我在spring-mvc应用程序之上使用spring-security。关于我正在开发的应用程序的几点。
userDetailsService()和UserDetails()代替AuthenticationManager / provider 现状:
安全context.xml中
<import resource="servlet-context.xml" />
<!-- Global Security settings -->
<security:global-method-security pre-post-annotations="enabled" />
<!-- Spring Security framework settings -->
<security:http pattern="/users" use-expressions="true" auto-config="true" disable-url-rewriting="true" entry-point-ref="formAuthenticationEntryPoint">
<security:session-management>
<security:concurrency-control max-sessions="5" error-if-maximum-exceeded="false"/>
</security:session-management>
<security:intercept-url pattern="/*" requires-channel="any" access="permitAll" />
<security:intercept-url pattern="/**" requires-channel="any" access="permitAll" />
</security:http>
<!-- queries to be run on data -->
<beans:bean id="formAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<bean id="LoginServiceImplementation" class="com.WirTauschen.service.LoginServiceImpl"></bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="userDetailsService" />
</security:authentication-manager>
</beans>
LoginServiceImpl:
@Service("userDetailsService")
public class LoginServiceImpl implements UserDetailsService{
@Autowired private UserDao userDao;
@Autowired private Assembler assembler;
@Override
@Transactional
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
UserDetails userDetails = null;
User user = userDao.findByName(username);
if(user == null) { throw new UsernameNotFoundException("Wrong username or password");} //Never specify which one was it exactly
return assembler.buildUserFromUserEntity(user);
}
}
登录表单(包含在user.jsp中的hompage HTML代码的一部分)
<nav class="col-lg-5 col-md-5 col-sm-5">
<ul class="pull-right">
<li class="purple"><a href="#"><i class="icons icon-user-3"></i> Login</a>
<ul id="login-dropdown" class="box-dropdown">
<li>
<form id="form" action="<c:url value='/login'/>" method="POST">
<div class="box-wrapper">
<h4>LOGIN</h4>
<div class="iconic-input">
<input type="text" placeholder="Username" name="username" id="username" value="">
<i class="icons icon-user-3"></i>
</div>
<div class="iconic-input">
<input type="password" placeholder="Password" name="password" id="password" value="">
<i class="icons icon-lock"></i>
</div>
<input type="checkbox" id="loginremember"> <label for="loginremember">Remember me</label>
<br>
<br>
<div class="pull-left">
<input name="submit" type="submit" class="orange" value="Login">
</div>
<div class="pull-right">
<a href="#">Forgot your password?</a>
<br>
<a href="#">Forgot your username?</a>
<br>
</div>
<br class="clearfix">
</div>
<div class="footer">
<h4 class="pull-left">NEW CUSTOMER?</h4>
<a class="button pull-right" href="create_an_account.html">Create an account</a>
</div>
</form>
</li>
</ul>
</li>
<li><a href="#"><i class="icons icon-lock"></i> Create an Account</a></li>
</ul>
</nav>
从security-applicationContext.xml
表单登录 <security:form-login login-page="/users" default-target-url="/users"/>
任何帮助都会很好。从来不知道春天安全只会是折磨。
答案 0 :(得分:1)
<强>更新
您必须了解Spring的工作原理:客户端尝试访问受保护的资源(例如,用户页面);如果他还没有登录,他将被重定向(Spring重定向他)到登录页面。
在Spring beans.xml中,您声明了您的登录页面。如果你放在那里&#34; /login.html" ;,你必须确保你有这种页面,登录表格。用户登录后,Spring会将他重定向回/ users。
有道理吗?
更新II
你可以(像亚马逊......)制作一个公开的登陆页面(例如index.html),这意味着用户可以在不登录的情况下看到它。然后,那里有链接到受保护的资源&#39 ;,如果用户尝试单击它并获取受保护资源,Spring会将其重定向到登录页面。如果你想这样做,你会把你的“受保护资源”放在那里。在特定目录下(例如/ secure),你可以放置所有的 c 资源HTML / JSP /等。您可以在beans.xml中对此进行配置:(请注意,欢迎&#39;页面是非安全的,每个人都可以在不登录的情况下看到它)
<sec:http pattern="/welcome" security="none" />
<sec:http authentication-manager-ref="authenticationManager">
<sec:intercept-url pattern="/secure/**" access="ROLE_USER" />