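Copyright notice: This is an original article by the blogger and may not be reproduced without the blogger's permission. https://blog.csdn.net/qq_39766167/article/details/84635405
1. Introduction to Spring Security
Spring Security is a security framework that provides a declarative access-control solution for Spring-based enterprise applications. It supplies a set of beans that can be configured in the Spring application context and makes full use of Spring's IoC (Inversion of Control), DI (Dependency Injection) and AOP (Aspect-Oriented Programming) features to give applications declarative access control, reducing the amount of repetitive security code that has to be written for enterprise systems.
2. Flow
3. Integrating Spring Security with Spring
1) Add the Spring Security dependencies to the web project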
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
</dependency>
2) Create the Spring Security configuration file
Add src\main\resources\spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
    <!-- Page interception rules: these patterns bypass the security filter chain entirely -->
    <http pattern="/login.html" security="none"/>
    <http pattern="/css/**" security="none"/>
    <http pattern="/img/**" security="none"/>
    <http pattern="/js/**" security="none"/>
    <http pattern="/plugins/**" security="none"/>
    <http use-expressions="false">
        <!-- Users with the USER role can access everything -->
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <!-- Form login settings -->
        <!--<form-login/>-->
        <form-login login-page="/login.html" default-target-url="/admin/index.html"
            authentication-failure-url="/login.html" always-use-default-target="true"/>
        <!-- Disable the CSRF check (state-changing requests are then accepted without a CSRF token) -->
        <csrf disabled="true"/>
        <!-- Needed if the pages use frames such as iframe and navigation should stay inside the frame -->
        <headers>
            <frame-options policy="SAMEORIGIN"/>
        </headers>
        <!-- Logout -->
        <logout/>
    </http>
    <!-- Authentication manager -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- User name and password of a user that holds the role (the password is written here in plain text) -->
                <user name="admin" password="123456" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
3) Modify the web.xml file
<!-- The name springSecurityFilterChain must not be changed: the proxy delegates to the filter bean whose beanName is springSecurityFilterChain -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring/spring-*.xml</param-value>
</context-param>
4) Add to the page
5) Get the name of the logged-in user
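import java.util.HashMap;
import java.util.Map;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RequestMapping("/login")
@RestController
public class LoginController {
    /**
     * Read the current user from the Spring Security authentication in the security context.
     * @return the name of the currently logged-in user
     */
    @GetMapping("/getUsername")
    public Map<String, String> getUsername() {
        Map<String, String> map = new HashMap<>();
        String username = SecurityContextHolder.getContext().getAuthentication().getName();
        map.put("username", username);
        return map;
    }
}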
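A hardened variant of the spring-security.xml from step 2, added here as an example and not part of the original post: it keeps the same pages and user but leaves CSRF protection on and stores a bcrypt hash instead of the plain-text password. Assumptions: Spring Security 4.1 to 5.x (where CsrfFilter writes the token cookie on the first request through the chain), the bean ids csrfTokenRepository and passwordEncoder are names chosen for this example, the password value is a placeholder, and login.html contains a script that copies the XSRF-TOKEN cookie into the submitted form.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
    <!-- Static assets bypass the filter chain, as in the original file -->
    <http pattern="/css/**" security="none"/>
    <http pattern="/img/**" security="none"/>
    <http pattern="/js/**" security="none"/>
    <http pattern="/plugins/**" security="none"/>
    <http>
        <!-- Was: <http pattern="/login.html" security="none"/>. Served through the chain
             instead, so CsrfFilter runs on the login page and issues the token cookie. -->
        <intercept-url pattern="/login.html" access="permitAll"/>
        <intercept-url pattern="/**" access="hasRole('USER')"/>
        <form-login login-page="/login.html" default-target-url="/admin/index.html"
            authentication-failure-url="/login.html" always-use-default-target="true"/>
        <!-- Was: <csrf disabled="true"/>. CSRF stays on; the token is delivered in the
             XSRF-TOKEN cookie and must come back as _csrf or the X-XSRF-TOKEN header. -->
        <csrf token-repository-ref="csrfTokenRepository"/>
        <headers>
            <frame-options policy="SAMEORIGIN"/>
        </headers>
        <!-- With CSRF on, logout must be a POST to /logout that carries the token -->
        <logout/>
    </http>
    <!-- Bean id chosen for this example; the cookie is script-readable so login.html can copy it -->
    <beans:bean id="csrfTokenRepository"
        class="org.springframework.security.web.csrf.CookieCsrfTokenRepository">
        <beans:property name="cookieHttpOnly" value="false"/>
    </beans:bean>
    <!-- Bean id chosen for this example -->
    <beans:bean id="passwordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
    <authentication-manager>
        <authentication-provider>
            <password-encoder ref="passwordEncoder"/>
            <user-service>
                <!-- Was: password="123456". Placeholder: paste the output of
                     BCryptPasswordEncoder.encode(...) for the real password. -->
                <user name="admin" password="REPLACE_WITH_BCRYPT_HASH" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```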