 ADMIN角色登录

　　

 　　9.3 DBA角色登录

　　

　　9.4 USER角色登录

　　

 　　参考：http://www.yiibai.com/spring-security/spring-security-4-secure-view-layer-using-taglibs.html